Allowing RDP traffic

kcgpassport
Level 1

I am using a Cisco PIX 515e with three interfaces: outside, inside, DMZ. I am providing VPN access via the PIX. The issue I am having is that when I connect to my network via VPN I cannot RDP to servers in my DMZ. I can RDP to servers on my internal network.

When I connect to the VPN I get an IP address of 192.168.10.x. My inside IP addresses are 192.168.1.x; my DMZ addresses are 192.168.5.x.

I created an ACL to allow traffic over port 3389 (RDP) from 192.168.10.0 to 192.168.5.13 (server in my DMZ); the ACL looks like:

access-list vpn_access_dmz permit tcp 192.168.10.0 255.255.255.0 host 192.168.5.13 eq 3389

The issue is I am not sure which interface this access list should be applied to (inside, outside, DMZ?). Does anyone have an idea or can give me some pointers?

Thanks for any help!

Bill

4 Replies

acomiskey
Level 10

Don't worry about that access list; you shouldn't need it.

You most likely need to add NAT exemption for the DMZ hosts.

access-list DMZ_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (DMZ) 0 access-list DMZ_nat0_outbound

Thanks for the help. In your access-list command, what is the 'extended' command for?

It is used for (outbound) connections.

Sorry, I had ASA on the brain, you don't need "extended".

access-list DMZ_nat0_outbound permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (DMZ) 0 access-list DMZ_nat0_outbound
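As an added example (not from the thread and not Cisco documentation), here is how the DMZ NAT exemption from the reply above fits next to the inside-side exemption that the poster's setup must already have, since RDP to inside hosts works. The interface names outside/inside/DMZ and the subnets come from the question; the `inside_nat0_outbound` ACL name, the PIX 6.3-style syntax without `extended`, and the verification commands are assumptions for this example.

```cisco
! Added example, not from the thread. Assumes PIX 6.x syntax (no "extended"),
! interfaces named outside/inside/DMZ, VPN pool 192.168.10.0/24,
! inside 192.168.1.0/24 and DMZ 192.168.5.0/24 as described in the question.
!
! 1. NAT exemption on the inside interface (assumed to exist already, because RDP
!    to inside hosts works over the VPN). Traffic between the inside network and
!    the VPN pool passes without translation in either direction.
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 2. The matching exemption for the DMZ, as suggested in the reply. Without it the
!    PIX tries to translate DMZ-to-VPN-pool traffic, and the return path from
!    192.168.5.13 to the VPN client never gets back through the tunnel.
access-list DMZ_nat0_outbound permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
!
! 3. Verification (assumed procedure): connect a VPN client, attempt RDP to
!    192.168.5.13, then check that the exemption ACL's hit count increases and
!    that no translation slot was built for the DMZ host toward the VPN pool.
! show access-list DMZ_nat0_outbound
! show xlate
```

Note that the exemption covers the whole DMZ subnet and says nothing about ports; it only tells the PIX not to translate that traffic. Whether an interface ACL then restricts the VPN clients to RDP depends on `sysopt connection permit-ipsec`: when it is set, IPsec traffic bypasses the interface ACLs entirely, and when it is not, decrypted VPN traffic is checked by the ACL on the outside interface, where it enters the firewall.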
