Hello,
I have configured some rules in my firewall to allow Remote Desktop Gateway RDP to a DMZ host, but when I tried packet-tracer it failed and I got the following logs. Could you give me the best solution to resolve this issue?
Many thanks!

packet-tracer input FRLIEINS-VLAN712-DMZ-LIETEL12 tcp 10.92.197.52 3389 10.177.112.1 3389

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.177.112.0 255.255.255.240 FRLIEINS-VLAN712-DMZ-LIETEL12

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7a517100, priority=11, domain=permit, deny=true
    hits=4625, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=FRLIEINS-VLAN712-DMZ-LIETEL12, output_ifc=any

Result:
input-interface: FRLIEINS-VLAN712-DMZ-LIETEL12
input-status: up
input-line-status: up
output-interface: FRLIEINS-VLAN712-DMZ-LIETEL12
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

#configuration#

interface GigabitEthernet0/2.712
 vlan 712
 nameif FRLIEINS-VLAN712-DMZ-LIETEL12
 security-level 15
 ip address 10.177.112.14 255.255.255.240 standby 10.177.112.13

access-list FRLIEINS-VLAN712-DMZ-LIETEL12_out extended permit tcp object-group Grp-RDGclient object FRLIEINS-VLAN712-DMZ-LIETEL12 eq 3389
access-group FRLIEINS-VLAN712-DMZ-LIETEL12_out out interface FRLIEINS-VLAN712-DMZ-LIETEL12

object network FRLIEINS-VLAN712-DMZ-LIETEL12
 description TDO-TASK-DMZ-LIETEL12
 subnet 10.177.112.0 255.255.255.240

object-group network Grp-RDGclient
 network-object host 10.92.197.52
 network-object host 10.92.37.52
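
An added example (not part of the original post): a small Python parser for packet-tracer output like the trace above. It reports which phase dropped the flow, whether the match was an implicit rule, and whether the input and output interfaces are the same. The function names and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample: abridged from the packet-tracer output in the post above.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
input-interface: FRLIEINS-VLAN712-DMZ-LIETEL12
output-interface: FRLIEINS-VLAN712-DMZ-LIETEL12
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, final): per-phase dicts and the closing Result block."""
    phases, final, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"phase": int(m.group(1)), "implicit": False}
            phases.append(cur)
        elif line == "Result:":            # bare "Result:" opens the final summary
            cur = final
        elif line == "Implicit Rule" and cur is not None and cur is not final:
            cur["implicit"] = True
        elif cur is not None:
            kv = re.match(r"([A-Za-z-]+):\s*(.*)$", line)  # "Key: value" lines only
            if kv:
                cur[kv.group(1).lower()] = kv.group(2)
    return phases, final

def summarize(text):
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    in_if, out_if = final.get("input-interface"), final.get("output-interface")
    return {
        "dropped_in_phase": drop["phase"] if drop else None,
        "drop_type": drop.get("type") if drop else None,
        "implicit_rule": bool(drop and drop["implicit"]),
        "same_interface": in_if is not None and in_if == out_if,
        "drop_reason": final.get("drop-reason"),
    }
```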