dmz to inside for terminal server only

Unanswered Question
Jun 26th, 2008

Hi!


Can anybody give me the config to allow clients coming from the DMZ (192.168.22.0) to access my terminal server (192.168.2.2) through the inside interface (192.168.2.3) of the PIX, and from the DMZ to my ISP router (public IP) through the outside interface (public IP) of the PIX?


I read the doc Enable Comm Between Interface but could not find the specific config that I need.


Secondly, if I want to use the DMZ for a second internal network, what security level should be used, since 100 is reserved for inside?

Thanks!

dhananjoy chowdhury Sat, 06/28/2008 - 06:42

Hi,

I believe you have resolved this, as I could see a post for allowing DMZ to outside.

Anyway, here is the common setup:

Outside- sec level 0

Inside - sec level 100

DMZ - sec level 50


Now, for the DMZ (192.168.22.0) to access the terminal server on the inside (192.168.2.2), it requires an access list:


access-list dmz-inside-allow extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.2.2 eq 3389

access-group dmz-inside-allow in interface dmz



Marwan ALshawi Sun, 06/29/2008 - 20:31

Try this:


static (inside,DMZ) 192.168.2.2 192.168.2.2 netmask 255.255.255.255


Then make the same ACL mentioned in the previous post, which is:

access-list dmz-inside-allow extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.2.2 eq 3389

access-group dmz-inside-allow in interface dmz


Then, for DMZ to your ISP through the outside interface, do the following:


nat (DMZ) 1 192.168.22.0 255.255.255.0

global (outside) 1 interface

If you have a static IP from your ISP, you can put it instead of the word "interface".


Also, if you want access from inside to the internet,

add this command:

nat (inside) 1 192.168.2.0 255.255.255.0


Rate if helpful, and good luck.
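
Added example, not part of either post above: a first-match evaluator for the dmz-inside-allow ACL from the thread, run over constructed flows from a DMZ client. Once that ACL is bound inbound on the dmz interface, its implicit deny also drops DMZ-to-outside traffic, so the nat/global pair alone does not give the DMZ internet access. The two extra ACEs, the /24 mask for the inside network, the client 192.168.22.10 and the address 203.0.113.80 are assumptions made for illustration.

```python
import ipaddress

# ACE from the thread, applied with: access-group dmz-inside-allow in interface dmz
THREAD_ACL = [
    "access-list dmz-inside-allow extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.2.2 eq 3389",
]
# Assumption (not from the thread): extra ACEs so the DMZ still reaches the outside
# while everything else toward inside 192.168.2.0/24 stays blocked.
EXTENDED_ACL = THREAD_ACL + [
    "access-list dmz-inside-allow extended deny ip 192.168.22.0 255.255.255.0 192.168.2.0 255.255.255.0",
    "access-list dmz-inside-allow extended permit ip 192.168.22.0 255.255.255.0 any",
]
# Constructed sample flows from a DMZ client: (protocol, source, destination, dest port)
FLOWS = [
    ("tcp", "192.168.22.10", "192.168.2.2", 3389),   # RDP to the terminal server
    ("tcp", "192.168.22.10", "192.168.2.2", 445),    # another service on the same host
    ("tcp", "192.168.22.10", "192.168.2.50", 3389),  # RDP to a different inside host
    ("tcp", "192.168.22.10", "203.0.113.80", 443),   # outbound to the internet
]

def take_addr(tok):
    """Consume 'any', 'host A' or 'A MASK' and return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    action, proto = tok[3], tok[4]
    src, rest = take_addr(tok[5:])
    dst, rest = take_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_proto, a_src, a_dst, a_port in map(parse_ace, acl):
        if a_proto in ("ip", proto) and s in a_src and d in a_dst and a_port in (None, dport):
            return action
    return "deny"

def results(acl):
    return [evaluate(acl, *flow) for flow in FLOWS]

if __name__ == "__main__":
    for name, acl in (("thread ACL", THREAD_ACL), ("extended ACL", EXTENDED_ACL)):
        print(name, results(acl))
```

The evaluator models only the ACL check; the static and nat/global translations from the posts are still needed for the permitted flows to pass.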
