
dmz to inside for terminal server only

cscisco_admin
Level 1

Hi!

Can anybody give me the config to allow clients coming from DMZ 192.168.22.0 to access my terminal server (192.168.2.2) through the inside 192.168.2.3 interface of the PIX, and DMZ to my ISP router (public IP) through the outside interface (public IP) of the PIX?

I read the doc Enable Comm Between Interface but could not find the specific config that I need.

Secondly, if I want to use DMZ for a second internal network, then what security level should be used, since 100 is reserved for inside?

Thanks!

2 Replies

hi,

I believe you have resolved this, as I could see a post for allowing DMZ to outside.

Anyway, here is the common setup

Outside- sec level 0

Inside - sec level 100

DMZ - sec level 50

Now for DMZ (192.168.22.0) to access the terminal server inside (192.168.2.2), it requires an access list:

access-list dmz-inside-allow extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.2.2 eq 3389

access-group dmz-inside-allow in interface dmz

try this

static (inside,DMZ) 192.168.2.2 192.168.2.2 netmask 255.255.255.255

then make the same ACL mentioned in the previous post, which is

access-list dmz-inside-allow extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.2.2 eq 3389

access-group dmz-inside-allow in interface dmz

then for DMZ to your ISP outside interface do the following

nat (DMZ) 1 192.168.22.0

global (outside) 1 interface

if you have a static IP from your ISP you can put it instead of the interface word

also if you want access from inside to the internet

add this command

nat (inside) 1 192.168.2.0

rate if helpful, and good luck
