
dmz to inside for terminal server only

Hi!

Can anybody give me the config to allow clients coming from dmz 192.168.22.0 to access my terminal server (192.168.2.2) through the inside 192.168.2.3 interface of the PIX, and dmz to my ISP router (public IP) through the outside interface (public IP) of the PIX?

I read the doc Enable Comm Between Interface but could not find the specific config that I need.

Secondly, if I want to use dmz for a second internal network, then what security level should be used, since 100 is reserved for inside?

Thanks!

2 REPLIES

Re: dmz to inside for terminal server only

hi,

I believe you have resolved this, as I could see a post for allowing DMZ to outside.

Anyway, here is the common setup:

Outside- sec level 0

Inside - sec level 100

DMZ - sec level 50

Now for dmz (192.168.22.0) to access the terminal server inside (192.168.2.2), it requires an access list:

access-list dmz-inside-allow extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.2.2 eq 3389

access-group dmz-inside-allow in interface dmz

Re: dmz to inside for terminal server only

Try this:

static (inside,DMZ) 192.168.2.2 192.168.2.2 netmask 255.255.255.255

Then make the same ACL mentioned in the previous post, which is:

access-list dmz-inside-allow extended permit tcp 192.168.22.0 255.255.255.0 host 192.168.2.2 eq 3389

access-group dmz-inside-allow in interface dmz

Then for DMZ to your ISP OUTSIDE interface, do the following:

nat (DMZ) 1 192.168.22.0

global (outside) 1 interface

If you have a static IP from your ISP, you can put it instead of the interface word.

Also, if you want access from inside to the internet,

add this command:

nat (inside) 1 192.168.2.0

rate if helpful, and good luck
