Give inside hosts rpc access to dmz hosts

Hi Guys,

Here is my dilemma: I need to give some inside hosts (hosts in the inside subnet) RPC access to a server in another DMZ. Let's call it dmz16. DMZ16 has a security level of 90 and my inside has a security level of 100. Therefore, my inside host should be able to access my dmz16 unless there is an explicit deny, right? For a dmz16 host to reach my inside, I need to permit the incoming traffic (ACL). Packet tracer in the FW shows that traffic from inside is permitted into DMZ16 as expected. Now, traffic from dmz16 is still denied on the inside interface even though I added an ACL:

access-list Inside_access_in line 48 remark DMZ3 RPC Access to SERVER VLAN
access-list Inside_access_in line 49 extended permit udp 20.5.3.0 255.255.255.0 10.11.xx.0 255.255.xx.0 range 135 139

access-list Inside_access_in line 52 remark IT VLAN RPC Access to DMZ3
access-list Inside_access_in line 53 extended permit udp 20.5.3.0 255.255.255.0 10.zz.xx.0 255.255.255.0 range 135 139


DMZ16: 20.5.3.0/24 (NOT THE REAL IP)

INSIDE: 10.10.0.0/24 (NOT THE REAL IP)

Thanks,

Jean Paul

3 Replies

Panos Kampanakis
Cisco Employee

Check if you have hitcounts on the ACL lines.

Also from dmz to inside and inside to dmz check if you need translations and if they are correct.

Also enable "inspect dcerpc" under the global policy.

I hope it helps.

PK

Hi PK,

I enabled inspect dcerpc as you advised, but that did not change anything. But one thing that I found out is that in my ACL I enabled the port range 135-139, but when I check the default inspection table, ports 137-138 are netbios and rpc is 111. I haven't changed the port settings yet; do you think that might be the issue?

As mentioned in the previous post, my ACLs are correct. I even added an ACL in the DMZ16 which I totally don't need, as this DMZ has a lower security level and it permits ip for the internal network.

Thanks,

Jean Paul

You need the dmz16 ACL. High to low is allowed by default, so you wouldn't need the inside ACL, but you would need the dmz16 ACL.

I am not sure if the ports are the issue. Go ahead and check the logs that you have for these IP addresses and see if these reveal any failures.

PK
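To make PK's point concrete, here is an added ASA configuration example (not from the original thread or from Cisco) showing where the permit has to live. An ACL bound with `access-group ... in interface inside` is only evaluated for packets arriving on the inside interface, so entries whose source is the DMZ16 subnet (20.5.3.0/24) in `Inside_access_in` can never match and will show zero hitcounts; DMZ-originated flows toward a higher security level must be permitted by an ACL applied inbound on the DMZ16 interface. The interface name `dmz16`, the ACL name `dmz16_access_in`, and the host addresses used in the packet-tracer check are assumptions; the subnets are the placeholder ranges from the post.

```cisco
! Assumed interface layout, using the placeholder subnets from the thread
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz16
 security-level 90
 ip address 20.5.3.1 255.255.255.0
!
! Inside (100) -> dmz16 (90) is allowed by default, so no inside ACL
! entry is needed for that direction.
!
! dmz16 (90) -> inside (100) needs an explicit permit on an ACL that is
! applied INBOUND on the dmz16 interface. The source must be the DMZ
! subnet, the destination the inside subnet.
access-list dmz16_access_in remark DMZ16 RPC access to inside server VLAN
access-list dmz16_access_in extended permit tcp 20.5.3.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 135
access-list dmz16_access_in extended permit udp 20.5.3.0 255.255.255.0 10.10.0.0 255.255.255.0 range 135 139
!
access-group dmz16_access_in in interface dmz16
!
! The DCERPC inspection engine (PK's suggestion) tracks the dynamic ports
! negotiated over the endpoint mapper on TCP 135 and opens pinholes for them.
policy-map global_policy
 class inspection_default
  inspect dcerpc
!
! Verification (assumed host addresses):
! 1. Hitcounts on the right ACL should increase when a DMZ host connects.
!    show access-list dmz16_access_in
! 2. Simulate the flow from the dmz16 side to confirm the ACL and any NAT
!    rule apply; the output ends with "Action: allow" when the path is open.
!    packet-tracer input dmz16 tcp 20.5.3.10 40000 10.10.0.50 135
! 3. Look for denials logged for these addresses (message 106023 is the
!    "deny by access-group" log).
!    show logging | include 20.5.3.10
```

Note that Microsoft RPC uses TCP 135 for the endpoint mapper and then an ephemeral TCP port for the actual service, which is why the UDP 135-139 range in the original ACL (NetBIOS ports) may not cover the traffic the application is actually sending; the packet-tracer and log checks above will show which protocol and port is being denied.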
