New Member

Give inside hosts rpc access to dmz hosts

Hi Guys,

There is my dilemma: I need to give some inside hosts (hosts in the inside subnet) RPC access to a server in another DMZ. Let's call it dmz16. DMZ16 has a security level of 90 and my inside has a security level of 100. Therefore, my inside host should be able to access dmz16 unless there is an explicit deny, right? For a dmz16 host to reach my inside, I need to permit the incoming traffic (ACL). Packet tracer in the FW shows that traffic from inside is permitted into DMZ16 as expected. Now, traffic from dmz16 is still denied on the inside interface even though I added an ACL:

access-list Inside_access_in line 48 remark DMZ3 RPC Access to SERVER VLAN
access-list Inside_access_in line 49 extended permit udp 20.5.3.0 255.255.255.0 10.11.xx.0 255.255.xx.0 range 135 139

access-list Inside_access_in line 52 remark IT VLAN RPC Access to DMZ3
access-list Inside_access_in line 53 extended permit udp 20.5.3.0 255.255.255.0 10.zz.xx.0 255.255.255.0 range 135 139


DMZ16: 20.5.3.0/24 (NOT THE REAL IP)

INSIDE: 10.10.0.0/24 (NOT THE REAL IP)

Thanks,

Jean Paul

3 REPLIES
Cisco Employee

Re: Give inside hosts rpc access to dmz hosts

Check if you have hitcounts on the ACL lines.

Also from dmz to inside and inside to dmz check if you need translations and if they are correct.

Also enable "inspect dcerpc" under the global policy.

I hope it helps.

PK

New Member

Re: Give inside hosts rpc access to dmz hosts

Hi PK,

I enabled inspect dcerpc as you advised, but that did not change anything. But one thing I found out is that in my ACL I enabled port range 135-139, but when I check the default inspection table, ports 137-138 are netbios and rpc is 111. I haven't changed the port settings yet; do you think that might be the issue?

As mentioned in the previous post, my ACLs are correct. I even added an ACL on DMZ16, which I totally don't need as this DMZ has a lower sec level, and it permits ip for the internal network.

Thanks,

Jean Paul

Cisco Employee

Re: Give inside hosts rpc access to dmz hosts

You need the dmz16 ACL. High to low is allowed by default, so you wouldn't need the inside one, but you would need the dmz16 ACL.

I am not sure if the ports are the issue. Go ahead and check the logs that you have for these IP addresses and see if they reveal any failures.

PK
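To illustrate PK's point, here is an added ASA configuration sketch that is not from the original thread: the permit lines posted above live in Inside_access_in, which is applied inbound on the inside interface, so a packet sourced from 20.5.3.0/24 and entering on dmz16 is never evaluated against them. The interface nameif `dmz16`, the ACL name `DMZ16_access_in` and the use of 10.10.0.0/24 as the inside subnet are assumptions; the poster's udp 135-139 range is kept for the NetBIOS ports, and a tcp/135 line is added because the DCE RPC endpoint mapper runs over TCP, which is what `inspect dcerpc` tracks.

```cisco
! Assumed interface definition, matching the security levels given in the thread
interface GigabitEthernet0/2
 nameif dmz16
 security-level 90

! Misplaced (as posted): Inside_access_in is bound inbound on "inside", so it
! only sees packets entering from 10.10.0.0/24. A DMZ16-sourced packet never
! matches these lines, and the implicit deny on dmz16 drops it instead.
access-list Inside_access_in extended permit udp 20.5.3.0 255.255.255.0 10.10.0.0 255.255.255.0 range 135 139
access-group Inside_access_in in interface inside

! Corrected placement: a dedicated ACL bound inbound on the dmz16 interface.
! Low-to-high traffic has no default permit, so this ACL is what lets the
! DMZ16 server initiate RPC to the inside hosts. (ACL name is assumed.)
access-list DMZ16_access_in remark DMZ16 server RPC to inside hosts
access-list DMZ16_access_in extended permit tcp 20.5.3.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 135
access-list DMZ16_access_in extended permit udp 20.5.3.0 255.255.255.0 10.10.0.0 255.255.255.0 range 135 139
access-group DMZ16_access_in in interface dmz16

! DCE RPC inspection (as PK suggested): watches the tcp/135 endpoint-mapper
! exchange and opens pinholes only for the dynamic ports it negotiates,
! so the high-numbered RPC ports do not need a broad static permit.
policy-map global_policy
 class inspection_default
  inspect dcerpc
service-policy global_policy global
```

After applying it, `show access-list DMZ16_access_in` should show hit counts climbing on the permit lines when the DMZ16 server connects, which is the check PK asked for in the first reply.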
