11-14-2010 08:53 PM - edited 03-11-2019 12:09 PM
Hello all,
I'm unable to connect to a host in a DMZ (interface has security level 10) from a host on an "inside" network with security level 100. The host on the DMZ net can ping its gateway, and the "inside" host can ping its gateway. I've applied a rule on the inside interface to allow the host to connect using RDP, FTP, and FTP-data. I've also set up static identity NATs between the two interfaces. The packet tracer shows RDP and FTP packets should pass, and when I attempt to connect from the inside host to the DMZ I can see the connection being made in the firewall's log, but I still can't connect.
To verify remote desktop and the FTP server were working I the host to another network (security level 100) and was able to connect.
Here are the pertinent config entries. If I need to provide more information, please let me know.
interface Ethernet0/1
 switchport access vlan 50
interface Vlan50
 nameif dmz
 security-level 10
 ip address 192.168.50.1 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_2 tcp
 group-object RDP
 port-object eq ftp
 port-object eq ftp-data
access-list systems_access_in extended permit tcp object-group office_SysAdmin host RPOFCFTP object-group DM_INLINE_TCP_2
static (dmz,systems) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (systems,dmz) 192.168.250.0 192.168.250.0 netmask 255.255.255.0
Any help is greatly appreciated...
11-14-2010 09:03 PM
Based on the configuration, assuming that you are trying to access the DMZ from the "systems" interface, the following static NAT needs to be removed as it is not required:
no static (dmz,systems) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
Then, please perform "clear xlate"
To test connectivity via RDP, can you please test to see if you can telnet on port 3389, and for FTP, see if you can telnet on port 21 and get a prompt.
You might want to share the configuration on:
1) Object-group office_SysAdmin
2) IP Address of host RPOFCFTP
3) Group-object RDP
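The telnet check suggested above, written up as a small probe script; this is an added example, not code from the thread. It separates a handshake that never completes (the firewall logs the SYN but no SYN-ACK comes back, which is exactly what a bad route on the inside host produces) from a refused connection and from a completed connection with or without an FTP 220 greeting. A constructed local listener stands in for the DMZ FTP host so the script runs offline; the 3389 and 21 targets are the ones named in the reply.

```python
import socket
import threading

RDP_PORT = 3389
FTP_PORT = 21


def probe_tcp(host, port, expect_banner=False, timeout=3.0):
    """Classify a TCP probe: 'no-reply', 'refused', 'open',
    'open-no-banner' or 'banner:<first line sent by the server>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if not expect_banner:
                return "open"
            try:
                data = s.recv(256)          # FTP servers greet with "220 ..."
            except socket.timeout:
                return "open-no-banner"     # handshake fine, application silent
            return "banner:" + data.decode(errors="replace").strip()
    except socket.timeout:
        # SYN left, no SYN-ACK returned: firewall may log the connection while
        # the return path (e.g. a bad route on the client) never completes it.
        return "no-reply"
    except ConnectionRefusedError:
        return "refused"                    # host reachable, nothing listening


def constructed_ftp_listener(banner=b"220 constructed test FTP service\r\n"):
    """Throwaway 127.0.0.1 listener that only sends an FTP-style greeting.
    Stands in for the DMZ host so the probe can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = constructed_ftp_listener()
    print("ftp  ->", probe_tcp("127.0.0.1", port, expect_banner=True))
    print("rdp  ->", probe_tcp("127.0.0.1", RDP_PORT))  # 'refused' unless RDP runs locally
```

Run against the real DMZ host with `probe_tcp("<dmz-host>", FTP_PORT, expect_banner=True)`; a "no-reply" while the firewall log shows the connection points at the return path rather than the ACL or NAT.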
11-14-2010 09:02 PM
Please disregard. The problem was due to a bad route on the inside host.
11-14-2010 09:05 PM
No worries, please mark it as solved then. Thanks..
11-14-2010 09:06 PM
Thanks Jennifer for the reply. I've removed the extra nat statement...