
Inside to DMZ communication

17 years 6 months ago #21553 by skepticals
I wanted to clarify a few things.

I am attempting to allow remote desktop (port 3389) to a computer in the DMZ. I want to limit access from the inside network only. I attempted to make a rule using the ASDM on an ASA 5510 with no luck.

Inside: 10.3.x.x
DMZ: 172.16.x.x
Host: 172.16.x.3

Should I only have to allow traffic from the Inside interface to the host 172.16.x.3 on port 3389?

How is traffic handled between interfaces? If I am on a host in the Inside network (10.3.4.10) and want to access the host in the DMZ, what is the best approach?

I tried configuring it several ways. I applied the rule to the DMZ interface inbound and allowed port 3389 to host 172.16.x.3. Is this the correct approach?

Thanks.
17 years 6 months ago #21554 by Smurf
I would apply this to the inside interface. The DMZ interface should be used to permit allowable traffic from the DMZ network. Remember, it's a stateful firewall, so for traffic allowed from the Inside network to the DMZ server on port 3389, return traffic will automatically be allowed back through the DMZ interface.

The rule should be something like:

access-list permit-inside extended permit tcp host 10.3.4.10 host 172.16.x.3 eq 3389

Cheers

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 6 months ago #21556 by skepticals
If I understand you correctly, you would apply this to the inside interface in the outgoing direction? And, have the rule allow traffic from the inside network to the host on the DMZ.

I guess I should always apply my rules to the closest interface?
17 years 6 months ago #21557 by Smurf
I always do it in the IN direction; it saves the traffic getting into the firewall. I have never really used OUT for anything, since if the IN traffic is configured correctly on all interfaces then configuring out access-lists as well just complicates debugging (in my opinion) :)

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 6 months ago #21558 by skepticals
Now, I am confused.

If I apply the rule inward on the inside interface, is the traffic already allowed from the inside interface to the host on the DMZ? (Possibly because of the 50 vs. 100 security levels)

With that said, if I do not apply a rule at all, the 3389 traffic is already allowed out the inside interface and in the DMZ interface, it just can't return? But, I didn't think this makes sense because it is a stateful firewall; so if the traffic is already allowed out, it should be allowed in.

Apparently my mind is not working right now. Can you clear this up?
17 years 6 months ago #21590 by anti-hack
Hi,

The way I have done it before is:

First there has to be a translation from the inside network to the DMZ.

Secondly, by default the inside interface is on a higher security level than the DMZ. If there is no access-list on the Inside interface then nothing else needs to be done; you can access RDP directly. If there is an access-list on the Inside interface then you need to allow the host to the particular machine on the DMZ.

Something like:

static (inside,dmz) 10.3.x.x 10.3.x.x netmask 255.255.255.255 0 0

This should work.

Please update.
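Pulling the advice from Smurf's and anti-hack's posts into one configuration fragment. This is an added example, not posted by anyone in the thread: it uses pre-8.3 ASA syntax (the 5510 era), keeps the thread's "x" placeholders in the addresses, and assumes 10.3.4.0/24 as the inside subnet and Ethernet0/1 and Ethernet0/2 as the interface names purely so the fragment is complete.

```cisco
! Added example, not from the thread. Replace the "x" octets with the real
! values; 10.3.4.0/24, Ethernet0/1 and Ethernet0/2 are assumptions.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.3.4.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.x.1 255.255.255.0
!
! With no ACL bound to "inside", the security levels alone (100 -> 50)
! already permit the RDP session, and the stateful connection table lets the
! replies back in through "dmz" without any rule there.
!
! The ACL goes on the interface where the session enters the ASA ("inside"),
! in the IN direction, as Smurf describes.
access-list permit-inside extended permit tcp host 10.3.4.10 host 172.16.x.3 eq 3389
!
! Binding an ACL to an interface replaces the security-level default with the
! ACL's implicit deny for that interface. Anything else inside hosts send must
! therefore be permitted explicitly, or it is dropped. Here the rest of the
! DMZ is denied (and logged) and all other inside traffic is allowed through.
access-list permit-inside extended deny ip any 172.16.x.0 255.255.255.0 log
access-list permit-inside extended permit ip 10.3.0.0 255.255.0.0 any
access-group permit-inside in interface inside
!
! anti-hack's translation, pre-8.3 syntax. Only required when "nat-control" is
! enabled (it is off by default on 7.x/8.x ASA code); an identity static keeps
! the inside address unchanged when seen from the DMZ.
static (inside,dmz) 10.3.4.10 10.3.4.10 netmask 255.255.255.255
```

To check the result without a client on hand, `packet-tracer input inside tcp 10.3.4.10 1024 172.16.x.3 3389` walks the packet through the ACL, NAT and security-level checks and reports which line allowed or dropped it; once a session is up, `show access-list permit-inside` shows the hit count on the RDP line and `show conn address 172.16.x.3` shows the established connection the return traffic is matched against.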