RDP through ASA 5505 from Inside-to-DMZ
16 years 2 months ago #27396
by sys-halt
Hi, our company has an ASA 5505; one interface is configured as inside and the other as dmz1.
Ethernet 0/1 is configured as the inside interface for my internal network, where all employees' PCs reside.
Ethernet 0/2 is configured as dmz1. I have a Windows Server 2003 acting as an Edge Transport server with Terminal Services installed and configured.
The idea is that I need to allow my inside network to open a remote desktop connection to my Edge Transport server (Win 2003).
Here is the basic setup:
interface Vlan2
 nameif dmz1
 security-level 20
 ip address 192.168.1.1 255.255.255.0
interface Vlan3
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
interface Ethernet0/1
 switchport access vlan 3
 no shutdown
interface Ethernet0/2
 switchport access vlan 2
 no shutdown
Since the ASA firewall allows traffic from a higher security level to a lower one by default, do I really have to create an access-list with a static translation slot to allow a remote desktop connection from inside (security level 100) to dmz1 (security level 20)?
If I do have to create an access-list for it, could you please guide me through the proper syntax to achieve it?
16 years 2 months ago #27410
by sys-halt
Hey everyone,
sorry, my problem was not in the RDP traffic. My ASA dropped my packets from 172.16.1.0 to 192.168.1.0 (inside to dmz1) because there was no NAT configured and no global pool created.
These are the lines that made the connection work properly:
nat (inside) 2 0.0.0.0 0.0.0.0 norandomseq
global (dmz1) 2 interface
Once I put in these two commands, things worked fine and I am now able to RDP from my inside to my dmz1.
Thanks all
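Added example (editor's note, not part of either post): a pre-8.3 ASA configuration that answers the question in the first post and replaces the nat/global pair from the reply. It assumes the Edge Transport server sits at 192.168.1.10 (the thread never gives its address) and that nat-control is enabled, which is what the reply's symptom implies. The reply's `nat (inside) 2 0.0.0.0 0.0.0.0 norandomseq` plus `global (dmz1) 2 interface` PATs every inside host to the dmz1 interface address 192.168.1.1, so the Windows Security log on the server records every RDP logon as coming from that one address, and `norandomseq` switches off the ASA's TCP initial sequence number randomization for those connections. The configuration below uses an identity static instead, so inside PCs keep their real addresses, and binds an ACL to inside that limits inside-to-dmz1 traffic to RDP against that single server while leaving other outbound traffic as it was.

```cisco
! Added example (pre-8.3 syntax): RDP from inside (172.16.1.0/24) to the
! dmz1 Edge Transport server. Server address 192.168.1.10 is assumed.

! Identity translation: with nat-control on, the ASA drops inside->dmz1
! packets that match no translation. Translating the subnet to itself
! satisfies nat-control and keeps the real source address, so the
! server's logs still show which inside PC opened each session.
static (inside,dmz1) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

! Outbound policy on inside: permit only RDP (tcp/3389) to the server,
! deny anything else destined for dmz1, keep remaining outbound traffic.
! Once an ACL is bound to inside, the implicit high-to-low permit no
! longer applies on that interface, so the final permit line is needed.
access-list inside_in extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list inside_in extended deny ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_in extended permit ip 172.16.1.0 255.255.255.0 any
access-group inside_in in interface inside

! Verify the path (route, NAT lookup, ACL) on the ASA before testing from
! a PC. 172.16.1.10 is an assumed inside client; source port 1025 is arbitrary.
packet-tracer input inside tcp 172.16.1.10 1025 192.168.1.10 3389
```

If `show running-config nat-control` shows nat-control is disabled, the static line is unnecessary and the ACL alone is enough; the packet-tracer output tells you either way, since it names the phase (NAT or ACCESS-LIST) that drops the packet. The syntax above matches the thread's pre-8.3 style; ASA 8.3 and later replaced nat/global/static with object-based NAT and this fragment would need to be rewritten for those releases.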