TOPIC: Inside to DMZ communication

Inside to DMZ communication 9 years 7 months ago #21553

skepticals (Expert Member, Posts: 783, Karma: 0):
I wanted to clarify a few things.

I am attempting to allow remote desktop (port 3389) to a computer in the DMZ. I want to limit access from the inside network only. I attempted to make a rule using the ASDM on an ASA 5510 with no luck.

Inside: 10.3.x.x
DMZ: 172.16.x.x
Host: 172.16.x.3

Should I only have to allow traffic from the Inside interface to the host 172.16.x.3 on port 3389?

How is traffic handled between interfaces? If I am on a host in the Inside network (10.3.4.10) and want to access the host in the DMZ, what is the best approach?

I tried configuring it several ways. I applied the rule to the DMZ interface inbound and allowed port 3389 to host 172.16.x.3. Is this the correct approach?

Thanks.

Re: Inside to DMZ communication 9 years 7 months ago #21554

Smurf (Moderator, Posts: 1390, Karma: 1):
I would apply this to the inside interface. The DMZ interface should be used to permit allowable traffic from the DMZ Network. Remember, it's a stateful firewall, so for traffic allowed from the Inside network to the DMZ server on port 3389, return traffic will automatically be allowed back through the DMZ interface.

The rule should be something like:

access-list permit-inside extended permit tcp host 10.3.4.10 host 172.16.x.3 eq 3389
! the access-group line applies the list inbound on the inside interface
access-group permit-inside in interface inside

Cheers

Wayne
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: Inside to DMZ communication 9 years 7 months ago #21556

skepticals (Expert Member, Posts: 783, Karma: 0):
If I understand you correctly, you would apply this to the inside interface in the outgoing direction? And, have the rule allow traffic from the inside network to the host on the DMZ.

I guess I should always apply my rules to the closest interface?

Re: Inside to DMZ communication 9 years 7 months ago #21557

Smurf (Moderator, Posts: 1390, Karma: 1):
I always do it for the In direction; it saves the traffic getting into the firewall. I have never really used OUT for anything, since if the IN traffic is configured correctly on all interfaces then configuring out access-lists as well just complicates debugging (in my opinion) :)
Wayne Murphy

Re: Inside to DMZ communication 9 years 7 months ago #21558

skepticals (Expert Member, Posts: 783, Karma: 0):
Now, I am confused.

If I apply the rule inward on the inside interface, is the traffic already allowed from the inside interface to the host on the DMZ? (Possibly because of the 50 vs. 100 security levels.)

With that said, if I do not apply a rule at all, the 3389 traffic is already allowed out the inside interface and in the DMZ interface, it just can't return? But I didn't think this makes sense because it is a stateful firewall; so if the traffic is already allowed out, it should be allowed in.

Apparently my mind is not working right now. Can you clear this up?

Re: Inside to DMZ communication 9 years 7 months ago #21590

anti-hack (Frequent Member, Posts: 38, Karma: 0):
Hi,

The way I have done it before is:

First there has to be a translation from the inside network to the DMZ.

Secondly, by default the inside interface is on a higher security level than the DMZ. If there is no access-list on the Inside interface then nothing else needs to be done; you can access RDP directly. If there is an access-list on the Inside interface then you need to allow the host to the particular machine on the DMZ.

Something like:

! identity static (pre-8.3 syntax): the inside host keeps its own address toward the DMZ
static (inside,dmz) 10.3.x.x 10.3.x.x netmask 255.255.255.255 0 0

This should work.

Please update.
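To make the behaviour the replies describe concrete (security levels decide only while no ACL is applied to the ingress interface, an applied ACL brings an implicit deny, and the state table lets replies back without any rule on the DMZ), here is an added toy model in Python. It is not from the thread or from Cisco; it ignores NAT and fills the thread's 'x' octets with the constructed addresses 10.3.4.10 and 172.16.1.3.

```python
"""Toy model of the ASA forwarding decisions discussed in this thread: no ACL on
an interface lets higher -> lower security traffic through (inside=100, dmz=50);
an ACL applied inbound replaces that with an implicit deny; the state table
lets replies back without any ACL on the DMZ.  NAT omitted; addresses constructed."""
from dataclasses import dataclass, field

SECURITY = {"inside": 100, "dmz": 50}  # ASA default levels used in the thread


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class ASA:
    acls: dict = field(default_factory=dict)  # ifc -> [(src, dst, dport)] applied "in"
    conns: set = field(default_factory=set)   # state table: (src, dst, sport, dport)

    def packet(self, ingress, egress, flow):
        # Return True if forwarded; egress interface is what routing would pick.
        # 1. Reply to a connection already in the state table: no ACL lookup at all.
        if (flow.dst, flow.src, flow.dport, flow.sport) in self.conns:
            return True
        acl = self.acls.get(ingress)
        if acl is not None:  # 2. ACL present: only explicit permits pass (implicit deny)
            allowed = any((s, d, p) == (flow.src, flow.dst, flow.dport) for s, d, p in acl)
        else:                # 3. No ACL: security levels decide, higher -> lower only
            allowed = SECURITY[ingress] > SECURITY[egress]
        if allowed:
            self.conns.add((flow.src, flow.dst, flow.sport, flow.dport))
        return allowed


def demo():
    """Replay the thread's scenario; returns each forwarding decision by name."""
    rdp = Flow("10.3.4.10", "172.16.1.3", 50000, 3389)
    reply = Flow("172.16.1.3", "10.3.4.10", 3389, 50000)
    from_dmz = Flow("172.16.1.3", "10.3.4.10", 40000, 445)  # DMZ host initiating
    ssh = Flow("10.3.4.10", "172.16.1.3", 50001, 22)        # inside host, not RDP
    out = {}
    fw = ASA()  # no access-group anywhere: anti-hack's first case
    out["no_acl_rdp"] = fw.packet("inside", "dmz", rdp)            # True: 100 > 50
    out["no_acl_reply"] = fw.packet("dmz", "inside", reply)        # True: stateful
    out["no_acl_from_dmz"] = fw.packet("dmz", "inside", from_dmz)  # False: 50 < 100
    fw = ASA(acls={"inside": [("10.3.4.10", "172.16.1.3", 3389)]})  # Smurf's ACL, "in"
    out["acl_rdp"] = fw.packet("inside", "dmz", rdp)               # True: permitted
    out["acl_reply"] = fw.packet("dmz", "inside", reply)           # True: stateful
    out["acl_ssh"] = fw.packet("inside", "dmz", ssh)               # False: implicit deny
    return out
```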