Hello,

You can try this below:

create an ACL for DMZ

access-list acl_dmz extended permit _______

access-list DMZ_access_in extended permit icmp any any

icmp permit any DMZ




On Fri, Sep 28, 2012 at 1:14 PM, TheMburu George <themburu@gmail.com> wrote:
Hey

Seems you haven't allowed RDP services, I guess port 3889.

Rgds
./TheMburu

On Thu, Sep 27, 2012 at 6:13 PM, Joe Maina <maina307@gmail.com> wrote:
Hi All

I am setting up a DMZ and I want the LAN to access the DMZ using RDP. So far I can't ping the DMZ from the LAN
and can't access the server on the DMZ from the LAN.
Kindly tell me what I am missing; below are the configs.



hostname Ukuta
domain-name ic.com
enable password lJVPuxPhcYrtQ9qcK encrypted
passwd lJVPuxPhcYRQghn9cK encrypted
names
name 10.2.0.9 evault-srv
name 10.2.0.18 voip-gateway
name 10.2.0.16 citrix-srv
dns-guard
!
interface Ethernet0/0
 description outside
 nameif outside
 security-level 0
 ip address 195.202.81.170 255.255.255.248
!
interface Ethernet0/1
 description inside
 nameif inside
 security-level 100
 ip address 10.2.0.11 255.255.0.0
!
interface Ethernet0/2
 description DMZ Zone
 nameif DMZ
 security-level 50
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description management interface
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
banner login Warning: unauthorized access is prohibited and punishable to the full extent of the law.
boot system disk0:/asa821-k8.bin
boot system disk0:/asa803-k8.bin
boot system disk0:/asa724-k8_1.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 195.202.64.1
 name-server 195.202.64.2
 domain-name ic.com
object-group service WEB-SERVICES tcp
 port-object eq https
 port-object eq www
 port-object eq 8080
 port-object eq 1026
 port-object eq domain
object-group service MAIL-SERVICES tcp
 description MAIL-SERVER *10.2.0.87*
 port-object eq 993
 port-object eq 465
 port-object eq imap4
 port-object eq smtp
 port-object eq pop2
 port-object eq https
 port-object eq pop3
object-group service EVAULT-SERVICES tcp
 description EVAULT-PORTS
 port-object eq 2547
 port-object eq 807
 port-object eq 808
 port-object eq 12547
 port-object eq 2546
object-group network DirectIntNAT
 description IPs that can access Internet directly
 network-object 192.168.1.0 255.255.255.0
 network-object host 10.2.0.149
 network-object host 10.2.0.12
 network-object host 10.2.0.4
 network-object host 10.2.0.55
 network-object host 10.2.0.87
 network-object host 10.2.0.89
 network-object host 10.2.0.97
 network-object host 10.2.0.98
 network-object host evault-srv
 network-object host 10.2.0.53
 network-object host 10.2.0.88
 network-object host 10.2.0.79
 network-object host 10.2.0.77
 network-object host 10.2.0.106
 network-object host 10.2.0.81
 network-object host 10.2.0.227
 network-object host 10.2.0.10
 network-object host 10.2.0.8
 network-object host 10.2.0.29
 network-object host 10.2.4.95
 network-object host 10.2.0.73
 network-object host 10.2.0.72
 network-object host 10.2.0.51
 network-object host 10.2.0.58
 network-object host 10.2.4.96
 network-object host 10.2.0.99
 network-object host 10.2.0.30
 network-object host 10.2.0.71
 network-object host 10.2.0.46
 network-object host 10.2.0.41
object-group service DM_INLINE_SERVICE_1
object-group service ActiveSync990 tcp
 description Port 990 for Active Sync
 port-object eq 990
 port-object eq 5678
 port-object eq 5721
 port-object eq 587
 port-object eq 993
 port-object eq 999
access-list IPS extended permit ip any any
access-list outside_access_in extended permit tcp any any object-group WEB-SERVICES
access-list outside_access_in extended permit tcp any interface outside object-group MAIL-SERVICES log
access-list outside_access_in extended permit tcp any host evault-srv object-group EVAULT-SERVICES log
access-list outside_access_in extended permit tcp any interface outside eq citrix-ica
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit tcp any any object-group MAIL-SERVICES log
access-list outside_access_in extended permit tcp any any object-group ActiveSync990
access-list outside_access_in remark implicit deny all
access-list outside_access_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.2.5.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 10.2.5.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.2.5.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.2.0.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.2.5.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.2.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.2.4.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.2.0.216 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 10.2.0.216 255.255.255.248
access-list ICEAVPNRA_splitTunnelAcl standard permit any
access-list ICEA_splitTunnelAcl standard permit any
access-list LocalLANAccess standard permit 10.2.0.0 255.255.0.0
access-list ICEARA_splitTunnelAcl standard permit any
access-list inside_nat_outbound extended permit ip object-group DirectIntNAT any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool vpn_ips 10.2.0.216-10.2.0.220 mask 255.255.0.0
ip local pool vpn_ips2 10.2.5.1-10.2.5.50 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 access-list inside_nat_outbound
nat (inside) 101 10.2.0.12 255.255.255.255
nat (inside) 101 10.2.0.89 255.255.255.255
nat (inside) 101 10.2.0.149 255.255.255.255
static (outside,inside) tcp 10.2.0.10 5679 195.202.81.170 5679 netmask 255.255.255.255
static (outside,outside) tcp 10.2.0.153 7001 10.2.0.153 7001 netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica 10.2.0.87 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 465 10.2.0.46 465 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.2.0.46 smtp netmask 255.255.255.255
static (inside,outside) tcp interface imap4 10.2.0.46 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.2.0.46 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface https 10.2.0.46 https netmask 255.255.255.255
static (inside,outside) tcp interface 990 10.2.0.46 990 netmask 255.255.255.255
static (inside,outside) tcp interface 999 10.2.0.46 999 netmask 255.255.255.255
static (inside,outside) tcp interface 5678 10.2.0.46 5678 netmask 255.255.255.255
static (inside,outside) tcp interface 5721 10.2.0.46 5721 netmask 255.255.255.255
static (inside,outside) tcp interface 26675 10.2.0.46 26675 netmask 255.255.255.255
static (inside,outside) tcp interface 993 10.2.0.46 993 netmask 255.255.255.255
static (inside,outside) tcp interface 587 10.2.0.46 587 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 195.202.81.174 1
route inside 10.21.0.0 255.255.224.0 10.2.0.27 1
route inside 172.22.254.0 255.255.255.224 10.2.0.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.2.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
telnet 10.2.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.2.0.82 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1 rc4-md5
webvpn
group-policy ICEARA internal
group-policy ICEARA attributes
 dns-server value 10.2.0.89 10.2.0.98
 default-domain value icea.com
username vwainaina password B.CA3.rL63N4U.O4 encrypted
username vwainaina attributes
 vpn-group-policy ICEARA
username test1 password C7gQOMTxCEoaINky encrypted
username test password P4ttSyrm33SV8TYp encrypted
username test attributes
 vpn-group-policy ICEARA
 vpn-access-hours none
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 group-lock value ICEARA
username imutua password jnIz5/2R3pqxmnl6 encrypted
username imutua attributes
 vpn-group-policy DfltGrpPolicy
username awaburi password GXHxEu03DxJOSMJ1 encrypted
username tmasudi password ePlX/AjfmvUU6Fsu encrypted privilege 15
username tmasudi attributes
 vpn-group-policy ICEARA
username iceadmin password TiUC4sIBt7uF.xnb encrypted
username iceaadmin password TiUC4sIBt7uF.xnb encrypted privilege 15
username soluoch password WVNRbJ8S3.GQc9fV encrypted
username soluoch attributes
 vpn-group-policy DfltGrpPolicy
username smbugua password pRJuRFSbQ/1ek8K8 encrypted privilege 15
username smbugua attributes
 vpn-group-policy ICEARA
 service-type remote-access
username vicky password STOg/nQM6msaWHdq encrypted
username vicky attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group ICEARA type remote-access
tunnel-group ICEARA general-attributes
 address-pool vpn_ips2
 default-group-policy ICEARA
tunnel-group ICEARA ipsec-attributes
 pre-shared-key *
!
class-map ips-class
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map ips-policy
 class ips-class
  ips inline fail-open
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class ips-class
  ips inline fail-open
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
smtp-server 10.2.0.87
prompt hostname context
Cryptochecksum:a2e591d6708eaa3461b6f66b4b23d4c6
: end



_______________________________________________
Skunkworks mailing list
Skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------

Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke



--
Conservatism is the adherence to the old tried against the new untried.
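The firewall behaviour behind this exchange, as an added example that is not part of the thread and not the poster's or Cisco's code: on ASA 8.2 with `nat-control` enabled, a flow between two interfaces is dropped ("no translation group found") unless a nat/global pair, a static, or a nat 0 exemption covers it, and ICMP echo replies coming back from a lower-security interface are only admitted if `inspect icmp` is on or an ACL applied to that interface permits them. The posted config has `nat-control`, a `global` pool only on outside, an access-group only on outside, and no `inspect icmp`. The script below parses a constructed excerpt modelled on that config (interfaces, nat-control, global, nat, static, access-group and inspect lines only; no credentials), reports every security-level-permitted flow that would still fail, and re-runs on a hypothetical corrected excerpt that adds an identity static for inside to DMZ plus `inspect icmp`; both of those lines are my assumptions, not the thread's fix.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed excerpt modelled on the posted config (abridged, no credentials).
POSTED_EXCERPT = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif DMZ
 security-level 50
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 access-list inside_nat_outbound
static (inside,outside) tcp interface smtp 10.2.0.46 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect ftp
"""

# Hypothetical corrected excerpt (an assumption, not the thread's fix): an identity
# static so inside hosts keep their addresses towards DMZ, plus stateful ICMP.
FIXED_EXCERPT = POSTED_EXCERPT.replace(
    "access-group outside_access_in in interface outside\n",
    "static (inside,DMZ) 10.2.0.0 10.2.0.0 netmask 255.255.0.0\n"
    "access-group outside_access_in in interface outside\n",
).replace("  inspect ftp\n", "  inspect ftp\n  inspect icmp\n")


@dataclass
class NatState:
    nat_control: bool = False
    nat_ids: Dict[str, Set[int]] = field(default_factory=dict)  # real ifc -> nat ids (not 0)
    nat_zero: Set[str] = field(default_factory=set)  # real ifcs carrying a nat 0 exemption
    pools: Dict[str, Set[int]] = field(default_factory=dict)  # mapped ifc -> global ids
    statics: Set[Tuple[str, str]] = field(default_factory=set)  # (real ifc, mapped ifc)


def parse_interfaces(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level (interfaces with 'no nameif' are skipped)."""
    levels: Dict[str, int] = {}
    current = None
    for line in config.splitlines():
        if line.startswith(" nameif "):
            current = line.split()[1]
        elif line.startswith(" security-level ") and current:
            levels[current] = int(line.split()[1])
    return levels


def parse_nat(config: str) -> NatState:
    """Collect nat-control, nat/global ids per interface and static interface pairs."""
    st = NatState()
    for line in config.splitlines():
        if line.strip() == "nat-control":
            st.nat_control = True
        m = re.match(r"^nat \((\S+)\) (\d+)", line)
        if m:
            ifc, nid = m.group(1), int(m.group(2))
            (st.nat_zero.add(ifc) if nid == 0 else st.nat_ids.setdefault(ifc, set()).add(nid))
        m = re.match(r"^global \((\S+)\) (\d+)", line)
        if m:
            st.pools.setdefault(m.group(1), set()).add(int(m.group(2)))
        m = re.match(r"^static \((\S+),(\S+)\)", line)
        if m:
            st.statics.add((m.group(1), m.group(2)))
    return st


def parse_access_groups(config: str) -> Dict[str, str]:
    """Map interface -> ACL applied inbound on it."""
    pairs = re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M)
    return {ifc: acl for acl, ifc in pairs}


def audit(config: str) -> List[str]:
    """For each flow the security levels permit by default, say why the ASA would
    still drop it. Findings start with 'NAT' or 'ICMP' followed by 'src->dst'."""
    levels, nat = parse_interfaces(config), parse_nat(config)
    acls = parse_access_groups(config)
    icmp_ok = any(l.strip() == "inspect icmp" for l in config.splitlines())
    findings: List[str] = []
    for src, s_lvl in levels.items():
        for dst, d_lvl in levels.items():
            if src == dst or s_lvl <= d_lvl:
                continue  # low->high is denied anyway unless an ACL opens it
            flow = f"{src}->{dst}"
            paired = bool(nat.nat_ids.get(src, set()) & nat.pools.get(dst, set()))
            if nat.nat_control and not paired and (src, dst) not in nat.statics:
                hint = f"; only destinations in the nat ({src}) 0 ACL are exempt" if src in nat.nat_zero else ""
                findings.append(f"NAT {flow}: nat-control is on but no nat/global pair or "
                                f"static ({src},{dst}) covers it ('no translation group found'){hint}")
            if not icmp_ok and dst in acls:
                findings.append(f"ICMP {flow}: echo replies are not inspected; {acls[dst]} on {dst} must permit them")
            elif not icmp_ok:
                findings.append(f"ICMP {flow}: echo replies are not inspected and no ACL on {dst} lets them back, so pings time out")
    return findings
```

Calling `audit(POSTED_EXCERPT)` flags both `NAT inside->DMZ` and `ICMP inside->DMZ`, which matches the symptom in the question (no ping, no RDP from LAN to DMZ); `audit(FIXED_EXCERPT)` clears those and leaves only `NAT DMZ->outside`, because the posted config has no translation for DMZ hosts towards the Internet either. The identity static was chosen over a `global (DMZ)` PAT pool so the DMZ server sees real LAN source addresses, which keeps its logs useful and lets a DMZ-side ACL restrict RDP to specific LAN hosts. The nat 0 exemption ACL is not evaluated here; it only exempts the destinations it lists, which in the posted config does not include 192.168.10.0/24.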
