ScreenOS Firewalls (NOT SRX)
Contributor
dave_phillips
Posts: 21
Registered: ‎07-01-2009
Accepted Solution

RDP Policy Trust to DMZ not working

Hello, I have a DMZ setup and am having problems getting RDP traffic working the way I would like.

Both my trust and DMZ interfaces are routed, so there is no NAT involved.

My policies are as shown below:

ID  From   To     Src-address   Dst-address   Service  Action  State    ASTLCB
4   Trust  DMZ    Internal LAN  DMZ           RDP-Out  Permit  enabled  ---X-X
5   DMZ    Trust  DMZ           Internal LAN  RDP-in   Permit  enabled  ---X-X
No global policy!Default deny, Software based policy search, new policy enabled.

And the services are:

set service "RDP-Out" protocol tcp src-port 1024-65535 dst-port 3889-3889
set service "RDP-in" protocol tcp src-port 3389-3389 dst-port 0-65535

I can't get it to work. I did a debug flow basic and saw it is denying traffic from the Trust to the DMZ.

If I change the service on the Trust to DMZ policy to "any", it works.

What am I missing?

Here is part of the debug:

****** 11659424.0: <Trust/ethernet0/1> packet received [52]******
ipid = 32173(7dad), @03972530
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/1:172.18.4.77/60135->10.0.0.1/3389,6<Root>
no session found
flow_first_sanity_check: in <ethernet0/1>, out <N/A>
chose interface ethernet0/1 as incoming nat if.
flow_first_routing: in <ethernet0/1>, out <N/A>
search route to (ethernet0/1, 172.18.4.77->10.0.0.1) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 18.route 10.0.0.1->10.0.0.1, to ethernet0/2
routed (x_dst_ip 10.0.0.1) from ethernet0/1 (ethernet0/1 in 0) to ethernet0/2
policy search from zone 2-> zone 3
policy_flow_search policy search nat_crt from zone 2-> zone 3
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.0.0.1, port 3389, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
Searching global policy.
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
policy id (320000)
packet dropped, denied by policy
Policy id deny policy, ipv6 0, flow_potential_violation 0

Super Contributor
lanman
Posts: 68
Registered: ‎11-27-2010

Re: RDP Policy Trust to DMZ not working

You misconfigured the destination port in the RDP-OUT service. Port number should be 3389 for remote desktop. The policy from DMZ to trust with service RDP-IN isn't necessary. Return traffic is permitted by the policy from trust to DMZ.
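
As an added illustration (not code from the thread or from Juniper), here is a small Python checker that parses the `set service` lines the poster showed and the first-packet line from the `debug flow basic` output, then reports which services cover that packet. It assumes a constructed third service, `RDP-Out-fixed`, carrying the 3389 destination port from the answer above, to show the difference a single digit makes.

```python
import re

# Service lines copied from the thread, plus a constructed "RDP-Out-fixed"
# entry using the dst-port the accepted answer says RDP-Out should have had.
SERVICE_LINES = [
    'set service "RDP-Out" protocol tcp src-port 1024-65535 dst-port 3889-3889',
    'set service "RDP-in" protocol tcp src-port 3389-3389 dst-port 0-65535',
    'set service "RDP-Out-fixed" protocol tcp src-port 1024-65535 dst-port 3389-3389',
]
SERVICE_RE = re.compile(
    r'set service "(?P<name>[^"]+)" protocol (?P<proto>\w+) '
    r'src-port (?P<s1>\d+)-(?P<s2>\d+) dst-port (?P<d1>\d+)-(?P<d2>\d+)$')
# Matches the "src/sport->dst/dport,proto" part of a debug flow basic line.
FLOW_RE = re.compile(r'([\d.]+)/(\d+)->([\d.]+)/(\d+),(\d+)')
PROTO_NAMES = {6: "tcp", 17: "udp"}

def parse_services(lines):
    """Map service name -> (proto, (src_lo, src_hi), (dst_lo, dst_hi))."""
    services = {}
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised service line: {line!r}")
        services[m["name"]] = (m["proto"], (int(m["s1"]), int(m["s2"])),
                               (int(m["d1"]), int(m["d2"])))
    return services

def parse_flow(debug_line):
    """Extract the first packet's 5-tuple from a debug flow basic line."""
    m = FLOW_RE.search(debug_line)
    if not m:
        raise ValueError(f"no flow found in: {debug_line!r}")
    src, sport, dst, dport, proto = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": PROTO_NAMES.get(int(proto), proto)}

def service_matches(service, flow):
    """Policy lookup only sees the session's first packet, so compare that
    packet against the service's protocol and both port ranges."""
    proto, (s_lo, s_hi), (d_lo, d_hi) = service
    return (proto == flow["proto"] and s_lo <= flow["sport"] <= s_hi
            and d_lo <= flow["dport"] <= d_hi)

def matching_services(service_lines, debug_line):
    """Names of the services whose definition covers the packet in debug_line."""
    flow = parse_flow(debug_line)
    return sorted(n for n, s in parse_services(service_lines).items()
                  if service_matches(s, flow))
```

Running `matching_services(SERVICE_LINES, "ethernet0/1:172.18.4.77/60135->10.0.0.1/3389,6<Root>")` returns only `RDP-Out-fixed`: the original RDP-Out misses on the destination port, and RDP-in would only ever match a session the server opened itself (source port 3389), which is exactly the reply traffic the firewall already handles through the session created by the Trust to DMZ policy.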
Contributor
dave_phillips
Posts: 21
Registered: ‎07-01-2009

Re: RDP Policy Trust to DMZ not working

Well, I feel stupid :smileyembarrassed:

Thanks for being another pair of eyes. It's working now.

Super Contributor
lanman
Posts: 68
Registered: ‎11-27-2010

Re: RDP Policy Trust to DMZ not working

You're welcome! It has happened to me... :smileywink:
