Hello, I have a DMZ setup and am having problems getting RDP traffic working the way I would like.
Both my Trust and DMZ interfaces are routed, so there is no NAT involved.
My policies are as shown below:
ID  From   To     Src-address   Dst-address   Service  Action  State    ASTLCB
4   Trust  DMZ    Internal LAN  DMZ           RDP-Out  Permit  enabled  ---X-X
5   DMZ    Trust  DMZ           Internal LAN  RDP-in   Permit  enabled  ---X-X
No global policy! Default deny, software-based policy search, new policy enabled.
And the services are:
set service "RDP-Out" protocol tcp src-port 1024-65535 dst-port 3889-3889
set service "RDP-in" protocol tcp src-port 3389-3389 dst-port 0-65535
I can't get it to work. I did a debug flow basic and saw it is denying traffic from the Trust to the DMZ.
If I change the service on the Trust-to-DMZ policy to "any", it works.
What am I missing?
Here is part of the debug:
****** 11659424.0: <Trust/ethernet0/1> packet received [52]******
ipid = 32173(7dad), @03972530
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/1:172.18.4.77/60135->10.0.0.1/3389,6<Root>
no session found
flow_first_sanity_check: in <ethernet0/1>, out <N/A>
chose interface ethernet0/1 as incoming nat if.
flow_first_routing: in <ethernet0/1>, out <N/A>
search route to (ethernet0/1, 172.18.4.77->10.0.0.1) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 18.route 10.0.0.1->10.0.0.1, to ethernet0/2
routed (x_dst_ip 10.0.0.1) from ethernet0/1 (ethernet0/1 in 0) to ethernet0/2
policy search from zone 2-> zone 3
policy_flow_search policy search nat_crt from zone 2-> zone 3
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.0.0.1, port 3389, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
Searching global policy.
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
policy id (320000)
packet dropped, denied by policy
Policy id deny policy, ipv6 0, flow_potential_violation 0
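As an added example (not part of the post and not NetScreen/ScreenOS code), the script below models the first-packet policy lookup that the debug output shows in a simplified way: it parses the posted "set service" lines and the flow line from the debug, resolves the destination zone through a constructed route table copied from the route line in the debug, and applies the policies in order for the zone pair, falling back to the implicit default deny (the 320000 id the debug reports). The address-book contents behind "Internal LAN" and "DMZ" and the interface-to-zone mapping are assumptions; real ScreenOS lookups also consider schedules, address groups and other attributes not modelled here. Replaying the posted 5-tuple (destination port 3389) against the posted RDP-Out definition (dst-port 3889-3889) ends at the default deny, and swapping in the "any" service yields permit from policy 4, which reproduces both observations in the post.

```python
"""Simplified replay of a ScreenOS first-packet policy lookup against the
posted service/policy definitions.  Added example, not vendor code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUM = {"tcp": 6, "udp": 17}
DEFAULT_DENY_ID = 320000  # id the posted debug reports for the implicit deny

# 'set service' lines copied verbatim from the post.
SERVICE_LINES = [
    'set service "RDP-Out" protocol tcp src-port 1024-65535 dst-port 3889-3889',
    'set service "RDP-in" protocol tcp src-port 3389-3389 dst-port 0-65535',
]
# Flow line copied from the posted debug: iface:src/sport->dst/dport,proto
FLOW_LINE = "ethernet0/1:172.18.4.77/60135->10.0.0.1/3389,6<Root>"

# Constructed assumptions: address-book entries and interface/zone mapping.
ADDRESS_BOOK = {
    "Internal LAN": ipaddress.ip_network("172.18.0.0/16"),
    "DMZ": ipaddress.ip_network("10.0.0.0/24"),
}
ZONE_OF_IF = {"ethernet0/1": "Trust", "ethernet0/2": "DMZ"}
# Constructed route table matching the debug's "route 10.0.0.1 ... to ethernet0/2".
ROUTES = [(ipaddress.ip_network("10.0.0.0/24"), "ethernet0/2")]


@dataclass(frozen=True)
class Service:
    name: str
    proto: Optional[int]  # None means any IP protocol
    src_ports: Tuple[int, int]
    dst_ports: Tuple[int, int]

    def matches(self, proto: int, sport: int, dport: int) -> bool:
        if self.proto is not None and proto != self.proto:
            return False
        return (self.src_ports[0] <= sport <= self.src_ports[1]
                and self.dst_ports[0] <= dport <= self.dst_ports[1])


ANY = Service("ANY", None, (0, 65535), (0, 65535))

_SERVICE_RE = re.compile(
    r'set service "([^"]+)" protocol (\w+) src-port (\d+)-(\d+) dst-port (\d+)-(\d+)')
_FLOW_RE = re.compile(r'(\S+?):([\d.]+)/(\d+)->([\d.]+)/(\d+),(\d+)<')


def parse_service(line: str) -> Service:
    m = _SERVICE_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"unrecognised service line: {line!r}")
    name, proto, s_lo, s_hi, d_lo, d_hi = m.groups()
    return Service(name, PROTO_NUM[proto.lower()],
                   (int(s_lo), int(s_hi)), (int(d_lo), int(d_hi)))


def parse_flow(line: str):
    """Return (in_if, src_ip, sport, dst_ip, dport, proto) from a debug flow line."""
    m = _FLOW_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised flow line: {line!r}")
    ifname, src, sport, dst, dport, proto = m.groups()
    return (ifname, ipaddress.ip_address(src), int(sport),
            ipaddress.ip_address(dst), int(dport), int(proto))


@dataclass(frozen=True)
class Policy:
    pid: int
    from_zone: str
    to_zone: str
    src_addr: str
    dst_addr: str
    service: Service
    action: str


def egress_interface(dst_ip) -> str:
    for net, ifname in ROUTES:
        if dst_ip in net:
            return ifname
    raise LookupError(f"no route to {dst_ip}")


def lookup(policies: List[Policy], from_zone, to_zone, src_ip, dst_ip, proto, sport, dport):
    """First matching policy for the zone pair wins; no match -> default deny."""
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if src_ip not in ADDRESS_BOOK[p.src_addr] or dst_ip not in ADDRESS_BOOK[p.dst_addr]:
            continue
        if p.service.matches(proto, sport, dport):
            return p.pid, p.action
    return DEFAULT_DENY_ID, "deny"


def replay(flow_line: str = FLOW_LINE, service_for_policy_4: Optional[Service] = None):
    """Replay one flow line through the posted policy set; optionally swap policy 4's service."""
    services = {s.name: s for s in map(parse_service, SERVICE_LINES)}
    svc4 = service_for_policy_4 or services["RDP-Out"]
    policies = [
        Policy(4, "Trust", "DMZ", "Internal LAN", "DMZ", svc4, "permit"),
        Policy(5, "DMZ", "Trust", "DMZ", "Internal LAN", services["RDP-in"], "permit"),
    ]
    in_if, src, sport, dst, dport, proto = parse_flow(flow_line)
    from_zone, to_zone = ZONE_OF_IF[in_if], ZONE_OF_IF[egress_interface(dst)]
    return lookup(policies, from_zone, to_zone, src, dst, proto, sport, dport)


if __name__ == "__main__":
    print("posted RDP-Out service:", replay())                         # (320000, 'deny')
    print("service set to any    :", replay(service_for_policy_4=ANY))  # (4, 'permit')
```

Running it prints the default-deny result for the posted configuration and a permit from policy 4 once the service is "any"; changing the port ranges in SERVICE_LINES and re-running shows which range a given flow line falls into before a rule is pushed to the firewall.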