VMware Horizon Community
spchurchill
Contributor

RDP access to VMs from VDM Security Server in DMZ

Hi,

I'm trying to work out which rules to add to my firewall to allow RDP (port 3389) access from the Security Server, which is in the DMZ, to the VMs on the main LAN. I have a fairly typical setup of...

Internet ---> outer firewall ---> DMZ (192.168.10.x) ---> inner firewall ---> LAN (192.168.0.x)

I am able to connect to the Security Server (SS) in the DMZ with the VDM client and get all the way through the process (logging in and choosing a desktop) until it tries to connect me to the VM by RDP. I can see that there is an RDP connection trying to get from the SS to the VM on my LAN, but the inner firewall is currently blocking it.

The inner firewall is a Cisco PIX 506e. Any traffic that I currently want to allow through it, e.g. SMTP for email, gets given an alias IP address in the DMZ's 192.168.10.x range which then goes through the firewall and gets translated into a 192.168.0.x for the actual computer on the LAN. (This is how the SS communicates with the VDM server on the LAN as well.) This means that the DMZ servers don't actually know anything about the LAN address range. Of course, this is not possible for VDM as the SS wants to find the VM using its real IP address rather than going via aliases.

As the default gateway for the DMZ is the outer firewall, I have put a static route on the SS to make sure it knows to go to the inner firewall for LAN addresses, but I now have to try to add the appropriate rule to the inner firewall. Does anyone else out there have a similar setup and would be able to suggest how the rule should be added, or whether my network infrastructure should be different?

Many thanks,

Sam

0 Kudos
0 Replies
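One way to express the rule the post asks for on a two-interface PIX 506e (PIX 6.3-style syntax), as an added example that is not part of the thread: it assumes the PIX's outside interface faces the DMZ, the SS sits at 192.168.10.50 (a constructed address) and the desktops live in 192.168.0.0/24, so the LAN range is presented to the DMZ unchanged instead of through per-host aliases.

```cisco
! Added example, not from the poster. Assumed: interface "outside" = DMZ side
! (192.168.10.x), interface "inside" = LAN (192.168.0.x), SS = 192.168.10.50,
! desktop VMs = 192.168.0.0/24. Existing per-host aliases stay as they are.
!
! Identity static: expose the desktop range to the DMZ on its real addresses,
! which is what the SS needs because the broker hands it the VM's LAN IP.
static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
!
! Least privilege: only the SS, only TCP/3389, only to the desktop range.
! "log" records each new RDP session for the syslog server (useful for
! spotting unexpected sources later). Everything else from the DMZ toward
! the LAN is still dropped by the implicit deny at the end of the list.
access-list outside_in permit tcp host 192.168.10.50 192.168.0.0 255.255.255.0 eq 3389 log
!
! access-group binds one list per interface, so the rules the SS already
! relies on (e.g. reaching the VDM server's alias) must live in this same
! list, otherwise applying it will cut them off.
access-group outside_in in interface outside
```

Narrow the destination to the desktop pool's subnet if the VMs do not occupy the whole /24, and check the static route on the SS points at the PIX outside address so the return path stays symmetric.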