VPN client cannot access server on DMZ

Answered Question
Mar 6th, 2007


I have the following problem. I have created a new VPN user on Cisco ACS and allowed him access through a downloadable ACL to a server in our inside network and a server on the DMZ network. He can ping and access the server in our inside network but cannot ping or access the server in the DMZ.

Here is the configuration.

On the PIX:

access-list DMZ-NONAT permit ip
ip local pool Users2
nat (DMZ) 0 access-list DMZ-NONAT
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host xxxx timeout 20
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host xxxx timeout 20
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa accounting match 151 outside RADIUS
aaa accounting match 150 outside TACACS+
vpngroup myVpnGroup address-pool Users2
vpngroup myVpnGroup dns-server
vpngroup myVpnGroup split-tunnel nat0_2
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400

Cisco ACS ACL:

permit ip any host - server on the inside network
permit ip any host - server on the DMZ network
permit icmp any host
permit icmp any host
deny ip any any

Any advice?

kaachary Tue, 03/06/2007 - 13:24

Do you have the subnet in the split tunnel ACL ?



IgorHamzic Tue, 03/06/2007 - 13:33

Part of the nat0_2 ACL:

access-list nat0_2 permit ip

I'm rather new to the PIX configuration so any advice will be useful.

Correct Answer
kaachary Tue, 03/06/2007 - 13:53

Do you have any Access group applied on the DMZ interface ?


IgorHamzic Tue, 03/06/2007 - 14:21

Found this in the DMZ ACL:

access-list DMZ_access_in6 deny icmp

That explains why there isn't any ping and that I'll have to read the large PIX ACL configuration I inherited even more carefully. Thanks for the direction.

Anything in there you see that could cause any other problem?

BTW I'll add 2 more lines to downloadable ACL that will permit user to access the servers using remote desktop.
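The exchange above comes down to one rule: a flow has to be permitted by every ACL it crosses, not just by the per-user downloadable ACL that ACS pushes. The interface ACL bound with access-group on the DMZ interface is evaluated as well, and its deny icmp line wins for the echo reply even though the downloadable ACL permits icmp. The following is an added illustration, not the poster's configuration or any Cisco code: a small first-match ACL evaluator run over a constructed downloadable ACL with the same shape as the one in the question and a constructed DMZ interface ACL. All addresses, the ACL names ACS-DACL and DMZ_access_in6 as used here, and the assumption that ICMP replies are not tracked statefully (so the reply is checked against the inbound ACL on the DMZ interface) are assumptions made for the example.

```python
"""Toy first-match ACL evaluator: shows why a VPN user whose downloadable ACL
permits a DMZ host still cannot ping it when the ACL bound to the DMZ
interface denies icmp. Added example; addresses and ACL names are constructed."""
from dataclasses import dataclass
from typing import Optional, List, Tuple
import ipaddress


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol; else "icmp" / "tcp"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    dport: Optional[int] = None   # destination port, tcp only


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _in_net(cidr: str, addr: str) -> bool:
    if cidr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if not (_in_net(ace.src, flow.src) and _in_net(ace.dst, flow.dst)):
        return False
    return ace.dport is None or ace.dport == flow.dport


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[Ace]]:
    """First matching entry decides; no match means the implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action, ace
    return "deny", None


def check_path(steps: List[Tuple[str, List[Ace], Flow]]) -> Tuple[str, Optional[str]]:
    """Every (acl name, acl, flow as seen by that acl) on the path must permit.
    Returns ("permit", None) or ("deny", name of the first ACL that blocks)."""
    for name, acl, flow in steps:
        action, _ = evaluate(acl, flow)
        if action == "deny":
            return "deny", name
    return "permit", None


# Constructed addresses: VPN pool member, inside server, DMZ server.
VPN_CLIENT = "10.99.0.5"
INSIDE_SRV = "192.168.10.20"
DMZ_SRV = "172.16.5.10"

# Per-user downloadable ACL from ACS, same shape as the one in the question.
ACS_DACL = [
    Ace("permit", "ip", "any", INSIDE_SRV + "/32"),
    Ace("permit", "ip", "any", DMZ_SRV + "/32"),
    Ace("permit", "icmp", "any", INSIDE_SRV + "/32"),
    Ace("permit", "icmp", "any", DMZ_SRV + "/32"),
    Ace("deny", "ip", "any", "any"),
]

# Constructed inbound ACL on the DMZ interface; the deny icmp line stands in
# for the one the poster found (its addresses are not on the page).
DMZ_ACCESS_IN6 = [
    Ace("deny", "icmp", "any", "any"),
    Ace("permit", "ip", "172.16.5.0/24", "any"),
]


def ping_path(target: str) -> Tuple[str, Optional[str]]:
    """Echo request is checked against the downloadable ACL. Assumption: ICMP is
    not inspected statefully, so the echo reply entering the DMZ interface is
    checked against the ACL bound inbound there. The inside interface has none."""
    steps = [("ACS-DACL", ACS_DACL, Flow("icmp", VPN_CLIENT, target))]
    if _in_net("172.16.5.0/24", target):
        steps.append(("DMZ_access_in6", DMZ_ACCESS_IN6, Flow("icmp", target, VPN_CLIENT)))
    return check_path(steps)


def rdp_path(target: str) -> Tuple[str, Optional[str]]:
    """TCP is tracked statefully: only the client's SYN is evaluated, by the DACL."""
    return check_path([("ACS-DACL", ACS_DACL, Flow("tcp", VPN_CLIENT, target, 3389))])


if __name__ == "__main__":
    for label, fn, tgt in [("ping inside", ping_path, INSIDE_SRV),
                           ("ping DMZ", ping_path, DMZ_SRV),
                           ("RDP to DMZ", rdp_path, DMZ_SRV)]:
        verdict, blocker = fn(tgt)
        print(f"{label:12s} -> {verdict}" + (f" (blocked by {blocker})" if blocker else ""))
```

Running it reports the ping to the inside host permitted, the ping to the DMZ host denied by DMZ_access_in6, and the RDP connection permitted by the downloadable ACL alone; the practical check on a real PIX is therefore `show access-group` followed by `show access-list <name>` for each interface on the path, not only the ACL ACS downloaded for the user.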

kaachary Wed, 03/07/2007 - 02:28


If the ACLs are in place, I guess you are good to go.

*Please rate if the post helped.


IgorHamzic Thu, 03/08/2007 - 04:19

Everything works fine now. I added extra lines in the ACS ACL and didn't have any additional problems.

Thanks for your help Kanishka.
