VPN client cannot access server on DMZ

Answered Question
Mar 6th, 2007
Hi.


I have the following problem. I have created a new VPN user on Cisco ACS and allowed him access through a downloadable ACL to a server in our inside network and a server on the DMZ network. He can ping and access the server in our inside network but cannot ping or access the server in the DMZ.


Here is the configuration.


On the PIX:

access-list DMZ-NONAT permit ip 192.168.254.0 255.255.255.0 192.168.252.128 255.255.255.128

ip local pool Users2 192.168.252.193-192.168.252.222

nat (DMZ) 0 access-list DMZ-NONAT

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.64.8.20 xxxx timeout 20
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.64.8.20 xxxx timeout 20
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa accounting match 151 outside RADIUS
aaa accounting match 150 outside TACACS+

vpngroup myVpnGroup address-pool Users2
vpngroup myVpnGroup dns-server 10.64.8.20
vpngroup myVpnGroup split-tunnel nat0_2
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400

Cisco ACS ACL:

permit ip any host 10.64.8.166 - server on the inside network
permit ip any host 192.168.254.166 - server on the DMZ network
permit icmp any host 10.64.8.166
permit icmp any host 192.168.254.166
deny ip any any


Any advice?

kaachary (Cisco Employee) Tue, 03/06/2007 - 13:24

Do you have the subnet 192.168.254.0 in the split tunnel ACL ?


HTH,


-Kanishka

IgorHamzic Tue, 03/06/2007 - 13:33

Part of the nat0_2 ACL:


access-list nat0_2 permit ip 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0


I'm rather new to the PIX configuration so any advice will be useful.

Correct Answer
kaachary (Cisco Employee) Tue, 03/06/2007 - 13:53

Do you have any Access group applied on the DMZ interface ?


-Kanishka



IgorHamzic Tue, 03/06/2007 - 14:21

Found this in the DMZ ACL:


access-list DMZ_access_in6 deny icmp 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0


That explains why there isn't any ping, and that I'll have to read the large PIX ACL configuration I inherited even more carefully. Thanks for the direction.


Anything in there you see that could cause any other problem?


BTW, I'll add 2 more lines to the downloadable ACL that will permit the user to access the servers using remote desktop.
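The three checks Kanishka walks Igor through (is the DMZ subnet in the split-tunnel ACL, does the downloadable ACL permit the traffic, and is there an access-group on the DMZ interface) can be replayed offline against the lines quoted in this thread. The script below is an added example, not code from Cisco or from either poster. It implements PIX first-match ACL semantics with the implicit deny, parses both the `access-list NAME ...` form and the bare ACE form ACS pushes, and traces one ICMP echo in both directions. The client address 192.168.252.193 is simply the first address of pool Users2; the `DMZ_ACCESS_IN_FIXED` ACL with an explicit `permit icmp` line in front of the inherited deny is an assumed correction, not something quoted in the thread. The point it makes is the one Igor found: the downloadable ACL only governs what the VPN user sends, while the echo reply from the DMZ server is evaluated by the ACL applied inbound on the DMZ interface, and without ICMP inspection the PIX does not open a return pinhole for it.

```python
"""First-match walk of the thread's PIX ACLs (added example, not Cisco or the poster's code)."""
import ipaddress
from typing import NamedTuple


class Ace(NamedTuple):
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol, else e.g. "icmp", "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'NETWORK SUBNETMASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs carry a real subnet mask (255.255.255.0), not an IOS wildcard mask
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Accept both 'access-list NAME permit ...' lines and the bare ACE form ACS pushes."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]                 # drop 'access-list NAME'
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, proto, src, dst))
    return aces


def evaluate(aces, proto, src_ip, dst_ip):
    """First matching ACE wins; every PIX ACL ends in an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst:
            return ace.action
    return "deny"


# --- ACL lines quoted in the thread, plus constructed sample addresses ---------------
SPLIT_TUNNEL_ACL = "access-list nat0_2 permit ip 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0"
ACS_DOWNLOADABLE_ACL = """
permit ip any host 10.64.8.166
permit ip any host 192.168.254.166
permit icmp any host 10.64.8.166
permit icmp any host 192.168.254.166
deny ip any any
"""
DMZ_ACCESS_IN = "access-list DMZ_access_in6 deny icmp 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0"
# Assumed corrective line (not quoted in the thread): let the DMZ server answer the VPN pool.
DMZ_ACCESS_IN_FIXED = """
access-list DMZ_access_in6 permit icmp host 192.168.254.166 192.168.252.128 255.255.255.128
access-list DMZ_access_in6 deny icmp 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0
"""
VPN_CLIENT = "192.168.252.193"      # first address of pool Users2 (constructed choice)
DMZ_SERVER = "192.168.254.166"


def trace_ping(client_ip=VPN_CLIENT, server_ip=DMZ_SERVER, dmz_acl=DMZ_ACCESS_IN):
    """Walk one ICMP echo through the three checks the thread works through.

    Without ICMP inspection the PIX does not open a return pinhole for an echo,
    so the echo reply must itself be permitted by the ACL applied inbound on DMZ.
    """
    return {
        # 1. Is the DMZ subnet in the split-tunnel ACL (network side as source, pool as dest)?
        "split_tunnel": evaluate(parse_acl(SPLIT_TUNNEL_ACL), "ip", server_ip, client_ip),
        # 2. Does the per-user downloadable ACL let the echo out toward the server?
        "client_to_server": evaluate(parse_acl(ACS_DOWNLOADABLE_ACL), "icmp", client_ip, server_ip),
        # 3. Does the DMZ interface ACL let the echo reply back toward the client?
        "server_to_client": evaluate(parse_acl(dmz_acl), "icmp", server_ip, client_ip),
    }


if __name__ == "__main__":
    print("as posted:", trace_ping())
    print("with permit added:", trace_ping(dmz_acl=DMZ_ACCESS_IN_FIXED))
```

Run as posted, the trace reports the split tunnel and the downloadable ACL both permitting and the DMZ interface ACL denying the reply, which is exactly the symptom in the first post. The same `evaluate` helper can be pointed at any other inherited ACL on the box before a new VPN user is rolled out, which is cheaper than discovering the deny from a failed ping.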

kaachary (Cisco Employee) Wed, 03/07/2007 - 02:28

Hi,


If the ACLs are in place, I guess you are good to go.


*Please rate if the post helped.


-Kanishka

IgorHamzic Thu, 03/08/2007 - 04:19

Everything works fine now. I added extra lines in the ACS ACL and didn't have any additional problems.


Thanks for your help Kanishka.
