VPN client cannot access server on DMZ

Answered Question
Mar 6th, 2007
I have the following problem. I have created a new VPN user on Cisco ACS and allowed him access through a downloadable ACL to a server in our inside network and a server on the DMZ network. He can ping and access the server in our inside network but cannot ping or access the server in the DMZ.

Here is the configuration.

On the PIX:

access-list DMZ-NONAT permit ip

ip local pool Users2

nat (DMZ) 0 access-list DMZ-NONAT

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host xxxx timeout 20

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host xxxx timeout 20

aaa-server LOCAL protocol local

aaa-server AuthInbound protocol radius

aaa accounting match 151 outside RADIUS

aaa accounting match 150 outside TACACS+

vpngroup myVpnGroup address-pool Users2

vpngroup myVpnGroup dns-server

vpngroup myVpnGroup split-tunnel nat0_2

vpngroup myVpnGroup idle-time 1800

vpngroup myVpnGroup max-time 86400

Cisco ACS ACL:

permit ip any host - server on the inside network

permit ip any host - server on the DMZ network

permit icmp any host

permit icmp any host

deny ip any any

Any advice?

kaachary Tue, 03/06/2007 - 13:24
User Badges:
  • Cisco Employee,

Do you have the subnet in the split tunnel ACL ?



IgorHamzic Tue, 03/06/2007 - 13:33
Part of the nat0_2 ACL:

access-list nat0_2 permit ip

I'm rather new to the PIX configuration so any advice will be useful.

Correct Answer
kaachary Tue, 03/06/2007 - 13:53
User Badges:
  • Cisco Employee,

Do you have any Access group applied on the DMZ interface ?


IgorHamzic Tue, 03/06/2007 - 14:21
Found this in the DMZ ACL:

access-list DMZ_access_in6 deny icmp

That explains why there isn't any ping, and that I'll have to read the large PIX ACL configuration I inherited even more carefully. Thanks for the direction.

Anything in there you see that could cause any other problem?

BTW, I'll add 2 more lines to the downloadable ACL that will permit the user to access the servers using Remote Desktop.
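The diagnosis in this thread is that the per-user downloadable ACL is only one of the places a VPN client's packet is checked: the echo reply from the DMZ server enters the DMZ interface and is subject to that interface's access-group, where a `deny icmp` blocks it. The script below is an added example, not configuration or code from the thread or from Cisco: a small first-match evaluator for PIX 6.x-style `access-list` lines that checks the same flow in both places. It assumes constructed RFC 5737 addresses, a hypothetical downloadable ACL named USER_DACL, that VPN traffic bypasses the outside interface ACL (`sysopt connection permit-ipsec`, which the thread's config does not show), and the PIX 6.x default that ICMP replies are not tracked statefully without ICMP inspection, so only the ICMP reply path is evaluated against the DMZ access-group.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    """One access-list entry (ACE) in PIX 6.x syntax, e.g.
    'access-list DMZ_access_in6 deny icmp any any'."""
    text: str
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "icmp", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # only for 'tcp ... eq PORT' / 'udp ... eq PORT'


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acls(config):
    """Group every complete 'access-list NAME action proto src dst' line by ACL name, in order."""
    acls = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        acls.setdefault(name, []).append(Ace(raw.strip(), action, proto, src, dst, dport))
    return acls


def evaluate(aces, proto, src, dst, dport=None):
    """First-match evaluation; no match means the implicit deny at the end of the ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", None


def check_vpn_flow(acls, user_acl, dmz_acl, proto, client, server, dport=None):
    """Model both checks a VPN client's packet to a DMZ host goes through.
    Forward direction: the per-user downloadable ACL (assumed: VPN traffic
    bypasses the outside interface ACL). Return direction: TCP/UDP replies
    match the connection table, but ICMP replies are not tracked on PIX 6.x
    without ICMP inspection (assumed default), so the echo reply is a fresh
    packet entering the DMZ interface and must pass its access-group."""
    fwd, fwd_ace = evaluate(acls[user_acl], proto, client, server, dport)
    result = {"forward": fwd, "forward_ace": fwd_ace}
    if fwd == "permit" and proto == "icmp":
        back, back_ace = evaluate(acls[dmz_acl], "icmp", server, client)
        result["reply"] = back
        result["reply_ace"] = back_ace
    return result


# Constructed config fragment: a hypothetical downloadable ACL (USER_DACL) shaped
# like the one in the thread, and a DMZ interface ACL whose first line denies ICMP.
CONSTRUCTED_CONFIG = """
access-list USER_DACL permit ip any host 192.0.2.10
access-list USER_DACL permit ip any host 198.51.100.20
access-list USER_DACL permit icmp any host 192.0.2.10
access-list USER_DACL permit icmp any host 198.51.100.20
access-list USER_DACL deny ip any any
access-list DMZ_access_in6 deny icmp any any
access-list DMZ_access_in6 permit tcp host 198.51.100.20 any
"""

ACLS = parse_acls(CONSTRUCTED_CONFIG)
VPN_CLIENT, DMZ_SERVER = "10.9.9.5", "198.51.100.20"   # constructed: pool client, DMZ server

if __name__ == "__main__":
    # Ping: permitted by the user ACL, but the reply is denied by the DMZ access-group.
    print(check_vpn_flow(ACLS, "USER_DACL", "DMZ_access_in6", "icmp", VPN_CLIENT, DMZ_SERVER))
    # Remote Desktop (TCP 3389): permitted by 'permit ip', reply handled by the connection table.
    print(check_vpn_flow(ACLS, "USER_DACL", "DMZ_access_in6", "tcp", VPN_CLIENT, DMZ_SERVER, 3389))
```

Running it reports the ping as permitted on the forward path and denied on the reply path by `access-list DMZ_access_in6 deny icmp any any`, while the TCP 3389 flow is permitted outright, which is the split between "can access" and "cannot ping" that the thread describes. The evaluator returns the matching ACE text so the offending line in an inherited ACL can be found directly.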

kaachary Wed, 03/07/2007 - 02:28
User Badges:
  • Cisco Employee,


If the ACLs are in place, I guess you are good to go.

*Please rate if the post helped.


IgorHamzic Thu, 03/08/2007 - 04:19
Everything works fine now. I added the extra lines in the ACS ACL and didn't have any additional problems.

Thanks for your help Kanishka.
