VPN client cannot access server on DMZ

IgorHamzic
Level 1

Hi.

I have the following problem. I have created a new VPN user on Cisco ACS and allowed him access through downloadable ACL to a server in our inside network and server on the DMZ network. He can ping and access server in our inside network but cannot ping or access the server in DMZ.

Here is the configuration.

On the PIX:

access-list DMZ-NONAT permit ip 192.168.254.0 255.255.255.0 192.168.252.128 255.255.255.128
ip local pool Users2 192.168.252.193-192.168.252.222
nat (DMZ) 0 access-list DMZ-NONAT
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.64.8.20 xxxx timeout 20
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.64.8.20 xxxx timeout 20
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa accounting match 151 outside RADIUS
aaa accounting match 150 outside TACACS+
vpngroup myVpnGroup address-pool Users2
vpngroup myVpnGroup dns-server 10.64.8.20
vpngroup myVpnGroup split-tunnel nat0_2
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400

Cisco ACS ACL:

permit ip any host 10.64.8.166 - server on the inside network
permit ip any host 192.168.254.166 - server on the DMZ network
permit icmp any host 10.64.8.166
permit icmp any host 192.168.254.166
deny ip any any

Any advice?


6 Replies

kaachary
Cisco Employee

Do you have the subnet 192.168.254.0 in the split tunnel ACL?

HTH,

-Kanishka

Part of the nat0_2 ACL:

access-list nat0_2 permit ip 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0

I'm rather new to the PIX configuration so any advice will be useful.

Accepted solution:

Do you have any Access group applied on the DMZ interface?

-Kanishka

Found this in the DMZ ACL:

access-list DMZ_access_in6 deny icmp 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0

That explains why there isn't any ping and that I'll have to read even more carefully the large PIX ACL configuration I inherited. Thanks for the direction.

Anything in there you see that could cause any other problem?

BTW I'll add 2 more lines to downloadable ACL that will permit user to access the servers using remote desktop.
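Added example, not code from the thread or from Cisco: a small Python checker that parses the PIX-style ACEs quoted above (subnet masks rather than wildcards, first match wins, implicit deny at the end) and evaluates the ping in both directions, showing the echo reply from the DMZ server hitting the deny line in DMZ_access_in6. The client address 192.168.252.200 and the corrected DMZ ACL are assumptions.

```python
import ipaddress

def parse_ace(line):
    """Parse one PIX-style ACE '[access-list NAME] action proto src dst'; src/dst
    are 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' (a subnet mask, not a wildcard)."""
    tok = line.split()
    if tok[0] == "access-list":          # tolerate the full configuration line
        tok = tok[2:]
    action, proto, rest, nets = tok[0], tok[1], tok[2:], []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32")); rest = rest[2:]
        else:
            nets.append(ipaddress.ip_network(rest[0] + "/" + rest[1])); rest = rest[2:]
    return action, proto, nets[0], nets[1]

def evaluate(acl, proto, src, dst):
    """First match wins; 'ip' matches any protocol; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, p, snet, dnet) in enumerate(acl, 1):
        if p in ("ip", proto) and s in snet and d in dnet:
            return action, n                # (verdict, matching line number)
    return "deny", None

# The ACLs quoted in the thread
DOWNLOADABLE = [parse_ace(l) for l in (
    "permit ip any host 10.64.8.166",
    "permit ip any host 192.168.254.166",
    "permit icmp any host 10.64.8.166",
    "permit icmp any host 192.168.254.166",
    "deny ip any any")]
DMZ_ACCESS_IN = [parse_ace("access-list DMZ_access_in6 deny icmp "
                           "192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0")]
# Hypothetical corrected DMZ ACL (not from the thread): permit the server's
# replies to the Users2 pool (192.168.252.128/25, as in DMZ-NONAT) before the deny.
DMZ_ACCESS_IN_FIXED = [parse_ace(
    "permit icmp host 192.168.254.166 192.168.252.128 255.255.255.128")] + DMZ_ACCESS_IN

VPN_CLIENT, DMZ_SERVER = "192.168.252.200", "192.168.254.166"  # client: constructed pool address

def ping_verdict(reply_acl):
    """Echo request is checked against the user's downloadable ACL; the echo reply
    against the ACL applied inbound on the DMZ interface, which the thread found blocking."""
    request = evaluate(DOWNLOADABLE, "icmp", VPN_CLIENT, DMZ_SERVER)
    reply = evaluate(reply_acl, "icmp", DMZ_SERVER, VPN_CLIENT)
    return request, reply
```

With the ACL as posted, ping_verdict(DMZ_ACCESS_IN) returns the request permitted by line 2 of the downloadable ACL and the reply denied by line 1 of DMZ_access_in6; the same check with "tcp" shows why remote desktop to the DMZ server is already permitted by the "permit ip" line.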

Hi,

If the ACLs are in place, I guess you are good to go.

*Please rate if the post helped.

-Kanishka

Everything works fine now. I added extra lines in the ACS ACL and didn't have any additional problems.

Thanks for your help Kanishka.
