Pix 515E Remote VPN's Cannot Access DMZ

Answered Question
Apr 6th, 2007

I have a 3 interface Pix 515E at our core site (inside, outside, DMZ). We have 4 remote sites that connect to our main office via VPN tunnels terminating on the pix. Currently the remote sites cannot access the DMZ. The tunnels are functioning perfectly in all aspects except for DMZ access. Any ideas?

acomiskey Fri, 04/06/2007 - 11:32

Without the config, I can only guess...Nat exemption from dmz subnet to vpn client subnet probably.

Correct Answer
acomiskey Fri, 04/06/2007 - 13:55

You are missing a nat exemption from your DMZ to the remote networks. ADD the following...

access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Appleton 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Racine 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 CCNHEIL 255.255.255.0
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl

You can REMOVE the following statements from your inside nat exemption.

access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Appleton 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Racine 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 CCNHEIL 255.255.255.0

Please rate if it helps.
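The root cause in the answer above is that a `nat (inside) 0` exemption only applies to traffic arriving on the inside interface, so DMZ-sourced entries placed in the inside ACL never match. The following added audit script (not from the thread) checks a PIX 6.x-style config for exactly that: for a given interface and local subnet, it reports which remote subnets lack a nat 0 exemption on that interface. The `name` mappings and addresses in the sample config are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed config fragment modelled on the thread: DMZ entries wrongly placed
# in the inside nat 0 ACL, and an empty DMZ nat 0 ACL. Addresses are made up.
SAMPLE_CONFIG = """
name 10.10.10.0 CCNDMZ
name 192.168.1.0 Madison
name 192.168.2.0 Appleton
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 Madison 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 Appleton 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl
"""

# The same config with the exemption lines the answer recommends.
FIXED_CONFIG = SAMPLE_CONFIG + """
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Appleton 255.255.255.0
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def parse_config(text):
    """Collect name->address mappings, ACL entries, and per-interface nat 0 bindings."""
    names, acls, nat0 = {}, defaultdict(list), {}
    for line in text.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)
        elif m := ACL_RE.match(line):
            acl, src, smask, dst, dmask = m.groups()
            # Resolve symbolic names so entries compare by address.
            acls[acl].append((names.get(src, src), smask, names.get(dst, dst), dmask))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
    return names, acls, nat0

def missing_exemptions(text, interface, local_net, remote_nets):
    """Remote subnets with no nat 0 entry from local_net in the ACL bound to interface."""
    names, acls, nat0 = parse_config(text)
    local = names.get(local_net, local_net)
    acl_name = nat0.get(interface)  # only this ACL counts for traffic entering interface
    covered = {dst for src, _, dst, _ in acls.get(acl_name, []) if src == local}
    return [r for r in remote_nets if names.get(r, r) not in covered]

if __name__ == "__main__":
    print(missing_exemptions(SAMPLE_CONFIG, "DMZ", "CCNDMZ", ["Madison", "Appleton"]))
    print(missing_exemptions(FIXED_CONFIG, "DMZ", "CCNDMZ", ["Madison", "Appleton"]))
```

Note that the CCNDMZ entry in the inside ACL is not counted for the DMZ interface, which is the misconfiguration the answer describes.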
