Cisco PIX 515e - VPN

Jan 20th, 2009

Hello,

We have configured vpn remote access on Cisco PIX 515e for all users to dial in to our internal network servers.

When I connect through VPN, I can access all my servers in the DMZ zone. But I cannot access any server in my internal network.

Can you please guide me if there is any rule required to allow this?

Thanks in advance.

Kalpesh

pstebner10 Wed, 01/21/2009 - 07:49

Kalpesh-

Let's say that the DMZ is 10.0.0.0 /24 and your Inside network is 192.168.1.0 /24. Lastly, the DHCP scope for your VPN clients is 192.168.100.0 /24.

You would need to have two NAT statements in order for the VPN users to reach both networks:

nat (dmz) 0 access-list DMZNONAT

nat (inside) 0 access-list INSIDENONAT

(or whatever you want to call the ACLs)

Then, set up your access-lists:

access-list INSIDENONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list DMZNONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0

If you are using split-tunneling you will need to add a line to the split-tunnel ACL for your inside network as well:

access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

That should do it.

HTH,

Paul
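As an added check that is not part of this thread, the following Python script models the two conditions Paul's answer relies on: the server's interface needs a `nat (iface) 0 access-list` exemption whose ACL covers the local network (source) talking to the VPN pool (destination), and, if split tunnelling is used, the split-tunnel ACL must list the destination network or the client never sends that traffic into the tunnel. The PIX-style config text, the interface names and the `diagnose` helper are constructed for illustration; the matcher is simplified (permit-only, `ip` protocol, no ACL ordering) and is not the PIX's own matching logic.

```python
"""Sanity-check a PIX-style NAT-exemption and split-tunnel config for a VPN client flow."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample config using the addresses from the answer above (inside 192.168.1.0/24,
# DMZ 10.0.0.0/24, VPN pool 192.168.100.0/24). nat 0 ACLs are written from the perspective
# of the named interface: source = local network, destination = VPN client pool.
WORKING_CONFIG = """
nat (dmz) 0 access-list DMZNONAT
nat (inside) 0 access-list INSIDENONAT
access-list INSIDENONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list DMZNONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
"""

# Constructed config resembling the situation in the question: only the DMZ is exempted
# and only the DMZ is in the split-tunnel list, so inside servers are unreachable.
BROKEN_CONFIG = """
nat (dmz) 0 access-list DMZNONAT
access-list DMZNONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
"""

# (source network, destination network); destination is None for a standard ACL entry
Rule = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Network]]

EXT_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
STD_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text: str) -> Tuple[Dict[str, List[Rule]], Dict[str, str]]:
    """Return (ACL name -> rules, interface -> nat 0 ACL name) for the lines we understand."""
    acls: Dict[str, List[Rule]] = {}
    nat0: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := EXT_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((_net(sa, sm), _net(da, dm)))
        elif m := STD_RE.match(line):
            name, addr, mask = m.groups()
            acls.setdefault(name, []).append((_net(addr, mask), None))
        elif m := NAT0_RE.match(line):
            iface, name = m.groups()
            nat0[iface] = name
    return acls, nat0


def diagnose(config: str, client_ip: str, server_ip: str, server_iface: str,
             split_acl: str = "SPLIT-TUNNEL") -> List[str]:
    """List the reasons a VPN client cannot reach a server; an empty list means it should work."""
    acls, nat0 = parse_config(config)
    client = ipaddress.IPv4Address(client_ip)
    server = ipaddress.IPv4Address(server_ip)
    problems: List[str] = []

    # Condition 1: NAT exemption on the server's interface covering server -> VPN client.
    acl_name = nat0.get(server_iface)
    if acl_name is None:
        problems.append(f"no 'nat ({server_iface}) 0 access-list' statement")
    elif not any(server in src and dst is not None and client in dst
                 for src, dst in acls.get(acl_name, [])):
        problems.append(f"{acl_name} does not exempt {server} -> {client} from NAT")

    # Condition 2: with split tunnelling, the server's network must be in the split ACL.
    # If no split-tunnel ACL exists we assume a full tunnel, which needs no entry.
    split_rules = acls.get(split_acl)
    if split_rules is not None and not any(server in src for src, _ in split_rules):
        problems.append(f"{split_acl} does not include {server}; client will not tunnel it")
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("working", WORKING_CONFIG)):
        print(label, "inside:", diagnose(cfg, "192.168.100.5", "192.168.1.10", "inside") or "OK")
        print(label, "dmz:   ", diagnose(cfg, "192.168.100.5", "10.0.0.7", "dmz") or "OK")
```

Running it against the broken config reports both missing pieces for an inside server while the DMZ flow passes, which matches the symptom in the question; against the working config both flows come back clean.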
