VPN access to DMZ host

Unanswered Question
Nov 22nd, 2005
Hello,


I currently have a PIX 515 running an L2L VPN with a PIX 501 and an RA VPN with Cisco VPN clients.


Is there a way to let clients on the L2L and the RA VPN sides access a server on the DMZ of the PIX 515?


Preferably by a static NAT, so the IP address of the DMZ host stays the same.


jackko Tue, 11/22/2005 - 04:19
User Badges:
  • Gold, 750 points or more

The DMZ subnet needs to be included in the no-NAT and crypto ACLs.


With the current PIX 515 config:

access-list no_nat permit ip

access-list no_nat permit ip

access-list l2lvpn permit ip

access-list re_vpn permit ip



Now, a new no-NAT ACL needs to be configured for the PIX 515 DMZ interface:

access-list no_nat_dmz permit ip

access-list no_nat_dmz permit ip

access-list l2lvpn permit ip

access-list re_vpn permit ip


nat (dmz) 0 access-list no_nat_dmz



For the PIX 501:

access-list no_nat permit ip

access-list no_nat permit ip

access-list l2lvpn permit ip

access-list l2lvpn permit ip

wrusman Tue, 11/22/2005 - 04:57
Hello jackko

Thanks for your response...


I have tried the changes in the access-lists, but the other side of the VPN still doesn't seem to know where the 10.x.x.x segment is located.

I can't create a static route, since Cisco doesn't create a VPN interface (like Linux does).


Here I post the relevant config of the PIX 515; maybe you can see what goes wrong here?


interface Ethernet0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.252 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.0.0.254 255.0.0.0
!

access-list outside_inbound extended permit tcp any interface outside eq https
access-list outside_inbound extended permit tcp any interface outside eq imap4
access-list outside_inbound extended permit tcp any interface outside eq smtp
access-list outside_inbound extended permit icmp any any
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list splittunnel standard permit 192.168.2.0 255.255.255.0
access-list splittunnel standard permit 192.168.0.0 255.255.255.0

access-list dmz_access_in extended permit ip host 10.0.0.1 host 192.168.2.5
access-list dmz_access_in extended permit ip host 10.0.0.1 host 192.168.2.1
access-list nonat_dmz extended permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0
access-list nonat_dmz extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0

ip local pool vpnpool 192.168.3.1-192.168.3.50

global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.2.0 255.255.255.0
nat (dmz) 0 access-list nonat_dmz
nat (dmz) 1 10.0.0.0 255.255.255.0

static (inside,outside) tcp interface imap4 192.168.2.1 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.2.1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.2.1 https netmask 255.255.255.255
static (dmz,outside) tcp x.x.x.x https 10.0.0.1 https netmask 255.255.255.255
static (dmz,outside) tcp x.x.x.x www 10.0.0.1 www netmask 255.255.255.255
static (dmz,inside) 10.0.0.1 10.0.0.1 netmask 255.255.255.255
static (inside,dmz) 192.168.2.5 192.168.2.5 netmask 255.255.255.255
static (inside,dmz) 192.168.2.3 192.168.2.3 netmask 255.255.255.255
static (inside,dmz) 192.168.2.1 192.168.2.1 netmask 255.255.255.255
access-group outside_inbound in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

group-policy clientgroup internal
group-policy clientgroup attributes
 wins-server value 192.168.2.3 192.168.2.5
 dns-server value 192.168.2.3 192.168.2.5
 vpn-idle-timeout 20
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value **.**
sysopt noproxyarp inside
sysopt noproxyarp dmz


jackko Tue, 11/22/2005 - 05:06
User Badges:
  • Gold, 750 points or more

Just a quick comment.


access-list splittunnel standard permit 192.168.2.0 255.255.255.0

access-list splittunnel standard permit 192.168.0.0 255.255.255.0


DMZ subnet 10.0.0.0 seems to be missing.

wrusman Tue, 11/22/2005 - 05:14
Sorry, that was an old config; I already added


access-list splittunnel standard permit 10.0.0.0 255.0.0.0



The only "black area" to me is how to do a static translation from the DMZ to the VPN tunnels.


On the inside this is done by a "static" command, but how is this done on a VPN tunnel?

Or is the traffic just routed to the tunnel instead of being translated?


(I was taught a PIX ALWAYS does translation when crossing interfaces.)


jackko Tue, 11/22/2005 - 15:22
User Badges:
  • Gold, 750 points or more

nat (inside) 0 access-list nonat

nat (dmz) 0 access-list nonat_dmz


These two statements are used to disable NAT for VPN traffic.

wrusman Tue, 11/22/2005 - 23:34
These lines are already there...


Still no luck.


What is the thing I'm missing?

Man this is frustrating!!! :-)



suman.daniel Fri, 11/25/2005 - 01:58

You mentioned that you can't route 10.x.x.x into a VPN because there is no VPN interface created. I think I understand what you need. Although there is no separate VPN interface, you can just route the traffic towards the interface where the IPsec tunnel is terminated. For example, if your 501 has a route 0.0.0.0 0.0.0.0 to x.x.x.x, just add 10.x.x.x also towards the same gateway. The PIX will know that 10.x.x.x is on the outside and, while/before going there, the interesting-traffic ACL captures the packets and encrypts them. I have some tunnels working like that.
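Added example, not from this thread and not a Cisco tool: a small Python check written against the PIX 515 config wrusman posted above. It parses the "permit ip" access-list lines and the "route" lines and reports, for one DMZ host and one VPN peer, which of the conditions raised in the thread is not met: NAT exemption via nat (dmz) 0 (jackko's no-NAT point), the DMZ network in the split-tunnel list for RA clients (the 10.0.0.0 line jackko noticed was missing), the DMZ network in the L2L crypto ACL, and suman.daniel's point that the peer must route out the interface the tunnel terminates on. The l2lvpn crypto ACL contents, "outside" as the crypto map interface, and the sample addresses 10.0.0.1, 192.168.3.10 and 192.168.0.10 are assumptions; the sample config is a constructed excerpt, not a full PIX config.

```python
import ipaddress

# Constructed sample, adapted from the PIX 515 config posted in this thread.
# Not a complete config. The "l2lvpn" crypto ACL is an assumption: the thread
# never shows it, it only says the DMZ subnet has to be added to it.
PIX_CONFIG = """
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat_dmz extended permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0
access-list nonat_dmz extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
access-list splittunnel standard permit 192.168.2.0 255.255.255.0
access-list splittunnel standard permit 192.168.0.0 255.255.255.0
access-list l2lvpn extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_access_in extended permit ip host 10.0.0.1 host 192.168.2.5
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
"""

# The two DMZ lines the thread says are needed: the splittunnel line wrusman
# added, and an assumed l2lvpn line mirroring the DMZ entry in nonat_dmz.
DMZ_FIX = """
access-list splittunnel standard permit 10.0.0.0 255.0.0.0
access-list l2lvpn extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
"""

CRYPTO_MAP_IFACE = "outside"  # assumption: the crypto map is applied on outside


def _addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect 'permit ip' ACEs per ACL name and static routes per interface.
    tcp/udp ACEs, nat, static and everything else are ignored by this check."""
    acls, routes = {}, []
    for raw in text.splitlines():
        t = raw.split()
        try:
            if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
                src, i = _addr(t, 5)
                dst, _ = _addr(t, i)
                acls.setdefault(t[1], []).append((src, dst))
            elif t[:1] == ["access-list"] and t[2:4] == ["standard", "permit"]:
                n, _ = _addr(t, 4)
                acls.setdefault(t[1], []).append((n, None))  # None marks a standard ACE
            elif t[:1] == ["route"]:
                # route IFACE NET MASK GATEWAY [metric]; the gateway is not needed here
                routes.append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)))
        except (IndexError, ValueError):
            continue  # malformed or unsupported line
    return acls, routes


def _matches(aces, src, dst):
    """True if an extended ACE permits src -> dst."""
    return any(d is not None and src in s and dst in d for s, d in aces)


def egress_interface(routes, ip):
    """Longest-prefix match over the parsed 'route' lines."""
    best = max((r for r in routes if ip in r[1]), key=lambda r: r[1].prefixlen, default=None)
    return best[0] if best else None


def missing_for_dmz_flow(config_text, dmz_host, peer, ra_client):
    """Return the names of the conditions NOT met for traffic between a DMZ host
    and a VPN peer (an RA client from the vpnpool, or a host behind the L2L peer)."""
    acls, routes = parse_config(config_text)
    h, p = ipaddress.ip_address(dmz_host), ipaddress.ip_address(peer)
    checks = {
        # nat (dmz) 0 access-list nonat_dmz: the flow must be exempted from NAT so the
        # DMZ host keeps its real address inside the tunnel (no static needed)
        "nat_exempt": _matches(acls.get("nonat_dmz", []), h, p),
        # the peer must route out the interface that terminates the tunnel, so the
        # crypto map on that interface can pick the packets up
        "route_out_crypto_iface": egress_interface(routes, p) == CRYPTO_MAP_IFACE,
    }
    if ra_client:
        # RA clients only send to networks listed in the split-tunnel ACL
        checks["split_tunnel"] = any(h in n for n, d in acls.get("splittunnel", []) if d is None)
    else:
        # L2L: the crypto ACL must classify DMZ <-> remote as interesting traffic
        checks["crypto_acl"] = _matches(acls.get("l2lvpn", []), h, p)
    return sorted(name for name, ok in checks.items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("as posted", PIX_CONFIG), ("with DMZ lines", PIX_CONFIG + DMZ_FIX)):
        print(label, "RA client:", missing_for_dmz_flow(cfg, "10.0.0.1", "192.168.3.10", True))
        print(label, "L2L host: ", missing_for_dmz_flow(cfg, "10.0.0.1", "192.168.0.10", False))
```

Run as posted, the RA-client check reports only split_tunnel as missing and the L2L check only crypto_acl; with the two DMZ lines appended both lists are empty. The check deliberately reads the same three ACL names the thread discusses, so a mismatch between them shows up before the tunnel is brought up rather than as "the other side doesn't know where 10.x.x.x is".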
