11-22-2005 01:04 AM - edited 02-21-2020 02:07 PM
Hello,
I currently have a PIX 515 running an L2L VPN with a PIX 501 and an RA VPN with Cisco VPN clients.
Is there a way to let clients on the L2L and RA VPN sites access a server on the DMZ of the PIX 515?
Preferably via a static NAT, so the IP address of the DMZ host stays the same.
11-22-2005 04:19 AM
The DMZ subnet needs to be included in both the no-NAT and the crypto ACLs.
With the current PIX 515 config:
access-list no_nat permit ip
access-list no_nat permit ip
access-list l2lvpn permit ip
access-list re_vpn permit ip
Now, a new no-NAT ACL needs to be configured for the PIX 515 DMZ interface:
access-list no_nat_dmz permit ip
access-list no_nat_dmz permit ip
access-list l2lvpn permit ip
access-list re_vpn permit ip
nat (dmz) 0 access-list no_nat_dmz
For the PIX 501:
access-list no_nat permit ip
access-list no_nat permit ip
access-list l2lvpn permit ip
access-list l2lvpn permit ip
11-22-2005 04:57 AM
Hello jackko,
Thanks for your response.
I have tried the changes in the access lists, but the other side of the VPN still doesn't seem to know where the 10.x.x.x segment is located.
I can't create a static route, since Cisco doesn't create a VPN interface (like Linux does).
Here I post the relevant config of the PIX 515; maybe you can see what goes wrong here?
interface Ethernet0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.252 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.0.0.254 255.0.0.0
!
access-list outside_inbound extended permit tcp any interface outside eq https
access-list outside_inbound extended permit tcp any interface outside eq imap4
access-list outside_inbound extended permit tcp any interface outside eq smtp
access-list outside_inbound extended permit icmp any any
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list splittunnel standard permit 192.168.2.0 255.255.255.0
access-list splittunnel standard permit 192.168.0.0 255.255.255.0
access-list dmz_access_in extended permit ip host 10.0.0.1 host 192.168.2.5
access-list dmz_access_in extended permit ip host 10.0.0.1 host 192.168.2.1
access-list nonat_dmz extended permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0
access-list nonat_dmz extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
ip local pool vpnpool 192.168.3.1-192.168.3.50
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.2.0 255.255.255.0
nat (dmz) 0 access-list nonat_dmz
nat (dmz) 1 10.0.0.0 255.255.255.0
static (inside,outside) tcp interface imap4 192.168.2.1 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.2.1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.2.1 https netmask 255.255.255.255
static (dmz,outside) tcp x.x.x.x https 10.0.0.1 https netmask 255.255.255.255
static (dmz,outside) tcp x.x.x.x www 10.0.0.1 www netmask 255.255.255.255
static (dmz,inside) 10.0.0.1 10.0.0.1 netmask 255.255.255.255
static (inside,dmz) 192.168.2.5 192.168.2.5 netmask 255.255.255.255
static (inside,dmz) 192.168.2.3 192.168.2.3 netmask 255.255.255.255
static (inside,dmz) 192.168.2.1 192.168.2.1 netmask 255.255.255.255
access-group outside_inbound in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
group-policy clientgroup internal
group-policy clientgroup attributes
wins-server value 192.168.2.3 192.168.2.5
dns-server value 192.168.2.3 192.168.2.5
vpn-idle-timeout 20
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value **.**
sysopt noproxyarp inside
sysopt noproxyarp dmz
11-22-2005 05:06 AM
Just a quick comment.
access-list splittunnel standard permit 192.168.2.0 255.255.255.0
access-list splittunnel standard permit 192.168.0.0 255.255.255.0
The DMZ subnet 10.0.0.0 seems to be missing.
11-22-2005 05:14 AM
Sorry, that was an old config; I already added
access-list splittunnel standard permit 10.0.0.0 255.0.0.0
The only "black area" to me is how to do a static translation from the DMZ to the VPN tunnels.
On the inside this is done with a "static" command, but how is this done on a VPN tunnel?
Or is the traffic just routed into the tunnel instead of translated?
(I was taught that a PIX ALWAYS does translation when crossing interfaces.)
11-22-2005 03:22 PM
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat_dmz
These two statements are used to disable NAT for VPN traffic.
11-22-2005 11:34 PM
These lines are already there...
Still no luck.
What is the thing I'm missing?
Man, this is frustrating!!! :-)
11-25-2005 01:58 AM
You mentioned that you can't route 10.x.x.x into a VPN because there is no VPN interface created. I think I understand what you need. Although there is no separate VPN interface, you can just route the traffic towards the interface where the IPsec tunnel is terminated. For example, if your 501 has a route 0.0.0.0 0.0.0.0 to x.x.x.x, just add 10.x.x.x towards the same gateway. The PIX will know that 10.x.x.x is on the outside, and before the packet goes there, the interesting-traffic ACL captures it and encrypts it. I have some tunnels working like that.
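The following checker is an added example and is not code from this thread or from Cisco. It turns the three points raised above into something that can be run offline: jackko's note that the DMZ subnet must appear in the no-NAT and crypto ACLs, the observation that 10.0.0.0/8 was missing from the split-tunnel list in the posted config, and the last reply's point that, with no VPN interface to route into, a packet is routed toward the outside interface and only then matched against the crypto ACL. The PIX 515 lines are copied from the posted config; the PIX 501 config, the 203.0.113.x addresses and the function names are constructed for the example. The packet-path model assumes that on a PIX the NAT decision (including the nat 0 exemption) is made before the crypto ACL is consulted, so a source that is not exempt is PATed to the outside interface address and no longer matches the crypto ACL.

```python
"""Offline checker for the PIX VPN reachability points discussed in this thread.

Added example, not from the thread.  Parses a subset of the posted pix515 config
plus a constructed pix501 config and reports (1) VPN peer networks with no nat 0
exemption on an interface, (2) protected subnets missing from the split-tunnel
list, (3) for one packet on the 501: egress interface from the route table, the
source address the crypto ACL sees, and whether it is encrypted.
Modelling assumption: NAT (incl. the nat 0 exemption) is applied before the
crypto ACL match, so an un-exempt source is PATed to the outside address.
"""
import ipaddress

# Lines copied from the posted pix515 config (x.x.x.x kept as posted).
PIX515 = """
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list splittunnel standard permit 192.168.2.0 255.255.255.0
access-list splittunnel standard permit 192.168.0.0 255.255.255.0
access-list nonat_dmz extended permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0
access-list nonat_dmz extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat_dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
"""

# Constructed pix501 config (not posted in the thread): the crypto ACL already
# names the DMZ, but the nat 0 list was never extended.  203.0.113.1 is a placeholder.
PIX501 = """
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2lvpn permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2lvpn permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def addr_spec(tok, i):
    """Read one ACL address spec (any | host A | A MASK) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return net(tok[i], tok[i + 1]), i + 2


def parse(config):
    """Return ({acl: [(src, dst)]}, {interface: nat 0 acl name}, [(iface, network, gateway)])."""
    acls, nat0, routes = {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and "permit" in t:
            body = t[t.index("permit") + 1:]
            if t[2] == "standard":                     # standard list: NET MASK
                acls.setdefault(t[1], []).append((None, net(body[0], body[1])))
            elif body[0] == "ip":                      # extended ip: SRC DST (other protocols ignored)
                src, i = addr_spec(body, 1)
                dst, _ = addr_spec(body, i)
                acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0[t[1].strip("()")] = t[4]
        elif t[0] == "route":
            routes.append((t[1], net(t[2], t[3]), t[4]))
    return acls, nat0, routes


def nat0_gaps(cfg, peer_nets):
    """Per interface, the VPN peer networks its nat 0 ACL does not exempt from translation."""
    acls, nat0, _ = cfg
    out = {}
    for iface, name in nat0.items():
        exempt = [dst for _, dst in acls.get(name, [])]
        out[iface] = [str(n) for n in peer_nets if not any(n.subnet_of(e) for e in exempt)]
    return out


def split_tunnel_missing(cfg, list_name, protected):
    """Protected subnets that the split-tunnel network list does not cover."""
    covered = [dst for _, dst in cfg[0].get(list_name, [])]
    return [str(n) for n in protected if not any(n.subnet_of(c) for c in covered)]


def vpn_path(cfg, ingress, crypto_acl, src, dst, pat_addr="203.0.113.2"):
    """Model one outbound packet: (egress iface or None, source the crypto ACL sees, encrypted?)."""
    acls, nat0, routes = cfg
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in routes if d in r[1]]            # longest-prefix route lookup picks egress
    if not hits:
        return None, src, False                        # no route at all: the PIX drops it
    iface = max(hits, key=lambda r: r[1].prefixlen)[0]
    exempt = any(s in a and d in b for a, b in acls.get(nat0.get(ingress, ""), []))
    seen = s if exempt else ipaddress.ip_address(pat_addr)   # un-exempt source is PATed (assumption)
    matched = any(seen in a and d in b for a, b in acls.get(crypto_acl, []))
    return iface, str(seen), matched


if __name__ == "__main__":
    p515, p501 = parse(PIX515), parse(PIX501)
    print("515 split-tunnel missing:", split_tunnel_missing(
        p515, "splittunnel", [net("192.168.2.0", "255.255.255.0"), net("10.0.0.0", "255.0.0.0")]))
    print("501 nat 0 gaps:", nat0_gaps(p501, [net("192.168.2.0", "255.255.255.0"), net("10.0.0.0", "255.0.0.0")]))
    print("501 192.168.0.10 -> 10.0.0.1:", vpn_path(p501, "inside", "l2lvpn", "192.168.0.10", "10.0.0.1"))
```

Run against the posted 515 lines, the checker reports no nat 0 gaps on either interface but flags 10.0.0.0/8 as missing from the split-tunnel list, which is exactly the quick comment above. Run against the constructed 501 config, it shows that a packet from 192.168.0.10 to 10.0.0.1 is routed out the outside interface via the default route, so a dedicated route is not what decides reachability here; what breaks the tunnel in this model is the missing nat 0 entry, which leaves the source PATed to the outside address so the l2lvpn ACL never matches. Appending the missing no-NAT line flips the result to encrypted.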