DMZ access from VPN client

boshardy1
Level 1

I am trying to allow access from a Cisco VPN client into our DMZ (a consultant needs to be able to remote in). I thought I had the config right but it's still not working. Here is the pertinent config from my PIX. The VPN segment is 192.168.9.x:

access-list DMZ_access_in extended permit ip host 172.28.2.196 host 172.17.0.17
access-list DMZ_access_in extended permit ip host 172.28.2.196 host 172.17.0.16
access-list DMZ_access_in extended permit icmp host 172.28.2.196 Ethernet 255.255.0.0
access-list DMZ_access_in extended permit icmp host 172.28.2.196 192.168.9.0
access-list DMZ_access_in deny ip any 172.17.0.0 255.255.0.0
access-list DMZ_access_in permit ip host 172.28.2.196 192.168.9.0 255.255.255.0

static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
static (inside,DMZ) Ethernet Ethernet netmask 255.255.0.0

nat (DMZ) 1 0 0
global (outside) 1 interface

static (DMZ,outside) tcp 12.XX.44.237 ftp 172.28.2.195 ftp netmask 255.255.255.255
static (DMZ,outside) tcp 12.XX.44.237 www 172.28.2.196 www netmask 255.255.255.255
static (DMZ,outside) tcp 12.XX.44.237 https 172.28.2.196 https netmask 255.255.255.255

9 Replies

5220
Level 4

If you want the VPN users to connect to the DMZ you need to allow access on the inside interface, i.e.:

access-list inside_access_in permit ip 192.168.9.0 255.255.255.0 host 172.28.2.196

Everything else seems to be fine.

Please rate if this helped.

Regards,

Daniel

Fernando_Meza
Level 7

Hi .. I think you are a bit confused here :-) ..

Basically the only thing you need to make sure of is that the interesting traffic for IPsec also allows access to the DMZ segment. Traffic to and from the DMZ towards the VPN segment needs to bypass NAT so that they can see each other with their real IP addresses.

If you post your config .. without passwords .. you should be able to get help right away ..

I hope it helps .. please rate it if it does !!

boshardy1
Level 1

Here is the config.

Fernando is right. I looked at the config and there is no ACL entry present that will bypass NAT from the VPN pool to the DMZ network. It should be in this ACL:

access-list inside_nat0_outbound extended permit ip any 192.168.9.100 255.255.255.252
access-list inside_nat0_outbound extended permit ip object-group Vision_VPN_Servers_Allowed 192.168.9.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip host 12.34.44.227 host GE_FTPServer
access-list inside_nat0_outbound extended permit ip host 12.34.44.227 object-group Schneider_FTP_Servers
access-list inside_nat0_outbound extended permit ip Ethernet 255.255.0.0 192.168.9.0 255.255.255.0

I thought my static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0 was doing the same thing?

That is not defining what should not be encrypted. Your ACL for your encryption domain must specify the interesting networks being accessed, in your case your DMZ network. That static will never be processed if your encryption domain is not specified correctly.

I thought my static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0 was doing the same thing?

access-list inside_nat0_outbound extended permit ip 192.168.9.0 255.255.255.128

That is not defining what should be encrypted or not. Your ACL for your encryption domain must specify the interesting networks being accessed, in your case your DMZ network. That static will never be processed if your encryption domain is not specified correctly.

Hi .. The VPN tunnel terminates at the outside interface and so that is the interface that the packets are to be routed to when coming back from the DMZ ... The IPsec interesting traffic is OK as it includes all traffic to 192.168.9.0/24, and so I suggest adding a nat 0 as below:

access-list test extended permit ip any 192.168.9.0 255.255.255.0
nat (DMZ) 0 access-list test

Also are you able to access any internal device at all ..?

Are you able to successfully establish the tunnel ..?
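The two NAT-related answers above (the reply noting that inside_nat0_outbound has no VPN-pool-to-DMZ entry, and Fernando's suggestion to bind a nat 0 ACL to the DMZ interface) both come down to one question: for a given flow on a given interface, does a NAT-exemption ACL match it before anything else does? The following script is an added example, not code from the thread or from Cisco. It parses only the subset of PIX/ASA 7.x syntax the posts use (access-list ... extended permit|deny <proto> <src> <dst> and nat (<iface>) 0 access-list <name>), evaluates first-match semantics, and refuses to guess when an entry uses a name or object-group it cannot resolve (Ethernet, GE_FTPServer, Vision_VPN_Servers_Allowed). The binding of inside_nat0_outbound to nat (inside) 0, the inside host 10.0.0.5 and the VPN client 192.168.9.50 are assumptions constructed for the example.

```python
"""Check whether a flow bypasses NAT (nat 0) in a PIX/ASA 7.x-style config.

Added example, not code from the forum thread or from Cisco.  Only the
subset of syntax used in the thread is understood; anything else is
reported as unresolved rather than silently treated as a non-match.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _endpoint(tokens, i):
    """Parse one ACL endpoint at tokens[i]; return (network or None, next index).

    None means the endpoint is a name/object-group (or the line is truncated)
    and this parser cannot tell which addresses it covers.
    """
    if i >= len(tokens):
        return None, i
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok in ("host", "object-group"):
        if i + 1 >= len(tokens):
            return None, i + 1
        if tok == "object-group":
            return None, i + 2
        try:
            return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
        except ValueError:  # e.g. "host GE_FTPServer": a named object
            return None, i + 2
    if i + 1 >= len(tokens):  # "192.168.9.0" with no mask: truncated line
        return None, i + 1
    try:  # "192.168.9.0 255.255.255.0" -> 192.168.9.0/24
        return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2
    except ValueError:  # e.g. "Ethernet 255.255.0.0": a name, not an address
        return None, i + 2


def parse_config(lines):
    """Return (acls, nat0): ACL name -> ordered entries, interface -> nat 0 ACL."""
    acls, nat0 = {}, {}
    for raw in lines:
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list" and len(t) > 2:
            idx = [k for k, w in enumerate(t) if w in ("permit", "deny")]
            if not idx or idx[0] + 1 >= len(t):
                continue
            a = idx[0]
            src, j = _endpoint(t, a + 2)
            dst, _ = _endpoint(t, j)
            acls.setdefault(t[1], []).append(
                {"action": t[a], "proto": t[a + 1], "src": src, "dst": dst, "raw": raw})
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            nat0[t[1].strip("()")] = t[4]  # "(DMZ)" -> "DMZ"
    return acls, nat0


def nat_exempt(acls, nat0, iface, src_ip, dst_ip, proto="ip"):
    """Classify a flow entering `iface` as exempt / translated / no-nat0 / unresolved.

    First match wins, as on the box.  If an unresolvable entry precedes the
    first resolvable match, the answer is "unresolved" with those lines, because
    the box may already have matched one of them.
    """
    acl_name = nat0.get(iface)
    if acl_name is None:
        return "no-nat0", None
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    unresolved = []
    for e in acls.get(acl_name, []):
        if e["src"] is None or e["dst"] is None:
            unresolved.append(e["raw"])
            continue
        if e["proto"] not in ("ip", proto):
            continue
        if s in e["src"] and d in e["dst"]:
            if unresolved:
                return "unresolved", unresolved
            return ("exempt" if e["action"] == "permit" else "translated"), e["raw"]
    return ("unresolved", unresolved) if unresolved else ("translated", None)


# Constructed sample: the nat0 lines posted in the thread, plus an assumed
# "nat (inside) 0" binding for them, and the DMZ dynamic NAT from the question.
BEFORE = [
    "nat (DMZ) 1 0 0",
    "global (outside) 1 interface",
    "nat (inside) 0 access-list inside_nat0_outbound",
    "access-list inside_nat0_outbound extended permit ip any 192.168.9.100 255.255.255.252",
    "access-list inside_nat0_outbound extended permit ip object-group Vision_VPN_Servers_Allowed 192.168.9.0 255.255.255.128",
    "access-list inside_nat0_outbound extended permit ip host 12.34.44.227 host GE_FTPServer",
    "access-list inside_nat0_outbound extended permit ip Ethernet 255.255.0.0 192.168.9.0 255.255.255.0",
]
# Same config with the nat 0 suggested in the last reply added on the DMZ interface.
AFTER = BEFORE + [
    "access-list test extended permit ip any 192.168.9.0 255.255.255.0",
    "nat (DMZ) 0 access-list test",
]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        acls, nat0 = parse_config(cfg)
        # DMZ web host replying to an assumed VPN client address
        print(label, "DMZ -> VPN client:", nat_exempt(acls, nat0, "DMZ", "172.28.2.196", "192.168.9.50"))
        # assumed inside host toward the VPN pool
        print(label, "inside -> VPN pool:", nat_exempt(acls, nat0, "inside", "10.0.0.5", "192.168.9.50"))
```

Run it as-is to see that the "before" config has no nat 0 on DMZ at all (so return traffic to the VPN client is subject to nat (DMZ) 1), while "after" exempts it on the first line of ACL test. The inside-side check also shows why eyeballing the posted ACL is unreliable: for 192.168.9.50 the only candidate entries use names or object-groups, so the tool reports them as unresolved instead of declaring the flow translated.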
