New Member

DMZ access from VPN client

I am trying to allow access from a Cisco VPN client into our DMZ (a consultant needs to be able to remote in). I thought I had the config right but it's still not working. Here is the pertinent config from my PIX; the VPN segment is 192.168.9.X:

access-list DMZ_access_in extended permit ip host 172.28.2.196 host 172.17.0.17
access-list DMZ_access_in extended permit ip host 172.28.2.196 host 172.17.0.16
access-list DMZ_access_in extended permit icmp host 172.28.2.196 Ethernet 255.255.0.0
access-list DMZ_access_in extended permit icmp host 172.28.2.196 192.168.9.0
access-list DMZ_access_in deny ip any 172.17.0.0 255.255.0.0
access-list DMZ_access_in permit ip host 172.28.2.196 192.168.9.0 255.255.255.0
static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
static (inside,DMZ) Ethernet Ethernet netmask 255.255.0.0
nat (DMZ) 1 0 0
global (outside) 1 interface
static (DMZ,outside) tcp 12.XX.44.237 ftp 172.28.2.195 ftp netmask 255.255.255.255
static (DMZ,outside) tcp 12.XX.44.237 www 172.28.2.196 www netmask 255.255.255.255
static (DMZ,outside) tcp 12.XX.44.237 https 172.28.2.196 https netmask 255.255.255.255

9 REPLIES

Re: DMZ access from VPN client

If you want the VPN users to connect to the DMZ you need to allow access on the inside interface, i.e.:

access-list inside_access_in permit ip 192.168.9.0 255.255.255.0 host 172.28.2.196

Everything else seems to be fine.

Please rate if this helped.

Regards,

Daniel

Re: DMZ access from VPN client

Hi .. I think you are a bit confused here :-) ..

Basically the only thing you need to make sure of is that the interesting traffic for IPsec also allows access to the DMZ segment. Traffic to and from the DMZ towards the VPN segment needs to bypass NAT so that they can see each other with their real IP addresses.

If you post your config (without passwords), you should be able to get help right away.

I hope it helps .. please rate it if it does !!

New Member

Re: DMZ access from VPN client

Here is config

New Member

Re: DMZ access from VPN client

Fernando is right. I looked at the config and there is no ACL present that will bypass NAT from the VPN pool to the DMZ network. It should be in this ACL:

access-list inside_nat0_outbound extended permit ip any 192.168.9.100 255.255.255.252
access-list inside_nat0_outbound extended permit ip object-group Vision_VPN_Servers_Allowed 192.168.9.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip host 12.34.44.227 host GE_FTPServer
access-list inside_nat0_outbound extended permit ip host 12.34.44.227 object-group Schneider_FTP_Servers
access-list inside_nat0_outbound extended permit ip Ethernet 255.255.0.0 192.168.9.0 255.255.255.0

New Member

Re: DMZ access from VPN client

I thought my static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0 was doing the same thing?

New Member

Re: DMZ access from VPN client

That does not define what should not be encrypted. Your ACL for your encryption domain must specify the interesting networks being accessed, in your case your DMZ network. That static will never be processed if your encryption domain is not specified correctly.

New Member

Re: DMZ access from VPN client

access-list inside_nat0_outbound extended permit ip 192.168.9.0 255.255.255.128

That does not define what should or should not be encrypted. Your ACL for your encryption domain must specify the interesting networks being accessed, in your case your DMZ network. That static will never be processed if your encryption domain is not specified correctly.

Re: DMZ access from VPN client

Hi. The VPN tunnel terminates at the outside interface, and so that is the interface that the packets are to be routed to when coming back from the DMZ. The IPsec interesting traffic is OK, as it includes all traffic to 192.168.9.0/24, and so I suggest adding a nat 0 as below:

access-list test extended permit ip any 192.168.9.0 255.255.255.0
nat (DMZ) 0 access-list test

Also, are you able to access any internal device at all?

Are you able to successfully establish the tunnel ..?
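
Added example, not from any reply in this thread: a short Python model of the PIX 7.x NAT lookup order (exemption first, then static, then dynamic nat/global; a simplification that ignores policy NAT and the port statics) run against a fragment constructed from the lines posted above, and then against the same fragment with the nat 0 from the last reply added. It shows why the static (inside,DMZ) identity never matches traffic between the DMZ and the outside interface, where the VPN tunnel terminates, and why the exemption does. The config fragments, the interface names and the sample VPN client address 192.168.9.50 are assumptions for the demo, not the poster's real configuration.

```python
import ipaddress

# Constructed fragment assembled from the lines posted in this thread (assumption:
# it is not the poster's complete configuration; port statics and other ACLs omitted).
ORIGINAL_CFG = """\
access-list DMZ_access_in extended permit ip host 172.28.2.196 192.168.9.0 255.255.255.0
static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
nat (DMZ) 1 0 0
global (outside) 1 interface
"""

# The NAT exemption suggested in the last reply, appended to the same fragment.
FIXED_CFG = ORIGINAL_CFG + """\
access-list test extended permit ip any 192.168.9.0 255.255.255.0
nat (DMZ) 0 access-list test
"""


def _ipnet(addr, mask):
    """PIX writes 'nat (DMZ) 1 0 0' for 0.0.0.0/0; normalise that shorthand."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _operand(tokens):
    """Consume one ACL address operand (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return _ipnet("0", "0"), tokens[1:]
    if tokens[0] == "host":
        return _ipnet(tokens[1], "255.255.255.255"), tokens[2:]
    return _ipnet(tokens[0], tokens[1]), tokens[2:]


def parse(cfg):
    """Parse only the PIX 7.x syntax used in the fragments above: extended permit ACLs,
    network statics, 'nat 0 access-list', dynamic nat, and global."""
    acls, statics, nat0, dyn, glob = {}, [], {}, [], {}
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            src, rest = _operand(t[5:])
            dst, _ = _operand(rest)
            acls.setdefault(t[1], []).append((t[4], src, dst))
        elif t[0] == "static":  # static (real_if,mapped_if) mapped real netmask M
            real_if, mapped_if = t[1].strip("()").split(",")
            mask = t[t.index("netmask") + 1]
            statics.append((real_if, mapped_if, _ipnet(t[3], mask), _ipnet(t[2], mask)))
        elif t[0] == "nat":
            ifc = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":
                nat0[ifc] = t[4]  # NAT exemption, keyed by the interface it is applied to
            else:
                dyn.append((ifc, t[2], _ipnet(t[3], t[4])))
        elif t[0] == "global":
            glob[(t[1].strip("()"), t[2])] = " ".join(t[3:])
    return acls, statics, nat0, dyn, glob


def nat_decision(cfg, src_if, dst_if, src_ip, dst_ip):
    """Which rule handles a new connection entering src_if and leaving dst_if?
    Modelled order (PIX 7.x, simplified): exemption -> static -> dynamic nat/global.
    Exemption and static work in both directions; dynamic nat only for outbound-initiated
    traffic. Policy NAT and port statics are not modelled; nat-control assumed enabled."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acls, statics, nat0, dyn, glob = parse(cfg)
    acl = nat0.get(src_if)
    if acl and any(src_ip in s and dst_ip in d for _, s, d in acls.get(acl, [])):
        return f"exempt: nat ({src_if}) 0 access-list {acl}"
    acl = nat0.get(dst_if)
    if acl and any(dst_ip in s and src_ip in d for _, s, d in acls.get(acl, [])):
        return f"exempt (reverse): nat ({dst_if}) 0 access-list {acl}"
    for real_if, mapped_if, real_net, mapped_net in statics:
        # A static only ever applies to the interface pair it names.
        if (src_if, dst_if) == (real_if, mapped_if) and src_ip in real_net:
            return f"static ({real_if},{mapped_if}): {real_net} -> {mapped_net}"
        if (src_if, dst_if) == (mapped_if, real_if) and dst_ip in mapped_net:
            return f"static ({real_if},{mapped_if}) reverse: {mapped_net} -> {real_net}"
    for ifc, nid, net in dyn:
        if ifc == src_if and src_ip in net and (dst_if, nid) in glob:
            return f"dynamic: nat ({ifc}) {nid} -> global ({dst_if}) {nid} {glob[(dst_if, nid)]}"
    return "none: no translation for this interface pair"


if __name__ == "__main__":
    flows = [
        ("inside", "DMZ", "192.168.9.50", "172.28.2.196"),   # the pair the static covers
        ("DMZ", "outside", "172.28.2.196", "192.168.9.50"),  # DMZ host towards the tunnel
        ("outside", "DMZ", "192.168.9.50", "172.28.2.196"),  # VPN client into the DMZ
    ]
    for name, cfg in (("posted", ORIGINAL_CFG), ("with nat 0", FIXED_CFG)):
        for f in flows:
            print(f"{name:11} {f[0]:>7} -> {f[1]:<8} {nat_decision(cfg, *f)}")
```

With the posted fragment the DMZ host is PAT'd to the outside interface address when it answers the VPN client, and a client-initiated connection to the DMZ host's real address finds no translation at all; the static (inside,DMZ) only fires for traffic that actually enters on inside. With the nat 0 on the DMZ interface both directions are exempted.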
