01-07-2007 10:16 AM - edited 03-11-2019 02:16 AM
I am trying to allow access from a Cisco VPN client into our DMZ (consultant needs to be able to remote in). I thought I had the config right but it's still not working. Here is the pertinent config from my pix: The vpn segment is 192.168.9.X
access-list DMZ_access_in extended permit ip host 172.28.2.196 host 172.17.0.17
access-list DMZ_access_in extended permit ip host 172.28.2.196 host 172.17.0.16
access-list DMZ_access_in extended permit icmp host 172.28.2.196 Ethernet 255.255.0.0
access-list DMZ_access_in extended permit icmp host 172.28.2.196 192.168.9.0
access-list DMZ_access_in deny ip any 172.17.0.0 255.255.0.0
access-list DMZ_access_in permit ip host 172.28.2.196 192.168.9.0 255.255.255.0
static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
static (inside,DMZ) Ethernet Ethernet netmask 255.255.0.0
nat (DMZ) 1 0 0
global (outside) 1 interface
static (DMZ,outside) tcp 12.XX.44.237 ftp 172.28.2.195 ftp netmask 255.255.255.255
static (DMZ,outside) tcp 12.XX.44.237 www 172.28.2.196 www netmask 255.255.255.255
static (DMZ,outside) tcp 12.XX.44.237 https 172.28.2.196 https netmask 255.255.255.255
01-07-2007 11:55 AM
If you want the VPN users to connect to DMZ you need to allow access on the inside interface, i.e.:
access-list inside_access_in permit ip 192.168.9.0 255.255.255.0 host 172.28.2.196
Everything else seems to be fine.
Please rate if this helped.
Regards,
Daniel
01-07-2007 08:16 PM
Hi .. I think you are a bit confused here :-) ..
Basically the only thing you need to make sure is that the interesting traffic for IPsec also allows access to the DMZ segment. Traffic to and from the DMZ towards the VPN segment needs to bypass NAT so that they can see each other with their real IP addresses.
If you post your config .. without passwords .. You should be able to get help right away ..
I hope it helps .. please rate it if it does !!
01-08-2007 06:19 AM
01-08-2007 11:18 AM
Fernando is right. I looked at the config and there is no acl present that will bypass nat from vpn-pool to dmz-network. It should be in this acl.
access-list inside_nat0_outbound extended permit ip any 192.168.9.100 255.255.255.252
access-list inside_nat0_outbound extended permit ip object-group Vision_VPN_Servers_Allowed 192.168.9.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip host 12.34.44.227 host GE_FTPServer
access-list inside_nat0_outbound extended permit ip host 12.34.44.227 object-group Schneider_FTP_Servers
access-list inside_nat0_outbound extended permit ip Ethernet 255.255.0.0 192.168.9.0 255.255.255.0
01-08-2007 11:55 AM
I thought my static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0 was doing the same thing?
01-08-2007 12:18 PM
That is not defining what should not be encrypted. Your acl for your encryption domain must specify the interesting networks being accessed. In your case your dmz network. That static will never process if your encryption domain is not specified correctly.
01-08-2007 12:27 PM
I thought my static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0 was doing the same thing?
01-08-2007 01:27 PM
access-list inside_nat0_outbound extended permit ip
That is not defining what should be encrypted or not. Your acl for your encryption domain must specify the interesting networks being accessed. In your case your dmz network. That static will never process if your encryption domain is not specified correctly.
01-08-2007 03:30 PM
Hi .. The VPN tunnel terminates at the outside interface and so that is the interface that the packets are to be routed to when coming back from the DMZ ... The IPsec interesting traffic is OK as it includes all traffic to 192.168.9.0/24 and so I suggest adding a nat 0
as below
access-list test extended permit ip any 192.168.9.0 255.255.255.0
nat (DMZ) 0 access-list test
Also are you able to access any internal device at all ..?
Are you able to successfully establish the tunnel ..?
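The two points the replies keep coming back to (that an identity static on the inside/DMZ pair does nothing for traffic that enters on the outside interface, and that DMZ-to-VPN-pool traffic must be exempted from NAT with a nat 0 access-list) can be checked mechanically. The script below is an added example written for this thread; it is not code from the original posts or from Cisco. It parses a small constructed set of PIX 7.x-style lines (the identity static from the first post, then the nat 0 fragment from the last reply) and applies the assumed PIX evaluation order of NAT exemption first, then static, then dynamic nat/global, to a few flows. The flows, the hypothetical VPN client address 192.168.9.50 and the function names are all constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed PIX 7.x-style fragments (example input, not the thread's config).
# BEFORE: only the identity static the original poster relied on.
CONFIG_BEFORE = """
static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
nat (DMZ) 1 0 0
global (outside) 1 interface
"""

# AFTER: the NAT exemption suggested in the last reply, added on top.
CONFIG_AFTER = CONFIG_BEFORE + """
access-list test extended permit ip any 192.168.9.0 255.255.255.0
nat (DMZ) 0 access-list test
"""


def _addr(toks: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one ACL address spec: any | host A.B.C.D | A.B.C.D MASK."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def parse_config(text: str) -> Dict:
    """Collect access-lists, identity/static entries and nat 0 exemptions."""
    cfg: Dict = {"acls": {}, "statics": [], "nat0": {}}
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "access-list":
            toks = p[2:]
            if toks[0] == "extended":
                toks = toks[1:]
            action, proto = toks[0], toks[1]
            src, rest = _addr(toks[2:])
            dst, _ = _addr(rest)
            cfg["acls"].setdefault(p[1], []).append((action, proto, src, dst))
        elif p[0] == "static" and p[2] not in ("tcp", "udp"):
            # static (real_if,mapped_if) real mapped [netmask MASK]
            real_if, mapped_if = p[1].strip("()").split(",")
            mask = p[5] if len(p) > 5 and p[4] == "netmask" else "255.255.255.255"
            real = ipaddress.ip_network(f"{p[2]}/{mask}", strict=False)
            cfg["statics"].append((real_if, mapped_if, real, p[3]))
        elif p[0] == "nat" and p[2] == "0" and len(p) > 4 and p[3] == "access-list":
            # nat (iface) 0 access-list NAME  -> NAT exemption on that interface
            cfg["nat0"][p[1].strip("()")] = p[4]
    return cfg


def acl_permits(cfg: Dict, name: str, src, dst) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for action, _proto, s, d in cfg["acls"].get(name, []):
        if src in s and dst in d:
            return action == "permit"
    return False


def nat_decision(cfg: Dict, ingress: str, egress: str, src_ip: str, dst_ip: str) -> str:
    """Return 'exempt', 'identity-static' or 'translate' for one flow.
    Assumed order (PIX 7.x): nat 0 exemption, then static, then dynamic NAT."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl = cfg["nat0"].get(ingress)
    if acl and acl_permits(cfg, acl, src, dst):
        return "exempt"
    # An identity static is bound to the interface pair it names (either
    # direction) and to the real network it lists; nothing else matches it.
    for real_if, mapped_if, real, mapped in cfg["statics"]:
        if {ingress, egress} != {real_if, mapped_if}:
            continue
        if real.network_address != ipaddress.ip_address(mapped):
            continue  # not an identity static
        if (ingress == real_if and src in real) or (ingress == mapped_if and dst in real):
            return "identity-static"
    return "translate"  # falls through to nat (DMZ) 1 / global (outside) 1


if __name__ == "__main__":
    before, after = parse_config(CONFIG_BEFORE), parse_config(CONFIG_AFTER)
    # Return traffic from the DMZ web server to a VPN client enters on DMZ and
    # leaves via outside, where the tunnel terminates; the inside/DMZ static
    # never sees it.
    print("before:", nat_decision(before, "DMZ", "outside", "172.28.2.196", "192.168.9.50"))
    print("after: ", nat_decision(after, "DMZ", "outside", "172.28.2.196", "192.168.9.50"))
```

Running it prints "translate" for the original config and "exempt" once the nat 0 access-list is present, while an inside-to-DMZ flow from 192.168.9.50 still matches the identity static in both cases. The model deliberately stops at the NAT decision; it does not evaluate the crypto map or the interface ACLs, which the other replies point out also have to permit the flow.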