04-06-2007 11:22 AM - edited 03-11-2019 02:57 AM
I have a 3-interface PIX 515E at our core site (inside, outside, DMZ). We have 4 remote sites that connect to our main office via VPN tunnels terminating on the PIX. Currently the remote sites cannot access the DMZ. The tunnels are functioning perfectly in all aspects except for DMZ access. Any ideas?
04-06-2007 01:55 PM
You are missing nat exemption from your dmz to remote networks. ADD the following...
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Appleton 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Racine 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 CCNHEIL 255.255.255.0
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl
You can REMOVE the following statements from your inside nat exemption.
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Appleton 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Racine 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 CCNHEIL 255.255.255.0
Please rate if it helps.
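An added example, not part of the original thread or of anyone's posted config: a Python check for the mistake the answer above corrects, where a NAT exemption entry sits in the ACL bound to one interface while its source network lives behind another. The inside network name CCNLAN, the NET_TO_IFACE mapping and the sample config are constructed assumptions; only the `access-list ... permit ip` and `nat (if) 0 access-list` line forms shown in the thread are parsed.

```python
import re

# Constructed sample of the "before" state: DMZ-sourced entries placed in the
# inside exemption ACL. CCNLAN is a made-up name for the inside network.
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip CCNLAN 255.255.255.0 Madison 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Appleton 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
"""

# Assumption: the operator states which network name sits behind which interface.
NET_TO_IFACE = {"CCNLAN": "inside", "CCNDMZ": "DMZ"}

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) \S+ (\S+) \S+\s*$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)\s*$")

def parse(config):
    """Return ({acl: [(src, dst), ...]}, {interface: acl}); masks are ignored."""
    acls, nat0 = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
    return acls, nat0

def audit_nat0(config, net_to_iface):
    """Find exemption entries bound to the wrong interface, and the
    (interface, src, dst) exemptions that are therefore still missing."""
    acls, nat0 = parse(config)
    misplaced, effective = [], set()
    for iface, acl in nat0.items():
        for src, dst in acls.get(acl, []):
            owner = net_to_iface.get(src)
            if owner == iface:
                effective.add((src, dst))
            elif owner is not None:
                misplaced.append((acl, iface, src, dst, owner))
    missing = sorted({(owner, src, dst) for _, _, src, dst, owner in misplaced
                      if (src, dst) not in effective})
    return misplaced, missing

if __name__ == "__main__":
    for acl, iface, src, dst, owner in audit_nat0(SAMPLE_CONFIG, NET_TO_IFACE)[0]:
        print(f"{acl} on ({iface}): {src} -> {dst} belongs on nat ({owner}) 0")
```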
04-06-2007 11:32 AM
Without the config, I can only guess... NAT exemption from DMZ subnet to VPN client subnet, probably.
04-06-2007 11:49 AM