Pix 515E Remote VPN's Cannot Access DMZ

chrislisser
Level 1

I have a 3 interface Pix 515E at our core site (inside, outside, DMZ). We have 4 remote sites that connect to our main office via VPN tunnels terminating on the pix. Currently the remote sites cannot access the DMZ. The tunnels are functioning perfectly in all aspects except for DMZ access. Any ideas?


3 Replies

acomiskey
Level 10

Without the config, I can only guess... NAT exemption from the DMZ subnet to the VPN client subnet, probably.

Here's the config:

You are missing NAT exemption from your DMZ to the remote networks. ADD the following...

access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Appleton 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Racine 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 CCNHEIL 255.255.255.0
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl

You can REMOVE the following statements from your inside NAT exemption:

access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Appleton 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Racine 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 CCNHEIL 255.255.255.0

Please rate if it helps.
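As an added example (not from the thread or from Cisco), a small Python checker that reads PIX-style `name`, `access-list` and `nat (iface) 0 access-list` lines and reports which remote subnets still lack a NAT exemption for DMZ-sourced traffic; the constructed sample reproduces the thread's mistake of placing the CCNDMZ entries under `nat (inside) 0`. The subnets behind the names are made-up placeholders, and `parse`/`missing_exemptions` are hypothetical helpers.

```python
import ipaddress
import re

# Constructed sample config (not the poster's) reproducing the thread's mistake:
# the CCNDMZ exemptions hang off nat (inside) 0, so DMZ-sourced traffic to the
# remote sites is still translated.  All addresses are made-up placeholders.
SAMPLE_CONFIG = """
name 10.1.0.0 inside_net
name 10.10.10.0 CCNDMZ
name 192.168.1.0 Madison
name 192.168.2.0 Appleton
access-list inside_outbound_nat0_acl permit ip inside_net 255.255.0.0 Madison 255.255.255.0
access-list inside_outbound_nat0_acl permit ip inside_net 255.255.0.0 Appleton 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Appleton 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
"""
FIX = """
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Appleton 255.255.255.0
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl
"""
NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def parse(config):
    """Return ({acl: [(src_net, dst_net)]}, {interface: acl bound by nat 0})."""
    names, acls, nat0 = {}, {}, {}
    for line in config.splitlines():
        if m := NAME_RE.match(line):          # name <ip> <label>
            names[m[2]] = m[1]
        elif m := ACE_RE.match(line):         # labels resolve via `name`
            src = ipaddress.ip_network(f"{names.get(m[2], m[2])}/{m[3]}")
            dst = ipaddress.ip_network(f"{names.get(m[4], m[4])}/{m[5]}")
            acls.setdefault(m[1], []).append((src, dst))
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]
    return acls, nat0

def missing_exemptions(config, iface, local_net, remote_nets):
    """Remote subnets lacking a nat 0 exemption on `iface` for traffic from
    `local_net`.  Only the ACL bound by nat (iface) 0 counts: an exemption on
    another interface (here, inside) never applies to DMZ-sourced packets."""
    acls, nat0 = parse(config)
    local = ipaddress.ip_network(local_net)
    entries = acls.get(nat0.get(iface), [])
    return [r for r in remote_nets if not any(
        local.subnet_of(s) and ipaddress.ip_network(r).subnet_of(d) for s, d in entries)]
```

Running `missing_exemptions(SAMPLE_CONFIG, "DMZ", "10.10.10.0/24", [...])` lists every remote site, because no ACL is bound to `nat (DMZ) 0`; appending `FIX` empties the list.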
