Cisco Support Community
Community Member

PIX 515E Remote VPNs Cannot Access DMZ

I have a 3-interface PIX 515E at our core site (inside, outside, DMZ). We have 4 remote sites that connect to our main office via VPN tunnels terminating on the PIX. Currently the remote sites cannot access the DMZ. The tunnels are functioning perfectly in all aspects except for DMZ access. Any ideas?

1 ACCEPTED SOLUTION
Green

Re: PIX 515E Remote VPNs Cannot Access DMZ

You are missing NAT exemption from your DMZ to the remote networks. ADD the following...

access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Appleton 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Racine 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 CCNHEIL 255.255.255.0
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl

You can REMOVE the following statements from your inside NAT exemption.

access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Appleton 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Racine 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 CCNHEIL 255.255.255.0

Please rate if it helps.
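Added example (not part of the thread and not Cisco code): a small Python checker that reads a PIX 6.x-style config and reports every crypto-map protected subnet that has no nat 0 exemption on the interface it actually sits on, which is the fault the accepted answer diagnoses. It also lists nat 0 entries bound to the wrong interface (the "you can remove" lines) and generates the fix in the same shape as the answer. The sample config is constructed: its addresses are assumptions and only the network names mirror the thread; the parser handles only the syntax subset named in its docstring (named networks with netmasks, no host/any keywords). One caveat the answer does not spell out: nat 0 only stops translation, it does not permit traffic. If sysopt connection permit-ipsec is not configured on the PIX, the outside interface ACL must also permit the remote subnets to reach the DMZ.

```python
"""Flag VPN-protected subnets that have no NAT exemption on their own interface.

Added example, not code from the thread or from Cisco. Handles an assumed subset
of PIX 6.x syntax: 'name', 'ip address', 'access-list ... permit ip' with
netmasks (no host/any), 'nat (iface) 0 access-list', 'crypto map ... match address'.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: addresses are assumed, network names mirror the thread.
# The inside nat 0 ACL carries a CCNDMZ entry, which never matches DMZ traffic.
SAMPLE_CONFIG = """\
name 192.168.10.0 Madison
name 192.168.20.0 Appleton
name 172.16.5.0 CCNDMZ
name 10.1.0.0 CCNInside
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
ip address DMZ 172.16.5.1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNInside 255.255.255.0 Madison 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNInside 255.255.255.0 Appleton 255.255.255.0
access-list inside_outbound_nat0_acl permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list outside_cryptomap_20 permit ip CCNInside 255.255.255.0 Madison 255.255.255.0
access-list outside_cryptomap_20 permit ip CCNDMZ 255.255.255.0 Madison 255.255.255.0
access-list outside_cryptomap_40 permit ip CCNInside 255.255.255.0 Appleton 255.255.255.0
access-list outside_cryptomap_40 permit ip CCNDMZ 255.255.255.0 Appleton 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 40 match address outside_cryptomap_40
"""

def _net(ip, mask):
    return ipaddress.IPv4Network((ip, mask), strict=False)

def parse_config(text):
    names, ifaces, acls, nat0, crypto = {}, {}, defaultdict(list), {}, []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                                   # name <ip> <label>
            names[t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:                     # ip address <iface> <ip> <mask>
            ifaces[t[2]] = _net(t[3], t[4])
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls[t[1]].append((_net(names.get(t[4], t[4]), t[5]),
                               _net(names.get(t[6], t[6]), t[7])))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]                    # iface -> exemption ACL
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto.append(t[6])                              # interesting-traffic ACLs
    return {"ifaces": ifaces, "acls": dict(acls), "nat0": nat0, "crypto": crypto}

def _iface_for(net, ifaces):
    """Interface whose connected subnet contains net, or None if not local."""
    return next((n for n, s in ifaces.items() if net.subnet_of(s)), None)

def _exempted(cfg, iface, src, dst):
    entries = cfg["acls"].get(cfg["nat0"].get(iface), [])
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def missing_nat_exemptions(cfg):
    """(iface, src, dst) for crypto-map pairs with no nat 0 entry on the local
    subnet's own interface: that traffic is NATed before it can match the tunnel."""
    found = set()
    for acl in cfg["crypto"]:
        for src, dst in cfg["acls"].get(acl, []):
            iface = _iface_for(src, cfg["ifaces"])
            if iface and not _exempted(cfg, iface, src, dst):
                found.add((iface, str(src), str(dst)))
    return sorted(found)

def stray_exemptions(cfg):
    """nat 0 entries whose source is not on the bound interface; they never
    match anything, which is why the answer says they can be removed."""
    found = set()
    for iface, acl in cfg["nat0"].items():
        for src, dst in cfg["acls"].get(acl, []):
            if _iface_for(src, cfg["ifaces"]) != iface:
                found.add((iface, str(src), str(dst)))
    return sorted(found)

def exemption_fix(cfg):
    """Config lines that close every finding: one nat 0 ACL per interface."""
    lines, by_iface = [], defaultdict(list)
    for iface, src, dst in missing_nat_exemptions(cfg):
        by_iface[iface].append((ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst)))
    for iface, pairs in by_iface.items():
        acl = cfg["nat0"].get(iface, f"{iface}_outbound_nat0_acl")
        for s, d in pairs:
            lines.append(f"access-list {acl} permit ip {s.network_address} "
                         f"{s.netmask} {d.network_address} {d.netmask}")
        if iface not in cfg["nat0"]:
            lines.append(f"nat ({iface}) 0 access-list {acl}")
    return lines

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("missing:", missing_nat_exemptions(cfg))
    print("stray:", stray_exemptions(cfg))
    fix = exemption_fix(cfg)
    print("\n".join(fix))
    print("after fix:", missing_nat_exemptions(parse_config(SAMPLE_CONFIG + "\n".join(fix))))
```

Run as a script it reports the two DMZ pairs with no exemption, the one CCNDMZ entry stranded in the inside nat 0 ACL, and the lines to add; re-parsing the config with those lines appended yields no findings. The generated lines are the accepted answer's fix with IP addresses in place of the name labels.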

3 REPLIES
Green

Re: PIX 515E Remote VPNs Cannot Access DMZ

Without the config, I can only guess... NAT exemption from the DMZ subnet to the VPN client subnet, probably.

Community Member

Re: PIX 515E Remote VPNs Cannot Access DMZ

Here's the config:

