VPN's, routers and DMZ - Oh My - HELP !!!

michael.steiner
Level 1

We have several remote offices that connect back to corporate via VPN tunnel, using a 3002 hardware client at the remote sites that connects up to a 3005. The IP space at the remote offices is 10.6.x.x. The IP space at corporate is 10.5.4.x. Users at remote sites can get to everything here and at other remote sites.

We installed a DMZ here at corporate in the 192.168.1.x space and placed web servers, etc. in it. Here at corp. we can get to the DMZ devices from our workstations, however the remote sites cannot. Also, if I come in from home via the software VPN client I cannot get to the DMZ devices.

I am hoping that this is something that can be fixed?

Can anyone help a poor Windows 2000 admin pretending to be a Cisco admin :)

Thanks

1 Reply

lgijssel
Level 9

Somewhere in all your PIX-configs there is an access-list that defines the traffic for the VPN tunnel. This traffic is to be exempted from NAT.

You have to add the 192.168.1.x range to this list. Depending on the way your systems are set up, there could even be two access-lists: one to define the traffic destined for the Internet, which is to be NATed (this list should EXclude the range that you use for remote offices), and another one which defines the traffic for the VPN (this list should INclude the range that you use for remote offices). What you should do is find these lists and change them.

I really wish you a merry Christmas, preferably not in config-mode!?
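To make the reply concrete, here is an added PIX 6.x-style configuration sketch following the reply's assumption that the corporate end is a PIX. It is not from the original thread; the interface names, access-list names, crypto map name, VPN group name and the remote-access client pool (10.5.99.0/24) are all assumed, and the `!` lines are explanatory comments rather than device output.

```cisco
! Assumed layout (not from the thread): inside = 10.5.4.0/24,
! dmz = 192.168.1.0/24, remote offices = 10.6.0.0/16 across the tunnel,
! software VPN client pool = 10.5.99.0/24 (assumed value).

! 1) NAT exemption list: traffic to the tunnel must NOT be translated.
!    Before the fix this list only covered the inside LAN, so DMZ hosts'
!    replies to remote sites were NATed and never matched the tunnel:
!      access-list nonat permit ip 10.5.4.0 255.255.255.0 10.6.0.0 255.255.0.0
!    After the fix the DMZ range is INcluded, for both destinations:
access-list nonat permit ip 10.5.4.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list nonat permit ip 10.5.4.0 255.255.255.0 10.5.99.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.5.99.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat

! 2) Crypto ACL ("interesting traffic" for the site-to-site tunnel).
!    It must mirror the exemption list, including the DMZ range.
access-list vpn-remote permit ip 10.5.4.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list vpn-remote permit ip 192.168.1.0 255.255.255.0 10.6.0.0 255.255.0.0
crypto map corpmap 10 match address vpn-remote

! 3) Internet-bound traffic is still translated by the ordinary nat/global
!    pair; nat 0 (exemption) takes precedence for flows that match it, so
!    the exemption list is what EXcludes the remote-office ranges from NAT.
nat (inside) 1 10.5.4.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! 4) Software VPN clients coming in from home: if split tunnelling is used,
!    the split-tunnel list also needs the DMZ subnet, otherwise the client
!    never sends 192.168.1.x traffic into the tunnel in the first place.
access-list split-tunnel permit ip 10.5.4.0 255.255.255.0 any
access-list split-tunnel permit ip 192.168.1.0 255.255.255.0 any
vpngroup corp-users split-tunnel split-tunnel

! Check: while a remote site pings a DMZ host, "show access-list nonat"
! should show the hit count on the 192.168.1.0 lines increasing.
```

The same three places (NAT exemption, tunnel definition, split-tunnel list) need the DMZ range on whichever device actually terminates the tunnel; if that is the 3005 concentrator rather than a PIX, the equivalent is its network lists, and the same "exempt from NAT, include in the tunnel" rule applies.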