10-13-2005 12:55 PM - edited 02-21-2020 02:02 PM
Hello
I have a problem like this:
I have two localizations:
A - central with PIX:
IP LAN-A= 12.0.0.0/8
WAN IP Internet=11.0.0.2/8
DMZ=13.0.0.0/8 -server IP=13.0.0.2/8
B- Remote router 2600:
Localization B
IP LAN-B=10.0.0.0/8
IP WAN=11.0.0.1/8
The VPN is working correctly. A host from network 10.0.0.0/8 (behind the router) can ping, through the VPN, a host in the inside zone (12.0.0.0/8) behind the PIX.
In the DMZ I have a server 13.0.0.2, and I want hosts (like 10.0.0.0/8) to get access to this server in the DMZ via the VPN, but I can't.
show run:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxx
passwd xxxx
hostname PIX
access-list VPN permit ip 12.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list ICMP permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 11.0.0.2 255.0.0.0
ip address inside 12.0.0.1 255.0.0.0
ip address dmz 13.0.0.1 255.0.0.0
global (outside) 1 interface
global (inside) 22 12.0.0.15-12.0.0.30 netmask 255.0.0.0
global (dmz) 1 13.0.0.10-13.0.0.20 netmask 255.0.0.0
nat (inside) 0 access-list VPN
nat (inside) 1 12.0.0.0 255.0.0.0 0 0
nat (dmz) 2 13.0.0.0 255.0.0.0 0 0
static (dmz,inside) 12.0.0.10 13.0.0.2 netmask 255.255.255.255 0 0
access-group ICMP in interface dmz
route outside 0.0.0.0 0.0.0.0 11.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set SET ah-md5-hmac esp-des
crypto ipsec transform-set SZYFROWANIE ah-md5-hmac esp-des
crypto map MAPA 100 ipsec-isakmp
crypto map MAPA 100 match address VPN
crypto map MAPA 100 set peer 11.0.0.1
crypto map MAPA 100 set transform-set SET
crypto map MAPA interface outside
isakmp enable outside
isakmp key ******** address 11.0.0.1 netmask 255.255.255.255
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 10000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Please correct it.
THX Laptom
10-13-2005 05:15 PM
apply the acl below on the central pix:
access-list VPN permit ip 13.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list DMZ_NO_NAT permit ip 13.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (dmz) 0 access-list DMZ_NO_NAT
for the other pix:
access-list VPN permit ip 10.0.0.0 255.0.0.0 13.0.0.0 255.0.0.0
10-13-2005 11:27 PM
Why must we put access-list VPN permit ip 10.0.0.0 255.0.0.0 13.0.0.0 255.0.0.0? We want to connect to 12.0.0.10, not to IP addresses from the 13.0.0.0 network (12.0.0.10 is visible thanks to static (dmz,inside) 12.0.0.10 13.0.0.2 netmask 255.255.255.255 0 0).
Dominik
10-14-2005 04:37 AM
original post "In DMZ I have a server 13.0.0.2 and I want hosts(like 10.0.0.0/8) by vpn get access to this server in DMZ, but i cant."
If I interpret correctly, you would like to allow a host from 10.0.0.0/8, which is the remote LAN, to have access to the central site DMZ, which is 13.0.0.0/8.
The ACL I posted is for you to add on top of what you already have, not to replace it.
10-14-2005 07:42 AM
You need to add an access list on the PIX:
access-list VPN permit ip 13.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
and the same thing needs to be done on the router as well.
10-14-2005 09:39 AM
I want hosts from 10.0.0.0/8 to have access to the DMZ, but not directly on 13.0.0.2.
Thanks to:
static (dmz,inside) 12.0.0.10 13.0.0.2 netmask 255.255.255.255 0 0
IP 13.0.0.2 is visible on the inside as IP 12.0.0.10,
so hosts from 12.0.0.0 can access 13.0.0.2 by accessing 12.0.0.10.
I'm still unable to access 13.0.0.2 from the VPN under 12.0.0.10.
10-20-2005 02:20 AM
I think the command below is not necessary:
static (dmz,inside) 12.0.0.10 13.0.0.2 netmask 255.255.255.255 0 0
You should put the server in the DMZ onto the VPN via
static (dmz,outside) 13.0.0.2 13.0.0.2
You should add an ACL which gives access to this host only to networks from the remote-site LANs that connect to this host via the VPN. In this example it will be the 10.0.0.0 network. All other traffic will be blocked.
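Added example, not from any poster in this thread: a small Python model of the checks the replies above describe, run over the config lines quoted in the thread. It reduces the PIX to three tests (crypto ACLs mirrored on both ends, a static whose mapped interface is outside, or a nat 0 exemption) and assumes the remote 2600's crypto selector written in PIX netmask syntax rather than IOS wildcard syntax; both the ACL + nat 0 reply and the static (dmz,outside) reply come out as reaching 13.0.0.2, while 12.0.0.10 never does.

```python
import ipaddress

def parse_acl(lines, name):
    """(src, dst) networks from PIX 6.3 'access-list NAME permit ip SRC MASK DST MASK' lines."""
    net = lambda a, m: ipaddress.ip_network(f"{a}/{m}")
    return [(net(p[4], p[5]), net(p[6], p[7])) for p in map(str.split, lines)
            if len(p) == 8 and p[:4] == ["access-list", name, "permit", "ip"]]

def parse_statics(lines):
    """(real_if, mapped_if, mapped_ip, real_ip) from 'static (real,mapped) MAPPED REAL ...' lines."""
    out = []
    for p in map(str.split, lines):
        if p and p[0] == "static":
            real_if, mapped_if = p[1].strip("()").split(",")
            out.append((real_if, mapped_if, ipaddress.ip_address(p[2]), ipaddress.ip_address(p[3])))
    return out

def covered(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)

def mirrored(pix_acl, peer_acl):
    """IKE phase 2 proxy identities only agree when the two crypto ACLs are exact mirrors."""
    return {(s, d) for s, d in pix_acl} == {(d, s) for s, d in peer_acl}

def tunnel_destination(pix_acl, peer_acl, statics, nat0, src, dst):
    """Real target of a remote-LAN packet src->dst on the central PIX, or None if it is dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # must be interesting traffic on the router AND on the PIX (PIX ACL is written central->remote)
    if not (covered(peer_acl, src, dst) and covered(pix_acl, dst, src)):
        return None
    # decrypted packets enter on outside, so only a static mapped on outside applies (not static (dmz,inside))
    for _real_if, mapped_if, mapped_ip, real_ip in statics:
        if mapped_if == "outside" and dst == mapped_ip:
            return str(real_ip)
    # otherwise the real address must be NAT-exempt (nat 0) to accept connections from outside
    return str(dst) if covered(nat0, dst, src) else None

# Constructed from the thread. The remote 2600's selector is written in PIX netmask syntax
# (a real IOS ACL uses wildcard masks) so that one parser serves both tunnel ends.
ORIGINAL = ["access-list VPN permit ip 12.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
            "static (dmz,inside) 12.0.0.10 13.0.0.2 netmask 255.255.255.255 0 0"]
PEER = ["access-list VPN permit ip 10.0.0.0 255.0.0.0 12.0.0.0 255.0.0.0"]
FIXED = ORIGINAL + ["access-list VPN permit ip 13.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
                    "access-list DMZ_NO_NAT permit ip 13.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0"]
PEER_FIXED = PEER + ["access-list VPN permit ip 10.0.0.0 255.0.0.0 13.0.0.0 255.0.0.0"]

def check(pix_lines, peer_lines, src, dst):
    pix, peer = parse_acl(pix_lines, "VPN"), parse_acl(peer_lines, "VPN")
    nat0 = pix + parse_acl(pix_lines, "DMZ_NO_NAT")  # nat (inside) 0 uses VPN, nat (dmz) 0 uses DMZ_NO_NAT
    return mirrored(pix, peer), tunnel_destination(pix, peer, parse_statics(pix_lines), nat0, src, dst)
```

check() returns (crypto ACLs mirrored?, real address reached) for a remote host talking to a central address; with the original lines 13.0.0.2 is never interesting traffic and 12.0.0.10 is delivered untranslated to the inside, where no host owns it.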