Access through VPN to DMZ servers

CSCO10685980
Level 1

Hello

I have a problem like this:

I have two locations.

A - central with PIX:

IP LAN-A = 12.0.0.0/8

WAN IP Internet = 11.0.0.2/8

DMZ = 13.0.0.0/8 - server IP = 13.0.0.2/8

B - remote router 2600:

Location B

IP LAN-B = 10.0.0.0/8

IP WAN = 11.0.0.1/8

The VPN is working correctly. A host from network 10.0.0.0/8 (behind the router) can ping through the VPN a host in the inside zone (12.0.0.0/8) behind the PIX.

In the DMZ I have a server 13.0.0.2 and I want hosts (like 10.0.0.0/8) to get access to this server in the DMZ via the VPN, but I can't.

show run:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password xxxxx

passwd xxxx

hostname PIX

access-list VPN permit ip 12.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

access-list ICMP permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 11.0.0.2 255.0.0.0

ip address inside 12.0.0.1 255.0.0.0

ip address dmz 13.0.0.1 255.0.0.0

global (outside) 1 interface

global (inside) 22 12.0.0.15-12.0.0.30 netmask 255.0.0.0

global (dmz) 1 13.0.0.10-13.0.0.20 netmask 255.0.0.0

nat (inside) 0 access-list VPN

nat (inside) 1 12.0.0.0 255.0.0.0 0 0

nat (dmz) 2 13.0.0.0 255.0.0.0 0 0

static (dmz,inside) 12.0.0.10 13.0.0.2 netmask 255.255.255.255 0 0

access-group ICMP in interface dmz

route outside 0.0.0.0 0.0.0.0 11.0.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set SET ah-md5-hmac esp-des

crypto ipsec transform-set SZYFROWANIE ah-md5-hmac esp-des

crypto map MAPA 100 ipsec-isakmp

crypto map MAPA 100 match address VPN

crypto map MAPA 100 set peer 11.0.0.1

crypto map MAPA 100 set transform-set SET

crypto map MAPA interface outside

isakmp enable outside

isakmp key ******** address 11.0.0.1 netmask 255.255.255.255

isakmp policy 100 authentication pre-share

isakmp policy 100 encryption des

isakmp policy 100 hash md5

isakmp policy 100 group 2

isakmp policy 100 lifetime 10000

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Please correct it.

THX Laptom

6 Replies

jackko
Level 7

apply the acl below on the central pix:

access-list VPN permit ip 13.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

access-list DMZ_NO_NAT permit ip 13.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

nat (dmz) 0 access-list DMZ_NO_NAT

for the other pix:

access-list VPN permit ip 10.0.0.0 255.0.0.0 13.0.0.0 255.0.0.0


Why must we put access-list VPN permit ip 10.0.0.0 255.0.0.0 13.0.0.0 255.0.0.0? We want to connect to 12.0.0.10, not to IP addresses from the 13.0.0.0 network (12.0.0.10 is visible thanks to static (dmz,inside) 12.0.0.10 13.0.0.2 netmask 255.255.255.255 0 0).

Dominik

original post "In DMZ I have a server 13.0.0.2 and I want hosts(like 10.0.0.0/8) by vpn get access to this server in DMZ, but i cant."

if i interpret correctly, you would like to allow a host from 10.0.0.0/8, which is the remote lan, to have access to the central site dmz, which is 13.0.0.0/8.

the acl i posted is for you to add on top of what you already have, not to replace it.
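To see why the original config fails for the DMZ host and why the added lines fix it, here is a worked example I wrote for this thread (not code from the poster, jackko, or Cisco): a small Python model of the two PIX checks those lines address, the crypto map ACL match and the nat 0 exemption on the server's own interface. It deliberately ignores everything else the PIX does (interface ACLs, statics, global pools) and takes only the config lines quoted in the thread as input.

```python
import ipaddress

# Constructed from the thread: the relevant 'show run' lines (ORIGINAL) and
# the lines jackko says to add on top of them (FIXED).
ORIGINAL = """\
access-list VPN permit ip 12.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list VPN
nat (inside) 1 12.0.0.0 255.0.0.0 0 0
nat (dmz) 2 13.0.0.0 255.0.0.0 0 0
"""
FIXED = ORIGINAL + """\
access-list VPN permit ip 13.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list DMZ_NO_NAT permit ip 13.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (dmz) 0 access-list DMZ_NO_NAT
"""

def parse_acl(config, name):
    """(src_net, dst_net) pairs from 'access-list NAME permit ip S SM D DM' lines."""
    rules = []
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 8 and p[:4] == ["access-list", name, "permit", "ip"]:
            rules.append((ipaddress.ip_network(f"{p[4]}/{p[5]}"),
                          ipaddress.ip_network(f"{p[6]}/{p[7]}")))
    return rules

def nat_exempt_acl(config, interface):
    """ACL name bound by 'nat (INTERFACE) 0 access-list NAME', or None."""
    for line in config.splitlines():
        p = line.split()
        if p[:4] == ["nat", f"({interface})", "0", "access-list"]:
            return p[4]
    return None

def matches(rules, src, dst):
    return any(src in s and dst in d for s, d in rules)

def vpn_reachable(config, remote_host, local_host, local_if):
    """True if remote_host -> local_host rides the tunnel and the reply does too.
    Check 1: the flow, written local -> remote as the PIX crypto ACL is, must
    match crypto map ACL 'VPN', otherwise the PIX never encrypts it.
    Check 2: local_if needs a nat 0 exemption covering the reply; otherwise the
    reply is translated and no longer matches the crypto ACL."""
    remote = ipaddress.ip_address(remote_host)
    local = ipaddress.ip_address(local_host)
    interesting = matches(parse_acl(config, "VPN"), local, remote)
    exempt_name = nat_exempt_acl(config, local_if)
    exempt = bool(exempt_name) and matches(parse_acl(config, exempt_name), local, remote)
    return interesting and exempt

if __name__ == "__main__":
    print(vpn_reachable(ORIGINAL, "10.0.0.5", "12.0.0.20", "inside"))  # True
    print(vpn_reachable(ORIGINAL, "10.0.0.5", "13.0.0.2", "dmz"))      # False
    print(vpn_reachable(FIXED, "10.0.0.5", "13.0.0.2", "dmz"))         # True
```

The inside host passes both checks with the original config, which is why the poster's ping to 12.0.0.0/8 works; the DMZ host only passes once both the crypto ACL entry and the DMZ nat 0 exemption are present.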

arunsing
Level 1

You need to add an access list on the PIX:

access-list VPN permit ip 13.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

and the same thing needs to be done on the router as well.

CSCO10685980
Level 1

I want hosts from 10.0.0.0/8 to have access to the DMZ, but not directly on 13.0.0.2.

Thanks to:

static (dmz,inside) 12.0.0.10 13.0.0.2 netmask 255.255.255.255 0 0

IP 13.0.0.2 is visible on the inside as IP 12.0.0.10,

so hosts from 12.0.0.0 can access 13.0.0.2 by accessing 12.0.0.10.

I'm still unable to access 13.0.0.2 from the VPN under 12.0.0.10.

I think the command below is not necessary:

static (dmz,inside) 12.0.0.10 13.0.0.2 netmask 255.255.255.255 0 0

You should expose the server in the DMZ to the VPN via

static (dmz,outside) 13.0.0.2 13.0.0.2

You should add an ACL that gives access to this host only to networks from the remote-site LANs that connect to this host via the VPN. In this example it will be the 10.0.0.0 network. All other traffic will be blocked.
