Cisco Support Community
New Member

Client Vpn access to DMZ hosts

I am having an issue where my clients who establish a VPN connection with a PIX 515 cannot access the hosts on the DMZ. The VPN clients can access the hosts on the inside network without any problem. I have discovered that when I do a traceroute from a client machine that has established a VPN connection to a host on the DMZ, it tries to go through the computer's default gateway instead of the Cisco client. Any ideas?

More Information:

When a client connects to the PIX via VPN it is handed the internal DNS servers, and on the internal DNS server we have a host entry that says "www.whatever.com" 2.2.2.2 (this is the DMZ host). The clients on the inside of the network can access this host without problems; it is just the clients that establish a VPN connection. But the VPN clients can access "www.whatever.com" by using its public IP address. The problem is, if we remove the host entry on the DNS server so that the name "www.whatever.com" resolves to the public IP, the inside clients will not be able to access the DMZ host. Names and IP numbers are not the real ones; I am just using those as an example.

Any help would be appreciated. Thanks.

Accepted Solution
Cisco Employee

Re: Client Vpn access to DMZ hosts

You'll currently have something like this in your config:

access-list nonat permit ip

nat (inside) 0 access-list nonat

This tells the PIX not to NAT any traffic coming from the inside interface that is to go to a VPN client. You need the same thing but for the DMZ interface, so add the following:

access-list nonat permit ip

nat (dmz) 0 access-list nonat

That should get you going.

New Member

Re: Client Vpn access to DMZ hosts

I just did what you said.

I have the same ACL for Inside and DMZ.

If I use PDM on the PIX, it says it can't parse my config because of the same ACL being used in these two nat 0 statements.

So I must create two different ACLs, one for each interface.

Cisco Employee

Re: Client Vpn access to DMZ hosts

OK, so change it to be a different ACL with the following:

access-list nonatdmz permit ip

nat (dmz) 0 access-list nonatdmz

and PDM should be happy.
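
As an added illustration that is not part of the thread or of any Cisco tool: a small Python audit that reads PIX `access-list ... permit ip` and `nat (iface) 0 access-list` lines and flags the two conditions the replies describe, an interface with no NAT exemption toward the VPN client pool (the original poster's DMZ) and one exemption ACL bound to more than one interface (the PDM parse error). The addresses, pool, ACL names and interface names in the sample fragments are constructed.

```python
import re
from collections import defaultdict

# Constructed PIX 6.x fragments (addresses, pool and ACL names are made up).
# BASE exempts inside->VPN-pool traffic from NAT but has no DMZ exemption;
# SHARED_ACL reuses the inside ACL for the DMZ (what PDM refuses to parse);
# FIXED uses one ACL per interface, as the last reply recommends.
VPN_POOL, VPN_MASK = "192.168.100.0", "255.255.255.0"
BASE = ("access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0\n"
        "nat (inside) 0 access-list nonat\n")
SHARED_ACL = BASE + "nat (dmz) 0 access-list nonat\n"
FIXED = BASE + ("access-list nonatdmz permit ip 172.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0\n"
                "nat (dmz) 0 access-list nonatdmz\n")

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def audit_nat_exemption(config, vpn_pool=VPN_POOL, vpn_mask=VPN_MASK, ifaces=("inside", "dmz")):
    """Return findings; empty means each interface has its own nat 0 ACL covering the pool."""
    acl_entries = defaultdict(list)  # ACL name -> [(src, smask, dst, dmask), ...]
    nat0 = {}                        # interface -> ACL bound by 'nat (iface) 0'
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acl_entries[m.group(1)].append(m.groups()[1:])
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
    findings = []
    for iface in ifaces:
        acl = nat0.get(iface)
        if acl is None:  # the original poster's situation: DMZ replies to VPN clients still get NATed
            findings.append(f"{iface}: no 'nat ({iface}) 0 access-list' exemption to VPN clients")
        elif not any(d == vpn_pool and dm == vpn_mask for _, _, d, dm in acl_entries[acl]):
            findings.append(f"{iface}: ACL {acl} has no entry with destination {vpn_pool} {vpn_mask}")
    bound = defaultdict(list)  # ACL name -> interfaces whose nat 0 references it
    for iface, acl in nat0.items():
        bound[acl].append(iface)
    for acl, used_on in bound.items():
        if len(used_on) > 1:  # PDM rejects one exemption ACL shared by two interfaces
            findings.append(f"ACL {acl} bound to nat 0 on {', '.join(sorted(used_on))}: use one ACL per interface")
    return findings
```

Running the audit over the three fragments reports the missing DMZ exemption for BASE, the shared ACL for SHARED_ACL, and nothing for FIXED.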

New Member

Re: Client Vpn access to DMZ hosts

Thank you. I added the and the nat and all is working.
