Cisco Support Community
Community Member

How do you manage Access-list for VPN Client users?


I have a PIX515E that has 6 interfaces; in particular I would like to have one of the low-security interfaces assigned only to VPN client users (let's say DMZ5). The Inside interface is only for internal users. On DMZ5 I have a subnet that is different from the Inside subnet; when VPN client users log into the PIX from Outside, an IP is assigned from a pool for that DMZ5 subnet. My problem is that the VPN client doesn't seem to be able to access whatever users directly on DMZ5 can access. The VPN IPsec user is created from the VPN Wizard, which seems to work OK. What else do I need to add into the access-list to allow traffic coming from VPN clients from Outside? I really appreciate anyone's advice. Regards, DJ

Community Member

Re: How do you manage Access-list for VPN Client users?

First of all you will need the sysopt connection permit-ipsec command.

Then you need to make sure you have created a nonat access-list:


access-list nonat permit ip (DMZ5IP's) mask (VPN POOL) mask

nat (DMZ5) 0 access-list nonat

You should also create a split tunnel access-list with the same info.
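
The pieces this reply describes, written out as an added example in PIX 6.x syntax (this is not the poster's own configuration). Everything concrete is constructed: DMZ5 as 192.168.50.0/24 on ethernet5, a VPN pool 192.168.100.1-192.168.100.50 on its own subnet rather than carved out of DMZ5, and the group name VPNGRP; the ISAKMP and crypto map lines the VPN Wizard generates are left out.

```text
: Added example, not from the thread. Addresses, interface and group name are constructed.
nameif ethernet5 dmz5 security50
ip address dmz5 192.168.50.1 255.255.255.0

: Pool the VPN clients draw their addresses from (a separate subnet from dmz5)
ip local pool vpnpool 192.168.100.1-192.168.100.50

: Exempt dmz5 <-> VPN pool traffic from NAT (the "nonat" list the reply refers to)
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (dmz5) 0 access-list nonat

: Split tunnel: only traffic for dmz5 goes through the tunnel; same networks as nonat
access-list split permit ip 192.168.50.0 255.255.255.0 192.168.100.0 255.255.255.0
vpngroup VPNGRP address-pool vpnpool
vpngroup VPNGRP split-tunnel split
vpngroup VPNGRP password <placeholder-group-key>

: Let decrypted IPsec traffic bypass the interface access lists
sysopt connection permit-ipsec

: Hosts and routers on dmz5 that must answer the clients need a return route for
: 192.168.100.0/24 pointing at the PIX dmz5 address (192.168.50.1 here); the PIX
: itself only installs a /32 per connected client, as the "sh ip route" output shows.
```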

Community Member

Re: How do you manage Access-list for VPN Client users?

Appreciate your reply. I did exactly as you mentioned (sysopt connection permit-ipsec; otherwise I won't be able to connect to the PIX, access-list nonat ?? and nat (DMZ5) 0 access-list ??). I can get to any resources on the same subnet except for a program that relies on another router residing on the DMZ interface, and this program needs to talk to 15x.x.x.x via this router.

What is actually happening: 1) From the remote PC, connect to the PIX with the VPN client and run the program from the remote PC; this program then traverses the VPN IPsec tunnel (a routing table entry is added for 15x.x.x.x traffic, so the PIX knows where to divert 15x.x.x.x traffic) and needs to talk to the router on the DMZ (this router knows about 15x.x.x.x) to get to the 151x.x.x.x network based in the US. This means on the DMZ there is a router that is connected to the US to get other resources. Does it make sense? If not, please let me know.

2) What I can see from the PIX debug: the remote PC initiates traffic to 15x.x.x.x, it hits the PIX, and I don't get any reply from the router that knows about the 15x.x.x.x network. I don't have this problem when I am in the DMZ subnet; this program works OK. 3) I can ping the router from the VPN-connected remote PC.

Is there anything missing to get 15x.x.x.x traffic to pass through the tunnel to the other router and return back to the remote PC? Thanks, DJ

Community Member

Re: How do you manage Access-list for VPN Client users?

After you successfully establish a VPN connection to your PIX you will get on the PC:

IP: PC_IP_from_pool

Def Gate: PIXinterface_IP or PC_IP_from_pool

At PIX side:

After the command "sh ip route" you should see:

C PC_IP_from_pool/32 is directly connected, Virtual-Access#

Also PIX should know route to the destination net. That is all.

Draw a picture of your network for us to understand it better.

Community Member

Re: How do you manage Access-list for VPN Client users?

The default gateway IP address at the PC would be managed by the split tunnel config.

Also I found that the PIX is a firewall/VPN device, not a router. It doesn't do routing very well. This is my assumption; correct me if I am wrong. From the debug while trying to access resources on the DMZ via a VPN client session, I could see traffic coming in and hitting the PIX, but nothing comes back from the destination IP address (of course all the necessary routes are added to the PIX). I could get to the same destination from a PC on the DMZ without any issue.

If I try to access the Inside interface via the VPN client, I don't have any issue. DJ

Community Member

Re: How do you manage Access-list for VPN Client users?


I have exactly the same problem, and I can help with some information (not a solution).

1 - The DMZ5 security level is higher than outside (the source of your VPN client traffic), so your packets are dropped.

2 - NAT is only done from a high-security to a low-security zone.

So, if you use a nat/global rule for your inside -> DMZ5 traffic with the router (in my case another company), your VPN clients cannot use this feature because their source interface is less secure than DMZ5. I sniffed the DMZ and could detect a VPN client packet with no NAT applied during some tests.

I've tried with no NAT, but you will need a static (outside, dmz) for each destination (it's very hard in my case).

Last, I tried something that works in the lab, but I'm not sure if it is the best solution:

I changed the security level of the VPN clients. I moved the outside interface to the DMZ5 interface and put DMZ5 as outside... The result was:

DMZ5 at interface eth0 (outside) = security0

OUTSIDE at interface eth5 (perimeter5) = security10

I don't know yet if this can cause security issues.

If you get some new information or the desired solution, please send me a notice, because I have to give a solution in the next 5 days.
