Cisco Support Community

New Member

Pix Client to Site VPN with access to NATed DMZ.

We have a Pix 515 with a DMZ.

Client to site VPN.

Internal NAT is 10.20.x.x 255.255.192.0

DMZ NAT is 10.19.1.x 255.255.255.0

Users can connect to the VPN and get to the resources on the inside of the network. They cannot get to resources in the DMZ via the internal IP addresses.

Added a split tunnel group with both networks in the group, but the VPN clients cannot get to resources in the DMZ. How do we get the client-to-site VPN users access to the internal network and the DMZ network?

2 REPLIES
Silver

Re: Pix Client to Site VPN with access to NATed DMZ.

I assume that, for the inside network to be accessed via VPN, you have a nat (inside) 0 your_criteria in your config, such that NAT is disabled for inside hosts sending packets back to the clients. Do you have something similar for the DMZ?

HTH

-mike

New Member

Re: Pix Client to Site VPN with access to NATed DMZ.

The access list is

access-list inside_outbound_nat0_acl extended permit ip object-group VPN-NETWORK-GROUP 10.19.20.0 255.255.255.0

The VPN-NETWORK-GROUP is

object-group network VPN-NETWORK-GROUP
 network-object 10.19.1.0 255.255.192.0
 network-object 10.20.1.0 255.255.255.0

Through the client-to-site VPN they can get to everything in the 10.19.1.0 network.

They cannot get to anything in the 10.20.1.0 (DMZ) network.
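
Added example, not part of the thread or either poster's configuration: a small Python check of the point raised in the first reply, that a nat 0 exemption is bound per interface, so each interface behind the PIX needs its own rule toward the VPN clients. The nat (inside) 0 line, the interface names inside and dmz, and the reading of 10.19.20.0 as the client pool are assumptions; the parser handles only the object-group and address/mask forms shown in the thread.

```python
import ipaddress
import re

# Constructed sample: object-group and ACL as posted in the thread; the
# "nat (inside) 0" binding and the interface names are assumptions.
SAMPLE_CONFIG = """\
object-group network VPN-NETWORK-GROUP
 network-object 10.19.1.0 255.255.192.0
 network-object 10.20.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip object-group VPN-NETWORK-GROUP 10.19.20.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect object-groups, permit-ip ACL entries and nat 0 bindings."""
    groups, acls, binds, current = {}, {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif (m := re.match(r"network-object (\S+) (\S+)", line)) and current is not None:
            current.append(net(*m.groups()))
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2).split())
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            binds.setdefault(m.group(1), []).append(m.group(2))
    return groups, acls, binds

def take(tokens, groups):
    """Consume one address spec (object-group NAME, or ADDR MASK)."""
    if tokens[0] == "object-group":
        return groups.get(tokens[1], []), tokens[2:]
    return [net(tokens[0], tokens[1])], tokens[2:]

def missing_exemptions(config, iface_nets, pool):
    """Interfaces whose network has no nat 0 rule toward the VPN pool."""
    groups, acls, binds = parse(config)
    missing = []
    for iface, local in iface_nets.items():
        entries = [e for acl in binds.get(iface, []) for e in acls.get(acl, [])]
        for tokens in entries:
            srcs, rest = take(tokens, groups)
            dsts, _ = take(rest, groups)
            if any(local.subnet_of(s) for s in srcs) and any(pool.subnet_of(d) for d in dsts):
                break  # this interface has a matching exemption
        else:
            missing.append(iface)
    return missing

# Interface-to-network mapping assumed from the thread's second post.
IFACES = {"inside": net("10.19.1.0", "255.255.192.0"), "dmz": net("10.20.1.0", "255.255.255.0")}
POOL = net("10.19.20.0", "255.255.255.0")  # ACL destination, assumed to be the VPN pool
print(missing_exemptions(SAMPLE_CONFIG, IFACES, POOL))
```

Listing a network as a source in the ACL does not exempt it on its own; the check passes for an interface only when a nat 0 statement on that interface references an ACL covering its network.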
