
New Member

PIX VPN L2TP access on DMZ / Outside

Hi there,

I have a PIX 515 with 3 interfaces: Inside (192.x.x.x and NAT), DMZ (official IP addresses) and Outside. I have configured L2TP/IPsec access for VPN clients. Everything works: the clients (Win2K and XP) can successfully establish a VPN connection with the firewall, and I can also reach any client on the inside zone. What doesn't work is the connection from a VPN client to a client in the DMZ or Outside (clients on the inside interface have perfect access to DMZ and Outside).

What's the Cisco philosophy behind L2TP/IPsec clients? Is there a possibility that VPN clients have internet access through the established secure tunnel (have I made a configuration mistake)? Or isn't this possible at all?

Thanks for your effort.

Hans

Cisco Employee

Re: PIX VPN L2TP access on DMZ / Outside

Not so sure of your configs, but if your VPN is working fine and you just can't reach clients on another subnet, that is, on a different PIX interface, it looks like a config issue. See sample on:

As for internet access through the secured tunnel, if you are terminating the IPsec on, say, the outside interface, the PIX would not redirect packets out the same interface it receives the packet on, so this would not work.
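
The "config issue" the reply points at is, in most cases of this kind, a NAT exemption that exists for the inside interface but was never added for the DMZ interface. The following PIX 6.x fragment is an added example, not configuration from this thread or from Cisco's sample; the interface names, the VPN pool and all addresses are constructed, and the existing L2TP/IPsec (vpdn, isakmp, crypto map) configuration is assumed to be in place and working as the poster describes. It covers only reaching DMZ hosts; the Outside case is the hairpin situation the reply says the PIX will not do.

```cisco
! Constructed addressing for this example:
!   inside  192.168.1.0/24      private, translated on the way out
!   dmz     203.0.113.0/24      public (official) addresses, no translation
!   vpnpool 192.168.10.1-50     addresses handed to L2TP/IPsec clients
ip local pool vpnpool 192.168.10.1-192.168.10.50

! Inside <-> VPN pool must bypass NAT. This is normally already present
! when inside hosts are reachable, as in the poster's setup.
access-list nonat_inside permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat_inside

! The frequently missing piece: the same exemption on the DMZ interface.
! Without it the PIX has no translation for DMZ -> pool replies and
! drops them, so inside works while the DMZ appears unreachable.
access-list nonat_dmz permit ip 203.0.113.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (dmz) 0 access-list nonat_dmz

! Decrypted client traffic arrives on the outside interface (lower
! security) and must be permitted towards the DMZ. Prefer an explicit
! entry in the outside access list, scoped to the pool and the DMZ hosts
! that clients actually need, over the blanket "sysopt" bypass.
access-list outside_in permit ip 192.168.10.0 255.255.255.0 203.0.113.0 255.255.255.0
access-group outside_in in interface outside
! Coarser alternative used on many PIX 6.x boxes of this era; it lets all
! IPsec-decrypted traffic skip interface access lists:
! sysopt connection permit-ipsec
```

After applying, `show xlate` and `debug icmp trace` during a ping from a VPN client to a DMZ host show whether the DMZ reply is being translated or dropped.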

New Member

Re: PIX VPN L2TP access on DMZ / Outside

Hi cjacinto

Thanks so much for your reply.

My L2TP VPN tunnel terminates on the outside interface. I can reach any host on the inside subnet, but I can't reach a host in the DMZ. Is this just a configuration problem? Or can I basically reach any host on any subnet connected to an interface of the PIX, except for the one where the VPN tunnel terminates?