
New Member

PIX VPN to both DMZ and INSIDE segments

I currently have a PIX515E/R and I have a DMZ card that I am about to install. What I would like to do is allow some users to VPN in via the Cisco client to the DMZ and other users to VPN into the DMZ segment using the Cisco Client as well.

It’s ok if the people on the inside interface can access the DMZ but I don’t want users who VPN into the DMZ segment to be able to reach the inside segment (unless we poke holes.)


1) Can this be done?

2) Do I need two external addresses or just one?

3) If only one IP then how does it know who is destined for which segment?

4) Are there any examples on how to do this or what is unique about the config over normal VPN configs?

Thanks for any assistance.


Re: PIX VPN to both DMZ and INSIDE segments

1. yes

2. one

3. by creating crypto acl for remote vpn access

4. assuming the reason to create 2 groups accessing the dmz is because of different access level. thus with the sample below, vpnclient_grp2 will only have access to 3 dmz servers; whereas vpnclient_grp1 will have access to the entire dmz. both vpnclient groups have no access to the inside.

another point needs to be noticed when designing/creating the vpn client pool. the scheme should never overlap with any scheme that has already been used such as the inside or dmz. e.g if the dmz scheme is then the vpnclient pool shouldn't be but any other private scheme.

access-list 110 permit ip

access-list 110 permit ip

access-list 120 permit ip

access-list 130 permit ip host

access-list 130 permit ip host

access-list 130 permit ip host

ip address dmz

ip local pool vpnpool_grp1

ip local pool vpnpool_grp2

nat (dmz) 0 access-list 110

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set vpnset

crypto map myvpn 10 ipsec-isakmp dynamic dynmap

crypto map myvpn client configuration address initiate

crypto map myvpn client configuration address respond

crypto map myvpn client authentication LOCAL

crypto map myvpn interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpnclient_grp1 address-pool vpnpool_grp1

vpngroup vpnclient_grp1 split-tunnel 120

vpngroup vpnclient_grp1 idle-time 1800

vpngroup vpnclient_grp1 password ********

vpngroup vpnclient_grp2 address-pool vpnpool_grp2

vpngroup vpnclient_grp2 split-tunnel 130

vpngroup vpnclient_grp2 idle-time 1800

vpngroup vpnclient_grp2 password ********
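
Added example, not part of the original reply: a Python check for the pool-overlap rule described above. It parses PIX 6.x `ip address` and `ip local pool` lines and reports any VPN client pool that intersects an interface subnet. Every address in the sample config is constructed, since the thread's own addresses are not shown, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in PIX 6.x syntax; every address here is an assumption.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpnpool_grp1 192.168.50.1-192.168.50.254
ip local pool vpnpool_grp2 172.16.1.200-172.16.1.220
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
IFACE_RE = re.compile(rf"^ip address (\S+) {IP} {IP}\s*$")
POOL_RE = re.compile(rf"^ip local pool (\S+) {IP}(?:-{IP})?\s*$")


def parse_config(text):
    """Return ({ifname: network}, {poolname: (first, last)}) from config text."""
    interfaces, pools = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = IFACE_RE.match(line)
        if m:
            name, addr, mask = m.groups()
            interfaces[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
            continue
        m = POOL_RE.match(line)
        if m:
            name, first, last = m.groups()
            first = ipaddress.ip_address(first)
            last = ipaddress.ip_address(last) if last else first  # single-address pool
            if last < first:
                raise ValueError(f"pool {name}: range end precedes start")
            pools[name] = (first, last)
    return interfaces, pools


def find_overlaps(text):
    """List (pool, interface) pairs where the pool range intersects the subnet."""
    interfaces, pools = parse_config(text)
    hits = []
    for pool, (first, last) in sorted(pools.items()):
        for ifname, net in sorted(interfaces.items()):
            # Two address ranges intersect when each starts before the other ends.
            if first <= net.broadcast_address and net.network_address <= last:
                hits.append((pool, ifname))
    return hits
```

On the sample, `find_overlaps(SAMPLE_CONFIG)` flags `vpnpool_grp2` against `dmz`, because that pool was carved out of the DMZ subnet.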

New Member

Re: PIX VPN to both DMZ and INSIDE segments

I'm sorry, I made a typo in my first message. I meant to say that one group needs to VPN to the DMZ while the other needs to VPN to the INSIDE.

We currently have users connecting to the inside like normal, but I want to set up a group that can VPN to the DMZ only. I wasn't sure if I could terminate them in both locations.

I guess that brings up the question, am I really terminating them on the DMZ and INSIDE or am I technically terminating them on the outside interface and then allowing them to these interfaces?

If so, is that going to change my use of the "sysopt connection permit-ipsec" command, which I have in my current config?

I can't tell you how much I appreciate your response thus far.



Re: PIX VPN to both DMZ and INSIDE segments

the vpn is actually determined on the pix outside interface, then it is up to the pix whether to allow/forward the packet or drop it.

the sample config i posted will work with the command "sysopt connection permit-ipsec" enabled, pix will ignore all encrypted traffic for inbound acl.

however, if you would like to further restrict remote vpn access down to a protocol/port level, you may need to disable the command "sysopt connection permit-ipsec".

e.g. you don't want the remote pc to have access to the entire dmz, all that is required is to allow the remote pc to rdp to a server.

sample codes:

no sysopt connection permit-ipsec

access-list 199 permit tcp host eq 3389

access-group 199 in interface outside

you will need to keep adding all inbound ipsec traffic to the acl 199, including all vpn client groups and lan-lan vpns.