Remote LAN with PIX 501 to PIX 315 VPN across Internet cannot access DMZ

fgoodwin
Level 1

I have a PIX 315 that has our mail server on the DMZ. All internal networks are able to access the mail server with no problem, as are mail servers and mail clients on the Internet. We have a remote site that connects to our internal network via VPN. This site has a PIX 501 that connects to our PIX 315 for the VPN tunnel. I am able to access all servers on our internal network without a problem, but am not able to access the mail server on our DMZ through the VPN. If I allow split tunneling, the PCs at the remote site can get to the mail server through their Internet connection. For security reasons, they want to force the remote site employees to use our proxy server on our internal network to get to the Internet, so all traffic from the remote site goes across the VPN. While troubleshooting I do a "show ipsec sa" and it shows that at the remote site the packets are being encrypted and at the PIX 512 they are being decrypted. When I do a packet capture at the mail server, the packets do not appear, so it looks like they are being lost inside the PIX 315. Anyone have any suggestions where to go from here? Below is a partial config of the PIX 315.

access-list NONAT permit ip host 172.16.16.110 10.10.43.0 255.255.255.0
access-list NONAT_DMZ permit ip host 172.16.16.110 10.10.43.0 255.255.255.0
access-list IN_DMZ_ACL permit ip 172.16.16.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list SPLIT_TUN_UTIL-PICK permit ip host 172.16.16.110 10.10.43.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (dmz) 0 access-list NONAT_DMZ
access-group IN_E1_ACL in interface inside
access-group IN_DMZ_ACL in interface dmz
vpngroup VPN_UTIL-PICK_REMOTE default-domain co.fairfield.oh.us
vpngroup VPN_UTIL-PICK_REMOTE split-tunnel SPLIT_TUN_UTIL-PICK
vpngroup VPN_UTIL-PICK_REMOTE idle-time 21600
vpngroup VPN_UTIL-PICK_REMOTE password ********


baskervi
Level 1

The NONAT and NONAT_DMZ ACLs define exactly the same networks. You probably need to verify the NONAT ACLs, but what you are describing will work.

I take it you have this configured using EzVPN. If you do the LAN-to-LAN VPN, you have to set up both internal and DMZ subnets in the VPN access lists for the remote site to hit.
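An added illustration (not the poster's or the replier's configuration) of what "both internal and DMZ subnets in the VPN access lists" looks like in PIX 6.x LAN-to-LAN syntax, with the DMZ host listed everywhere the inside subnet is. The inside LAN 10.10.1.0/24, the peer address 203.0.113.10, and the crypto map and transform-set names are assumed; 10.10.43.0/24 (remote site) and 172.16.16.110 (DMZ mail server) come from the post.

```cisco
! Hub PIX (the one with the DMZ). Assumed: inside LAN 10.10.1.0/24,
! remote peer 203.0.113.10. From the post: remote site 10.10.43.0/24,
! DMZ mail server 172.16.16.110.

! 1. NAT exemption, one ACL per originating interface. The inside ACL
!    names the inside subnet, the DMZ ACL names the DMZ host; both point
!    at the remote-site subnet so neither direction gets translated.
access-list NONAT permit ip 10.10.1.0 255.255.255.0 10.10.43.0 255.255.255.0
access-list NONAT_DMZ permit ip host 172.16.16.110 10.10.43.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (dmz) 0 access-list NONAT_DMZ

! 2. Crypto ("interesting traffic") ACL. It must carry BOTH the inside
!    subnet and the DMZ host; otherwise the mail server's replies never
!    match a proxy identity and are dropped before encryption.
access-list L2L_REMOTE permit ip 10.10.1.0 255.255.255.0 10.10.43.0 255.255.255.0
access-list L2L_REMOTE permit ip host 172.16.16.110 10.10.43.0 255.255.255.0

! 3. Let the decrypted traffic through the interface ACLs: the DMZ
!    interface ACL needs a line for mail-server -> remote site, and
!    sysopt lets IPsec-decrypted packets bypass the outside ACL.
access-list IN_DMZ_ACL permit ip host 172.16.16.110 10.10.43.0 255.255.255.0
sysopt connection permit-ipsec

! 4. Bind the crypto ACL to the peer (AES-256/SHA rather than 3DES).
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address L2L_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! Remote PIX 501: the crypto ACL is the mirror image, again with BOTH
! destinations, so the two peers negotiate matching proxy identities.
access-list L2L_HUB permit ip 10.10.43.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list L2L_HUB permit ip 10.10.43.0 255.255.255.0 host 172.16.16.110
nat (inside) 0 access-list L2L_HUB
```

After applying it, "show crypto ipsec sa" on the hub should list a separate SA pair whose local identity is 172.16.16.110/32; if only the inside-subnet SA appears, the DMZ entry of the crypto ACL is not matching. For the poster's tunnel-all requirement, the remote crypto and NAT-exemption ACL would be widened to "permit ip 10.10.43.0 255.255.255.0 any" with the hub entries mirrored accordingly.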