Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Remote LAN with PIX 501 to PIX 315 VPN across Internet cannot access DMZ

I have a PIX 315 that has our mail server on the DMZ. All internal networks are able to access the Mail server with no problem as are mail servers and mail clients on the internet. We have a remote site that connects to our internal network VIA VPN. This site has a PIX 501 that connects to our PIX 315 for the VPN tunnel. I am able to access all servers on our internal network with out a problem, but am not able to access the Mail server on our DMZ through the VPN. If I allow Split tunneling, the PC's at the remote site can get to the Mail server through their interenet connection. For security reasons, they want to force the Remote Site employees to use our proxy server on our internal network to get to the internet, so all traffic from the Remote site goes accross the VPN. While troubleshooting I do a "show ipsec sa" and it shows that at the remote site the packets are being encrypted and at the PIX 512 they are being decrypted. When I do a packet capture at the Mail server, the packets do not appear, so it looks like they are being lost inside the PIX 315. Anyone have any suggestions where to go from here. Below is a partial config of the PIX 315.

access-list NONAT permit ip host

access-list NONAT_DMZ permit ip host

access-list IN_DMZ_ACL permit ip

access-list SPLIT_TUN_UTIL-PICK permit ip host

nat (inside) 0 access-list NONAT

nat (dmz) 0 access-list NONAT_DMZ

access-group IN_E1_ACL in interface inside

access-group IN_DMZ_ACL in interface dmz

vpngroup VPN_UTIL-PICK_REMOTE default-domain


vpngroup VPN_UTIL-PICK_REMOTE idle-time 21600

vpngroup VPN_UTIL-PICK_REMOTE password ********

Community Member

Re: Remote LAN with PIX 501 to PIX 315 VPN across Internet canno

The NONAT and NONAT_DMZ ACLs define exactly the same networks. You probably need to verify the NONAT ACLs, but what you are describing will work.

I take it you have this configured using EzVPN. If you do the LAN-to-LAN VPN, you have to set up both internal and DMZ subnets in the VPN access lists for the remote site to hit.

CreatePlease to create content