Remote LAN with PIX 501 to PIX 315 VPN across Internet cannot access DMZ
I have a PIX 315 that has our mail server on the DMZ. All internal networks are able to access the Mail server with no problem, as are mail servers and mail clients on the internet. We have a remote site that connects to our internal network via VPN. This site has a PIX 501 that connects to our PIX 315 for the VPN tunnel. I am able to access all servers on our internal network without a problem, but am not able to access the Mail server on our DMZ through the VPN. If I allow split tunneling, the PCs at the remote site can get to the Mail server through their internet connection. For security reasons, they want to force the Remote Site employees to use our proxy server on our internal network to get to the internet, so all traffic from the Remote site goes across the VPN. While troubleshooting I do a "show ipsec sa" and it shows that at the remote site the packets are being encrypted and at the PIX 512 they are being decrypted. When I do a packet capture at the Mail server, the packets do not appear, so it looks like they are being lost inside the PIX 315. Anyone have any suggestions where to go from here? Below is a partial config of the PIX 315.
access-list NONAT permit ip host 172.16.16.110 10.10.43.0 255.255.255.0
access-list NONAT_DMZ permit ip host 172.16.16.110 10.10.43.0 255.255.255.0
access-list IN_DMZ_ACL permit ip 172.16.16.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list SPLIT_TUN_UTIL-PICK permit ip host 172.16.16.110 10.10.43.0 255.255.255.0
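As an added example (not part of the post or the poster's configuration), a small Python checker that parses the PIX access-list lines quoted above and tests whether a DMZ-host to remote-subnet flow is permitted, evaluated the way the PIX evaluates nat-exempt and split-tunnel lists (local source, remote destination, first match, implicit deny). The remote client address 10.10.43.25 is a constructed sample value.

```python
import ipaddress

# Constructed input: the access-list lines quoted in the post above.
PIX_ACL_LINES = [
    "access-list NONAT permit ip host 172.16.16.110 10.10.43.0 255.255.255.0",
    "access-list NONAT_DMZ permit ip host 172.16.16.110 10.10.43.0 255.255.255.0",
    "access-list IN_DMZ_ACL permit ip 172.16.16.0 255.255.255.0 10.10.0.0 255.255.0.0",
    "access-list SPLIT_TUN_UTIL-PICK permit ip host 172.16.16.110 10.10.43.0 255.255.255.0",
]


def _addr_spec(tokens):
    """Consume one PIX address spec ('host A', 'any', or 'A NETMASK') and return (network, rest).
    PIX access-lists use real netmasks, not IOS-style wildcard masks."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acls(lines):
    """Return {acl_name: [(action, protocol, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # ignore anything that is not an access-list entry
        name, action, proto = t[1], t[2], t[3]
        src, rest = _addr_spec(t[4:])
        dst, _ = _addr_spec(rest)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def matches(acl, src_ip, dst_ip):
    """First-match evaluation with implicit deny: True only if a permit entry matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src, dst in acl:
        if s in src and d in dst:
            return action == "permit"
    return False


def covers_vpn_flow(acls, acl_name, local_ip, remote_ip):
    """Does the named list (as used by nat 0 / split-tunnel) cover local -> remote traffic?"""
    return matches(acls.get(acl_name, []), local_ip, remote_ip)
```

Running the reverse direction (remote client as source) against any of these lists returns False, which is expected: nat-exempt lists are written from the local side, so the remote spoke's crypto list must mirror them.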