New Member

Routing from VPN to DMZ with PIX-515

I have users utilizing a VPN 3000, trying to route through a PIX 515 firewall to get to our network. They can authenticate to the Concentrator, but not get through to our network. On the PIX, I have ethernet2 labeled VPN and ethernet3 labeled DMZ. I think there's something missing in the translation. This was someone else's project and I have it now. The PIX is configured with IPs, and some access-list statements, and that's about it. I've attached a simple little diagram, if it helps. Any assistance would be greatly appreciated. Thank you in advance.

7 REPLIES
New Member

Re: Routing from VPN to DMZ with PIX-515

I would start by checking the access list on the PIX.

New Member

Re: Routing from VPN to DMZ with PIX-515

Thank you very much for your prompt response. I see this command, and I'm not sure what is source and what is destination:

access-list vpn extended permit ip 172.16.0.0 255.255.255.0 10.0.16.0 255.255.255.0

Thank you for your time. I just get confused when dealing with access-lists...

New Member

Re: Routing from VPN to DMZ with PIX-515

This acl line is allowing traffic from source network of 172.16.0.0/24 to a destination network of 10.0.16.0/24.

I am assuming this acl is applied to the interface to which the VPN concentrator is connected. Is there another acl tied to the other interface that allows the return traffic? Has this ever worked before or is this a new project? Which interface has the higher security level?

New Member

Re: Routing from VPN to DMZ with PIX-515

Yes, it is applied to the VPN interface.

There is another acl applied to the DMZ interface, however it is not as specific. It encompasses the 10.0.0.0 network.

This is a new project, and the DMZ interface has the higher security level than the VPN.

This static line is also in config:

static (VPN,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.255.0

Does this help?

Thank you very much!

New Member

Re: Routing from VPN to DMZ with PIX-515

What exactly does the acl on the dmz interface state? Have you checked the route table on the concentrator and the pix to ensure that they know where to forward traffic to?

New Member

Re: Routing from VPN to DMZ with PIX-515

The routing tables look good, that's probably why it's confusing me. Here is the DMZ acl statement:

access-list DMZ extended permit tcp 10.0.16.0 255.255.255.0 any

Thanks again!

Re: Routing from VPN to DMZ with PIX-515

Hello,

I'm going to start from scratch and not pay attention to the previous posts. I'm assuming that you want to pass the traffic from the 172.16.0.0/24 network to the 10.0.16.0/24 network without having to hide the 10.0.16.0 addresses from the 172.16.0.0 VPN hosts.

The following requirements are needed: an ACL incoming on the DMZ interface, a NAT statement telling the 10.0.16.0 network not to change its address to the DMZ, and, if there is an ACL on the inside interface, a line to permit traffic to the DMZ.

Specific commands to use:

static (inside,dmz) 10.0.16.0 10.0.16.0 netmask 255.255.255.0 !This gives the dmz unaltered access to the 10.0.16.0 network

access-list DMZ_IN permit ip 172.16.0.0 255.255.255.0 10.0.16.0 255.255.255.0

!This line will allow the VPN DMZ devices to initiate connections to the 10.0.16 servers.

access-list INSIDE_IN permit ip 10.0.16.0 255.255.255.0 172.16.0.0 255.255.255.0

!This will allow the servers to initiate connections to the DMZ 172.16.0.x devices

If you have any more questions just let us know

Patrick
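As an added illustration (not code from anyone in this thread) of the source/destination question raised above: a small Python evaluator that parses the PIX access-list lines quoted in the thread and answers whether a given flow is permitted. The host addresses used in the checks are constructed, and the INSIDE_IN line is assumed to carry the protocol keyword ip that the PIX access-list syntax needs after permit.

```python
import ipaddress

# Constructed sample: the ACL lines quoted in this thread (the INSIDE_IN line
# with the protocol keyword "ip", which the PIX access-list syntax requires).
PIX_ACL_LINES = [
    "access-list vpn extended permit ip 172.16.0.0 255.255.255.0 10.0.16.0 255.255.255.0",
    "access-list DMZ extended permit tcp 10.0.16.0 255.255.255.0 any",
    "access-list INSIDE_IN permit ip 10.0.16.0 255.255.255.0 172.16.0.0 255.255.255.0",
]


def _parse_endpoint(tokens, i):
    """Return (network, next index) for 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs take a normal subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def parse_acl_line(line):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST'.

    The first address block is always the SOURCE, the second the DESTINATION.
    """
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    name, i = tokens[1], 2
    if tokens[i] == "extended":
        i += 1
    action, proto = tokens[i], tokens[i + 1]
    src, i = _parse_endpoint(tokens, i + 2)
    dst, i = _parse_endpoint(tokens, i)
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst}


def acl_permits(acl_name, src_ip, dst_ip, proto="ip"):
    """First-match evaluation; an unmatched flow hits the PIX implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in (parse_acl_line(l) for l in PIX_ACL_LINES):
        if entry["name"] != acl_name:
            continue
        if entry["proto"] not in ("ip", proto):  # "ip" entries match any protocol
            continue
        if s in entry["src"] and d in entry["dst"]:
            return entry["action"] == "permit"
    return False  # implicit deny at the end of every PIX access-list
```

Run acl_permits("vpn", "172.16.0.5", "10.0.16.10") and the reverse direction to see that the vpn ACL only matches VPN-to-server traffic; the reverse flow falls through to the implicit deny unless another ACL on the other interface permits it.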
