Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Routing from VPN to DMZ with PIX-515

I have users utilizing a VPN 3000, trying to route through a PIX 515 firewall to get to our network. They can authenticate to the Concentrator, but not get through to our network. On the PIX, I have ethernet2 labeled VPN and ehternet3 labeled DMZ. I think there's something missing in the translation. This was someone else's project and I have it now. The PIX is configured with IP's, and some access-list statements, and that's about it. I've attached a simple little diagram, if it helps. Any assistance would be greatly appreciated. Thank you in advance.

New Member

Re: Routing from VPN to DMZ with PIX-515

I would start be checking the access list on the pix.

New Member

Re: Routing from VPN to DMZ with PIX-515

Thank you very much for your prompt response. I see this command, and I'm not sure what is source and what is destination:

access-list vpn extended permit ip

Thank you for your time. I just get confused when dealing with access-lists...

New Member

Re: Routing from VPN to DMZ with PIX-515

This acl line is allowing traffic from source network of to a destination network of

I am assuming this acl is applied to the interface of which the VPN concentrator is connected. Is there another acl tide to the other interface that allows the return traffic? Has this ever worked before or is this a new project? Which interface has a higher security number level?

New Member

Re: Routing from VPN to DMZ with PIX-515

Yes, it is applied to the VPN interface.

There is another acl applied to the DMZ interface, however it is not as specific. It encompasses the network.

This is a new project, and the DMZ interface has the higher security level than the VPN.

This static line is also in config:

static (VPN,DMZ) netmask

Does this help?

Thank you very much!

New Member

Re: Routing from VPN to DMZ with PIX-515

What exactly does the acl on the dmz interface state? Have you checked the route table on the concentrator and the pix to ensure that they know where to forward traffic to?

New Member

Re: Routing from VPN to DMZ with PIX-515

The routing tables looks good, that's probably why it's confusing me. Here is the DMZ acl statement:

access-list DMZ extended permit tcp any

Thanks again!

Re: Routing from VPN to DMZ with PIX-515


I'm going to start from scratch and not pay attention to the previous posts. I'm assuming that you want to pass the traffic from the network to the network without haveing to hide the address's from the vpn hosts.

The following requriments are needed ACL incomming on the DMZ interface. NAT statement telling the network not to change its address to the DMZ and if there is an ACL in the inside interface to permit traffic to the DMZ.

Specific commands to use:

static (inside, dmz) mask !This gives the dmz unaltered access to network

access-list DMZ_IN permit ip

!This line will allow the VPN DMZ devices to initiate connections to the 10.0.16 servers with.

access-list INSIDE_IN permit

!This will allow the servers to iniate connections to the DMZ 172.16.0.x devices

If you have any more questions just let us know


CreatePlease login to create content