I have a PIX 515 with three network interfaces (outside, inside and dmz). The remote users use VPN Client 3.5 to get to the inside network and the internet. Split tunnel is configured and is working. The VPN client can get to the inside network fine and use VNC and other applications, but cannot use any service on the DMZ network except ping. Meaning it cannot open the web server on the DMZ but can ping it. It cannot use VNC etc. to the DMZ but can use it to the inside. Is my configuration missing something, or can the PIX only split traffic to inside and internet?
I got the fix. The access-list name or number used for VPN from the client to the inside and to the dmz must be different. Also, the access-list applied to the VPN group for split tunnel must be the same as the inside one. Example below:
access-list 150 permit ip "inside network" "vpn client pool"
access-list 160 permit ip "dmz network" "vpn client pool"
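To show the fix described above in context, here is a complete PIX 6.x remote-access fragment. This is an added example, not the poster's configuration: the addresses (inside 10.1.1.0/24, dmz 10.1.2.0/24, client pool 172.16.2.0/24), the group name "remoteusers" and the ACL names are assumed. It binds a separate NAT-exemption ACL to each interface, and uses a dedicated split-tunnel ACL that lists both internal networks so that DMZ destinations are also sent into the tunnel (the same two-entry layout as access-list 101 in the posted config).

```cisco
! Added example, not the poster's config. Assumed addressing:
! inside 10.1.1.0/24, dmz 10.1.2.0/24, VPN client pool 172.16.2.0/24.
ip local pool vpnpool 172.16.2.1-172.16.2.254

! One NAT-exemption ACL per interface. Binding the same ACL number to
! nat 0 on two interfaces is the mistake the thread describes, so the
! inside and dmz exemptions use distinct ACLs (150 and 160).
access-list 150 permit ip 10.1.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 160 permit ip 10.1.2.0 255.255.255.0 172.16.2.0 255.255.255.0
nat (inside) 0 access-list 150
nat (dmz) 0 access-list 160

! Split-tunnel ACL: every network behind the PIX that the client should
! reach through the tunnel (source), with the client pool as destination.
! Anything not matched here leaves the client in the clear.
access-list splittunnel permit ip 10.1.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list splittunnel permit ip 10.1.2.0 255.255.255.0 172.16.2.0 255.255.255.0

! Let decrypted IPsec traffic bypass the interface access-lists.
sysopt connection permit-ipsec

! IKE phase 1 for the VPN Client 3.x (pre-shared group secret, DH group 2).
! 3DES requires the 3DES license on the PIX.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IPsec phase 2: a dynamic crypto map because the client addresses are unknown.
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside

! VPN group: address pool, split tunnel and the group secret the client is
! configured with. "Gr0upSecret" is a placeholder for this example only.
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel splittunnel
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password Gr0upSecret
```

After applying this, `show nat` should list a nat 0 entry for both inside and dmz, each pointing at its own ACL, and the client's route table (VPN Client statistics) should show both 10.1.1.0/24 and 10.1.2.0/24 as secured routes. If only one of the two nat 0 lines appears, the same ACL was bound twice and the later line replaced the earlier one.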
This is the configuration I had. I can ping the host IP on the DMZ but I cannot open any TCP/UDP session like WWW, VNC or TFTP. I can do this with hosts on the INSIDE. The only service that works from the VPN Client to the DMZ is ICMP ping.
Thanks. Below is the config. I think the problem has to do with "Asymmetric Routing", which is not supported on the PIX. When the clients initiate a VPN connection, the client is virtually put on the inside network, so when the PIX Firewall detects the same connection arriving on a perimeter interface, the PIX Firewall has more than one path to a destination. The PIX thinks an attacker is attempting to append packets from one connection to another as a way to break into the PIX Firewall and drops the connection.
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol domain 53
access-list 101 permit ip 18.104.22.168 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 permit ip 22.214.171.124 255.255.255.0 172.16.2.0 255.255.255.0
access-list acl_inbound permit tcp any host 126.96.36.199 eq www
access-list acl_inbound permit udp any host 188.8.131.52 eq tftp