Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Terminating VPN Concentrator in the DMZ


Internet ---> VPN Concentrator (3015, 3.6.5) ----> DMZ (PIX 6.2) ---> Internal Network

Addressing: DMZ Interface:

VPN Concentrator: (Private Interface Address)

Static Routes: All routes point to the DMZ interface,


The clients can connect to the VPN Concentrator. They authenticate off of a server on the internal network. The VPN Concentrator can ping internal addresses without any trouble. You can ping the VPN Concentrator IP from the internal network. The PIX has arp information for the VPN Concentrator and the VPN client, both have the Concentrator's private interface MAC address.

You cannot ping the VPN Client's IP. (using address pool internal to the VPN Concentrator,, testing scenario)

The VPN Client cannot reach any internal address. The VPN Client does not have any firewall enabled.

I know there is probably something very simple I am missing. If anyone can assist it would be appreciated.

Thanks in advance.


  • Other Security Subjects
New Member

Re: Terminating VPN Concentrator in the DMZ

Well, From my understanding, you have the concentrator public int on the outside of the PIX and the private on the DMZ did you configure the appropriate nat and access-lists to allow certain traffic from the clients' obtained IPs on the DMZ to the inside network ?

New Member

Re: Terminating VPN Concentrator in the DMZ

Yes, you have the design correct.

Plus yes. I allowed full access (any DMZ-3 to any Internal network) at this point in time to get the ball rolling. The only configuration for DMZ-3 is this Concentrator. It will be narrowed down once I get the traffic flowing through the clients. I have used Nat 0 at this point in time for testing purposes.

Any ideas?


Cisco Employee

Re: Terminating VPN Concentrator in the DMZ

Do you have a route in the PIX for the VPN pool of addresses, pointing out the DMZ interface to the private address of the concentrator?

New Member

Re: Terminating VPN Concentrator in the DMZ is the private address of the concentrator.

I do have this route in the PIX.

DMZ-3 1 CONNECT static

I did not have one in there explicitly for this so I placed one on the PIX to see if it would correct the trouble.

DMZ-3 1 OTHER static

Same thing. The client can authenticate to an internal server but not ping the internal server once the authentication process has finished. The VPN Concentrator can ping any internal server and any external address. This seems to be a client issue.

I checked the allowed networks and put in the new network that was created by DMZ-3. Same thing.

I am going to set up further testing to watch from both sides to see if I can determine what may be transpiring.

All help is appreciated.



New Member

Re: Terminating VPN Concentrator in the DMZ

After doing some more investigating tonight I found what I call "Legacy Funky Routing". This has been hindering my progress a bit. I will investigate a bit more and see if I can clear this up.

Thank you to all that have contributed.