VPN access from DMZ

I can't access the VPN via a PC behind the DMZ. The situation is as below.

The VPN connection between PIX 515 (VPN client) and PIX 515E (VPN server) is established successfully. I can access the PIX 515E inside network from the PIX 515 inside network, and vice versa. However, I can't access the PIX 515E inside network from the PIX 515 DMZ network. Both the PIX 515 inside and DMZ can go to the public Internet, and the public Internet can access them.

Also, when using a PC behind the PIX 515 DMZ network to start the VPN connection from the "VPN Connection Status" page of PDM, an information box is prompted with the message "The VPN tunnel can be established only from the most secure interface of this firewall which is inside(10.0.1.1). Please load the page wth the URL https://10.0.1.1/vpnclient/connstatus.html from a machine connected to that interface." I think this is the reason why I cannot access the VPN from behind the DMZ. Does it mean the VPN can only be accessed from the inside of the PIX 515, but not the DMZ?

Thanks!


Re: VPN access from DMZ

On pix515e, the no-nat and crypto ACLs need to include the DMZ as well as the inside.

e.g.

access-list no_nat permit ip <515e inside net> <515e inside net mask>
access-list no_nat permit ip <515e dmz net> <515e dmz net mask>
access-list crypto permit ip <515e inside net> <515e inside net mask>
access-list crypto permit ip <515e dmz net> <515e dmz net mask>
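As an added illustration of the reply's point (this is not the poster's configuration nor Cisco's), a small Python check that parses PIX-style `access-list ... permit ip` lines and reports which required site-to-site network pairs are matched by neither the NAT-exemption (`nat 0`) ACL nor the crypto ACL. The addresses, ACL names and the "before"/"after" configs are constructed; the same check run on the other PIX, with the pairs mirrored, verifies the client side.

```python
import ipaddress
import re

# Constructed sample addressing (an assumption, not from the thread):
#   PIX 515E (VPN server) inside : 10.0.1.0/24
#   PIX 515  (VPN client) inside : 192.168.1.0/24
#   PIX 515  (VPN client) DMZ    : 192.168.2.0/24
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # nat/crypto map bindings etc. are not ACEs
        name, src, smask, dst, dmask = m.groups()
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        acls.setdefault(name, []).append((src_net, dst_net))
    return acls

def covered(aces, src, dst):
    """True if some ACE's source/destination networks contain the pair."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in aces)

def missing_pairs(config, required, acl_names=("no_nat", "crypto")):
    """For each required (local_net, remote_net) pair, list the ACLs that
    do not match it. If the nat 0 ACL misses a pair the flow is NATed;
    if the crypto ACL misses it the flow is never sent into the tunnel."""
    acls = parse_acls(config)
    gaps = []
    for local, remote in required:
        pair = (ipaddress.ip_network(local), ipaddress.ip_network(remote))
        for name in acl_names:
            if not covered(acls.get(name, []), *pair):
                gaps.append((name, local, remote))
    return gaps

# Constructed 515E-side config: only inside-to-inside is covered ...
BEFORE = """\
access-list no_nat permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no_nat
"""
# ... and the corrected version that also covers the client's DMZ subnet.
AFTER = BEFORE + """\
access-list no_nat permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list crypto permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
REQUIRED = [("10.0.1.0/24", "192.168.1.0/24"), ("10.0.1.0/24", "192.168.2.0/24")]
```

Running `missing_pairs(BEFORE, REQUIRED)` names the DMZ pair under both ACLs, while `missing_pairs(AFTER, REQUIRED)` returns an empty list.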
