VPN access from DMZ

icsl · ‎12-09-2005

I can't access the VPN via PC behind DMZ. Situation as below.

VPN connection between PIX 515(vpn client), PIX 515E(vpn server) established successfully. I can access the PIX 515E inside network from the PIX 515 inside network, and vice versa. However, i can't access the PIX515E inside network from the PIX515 dmz network. But both PIX515 inside and dmz can go to public Internet, and public Internet can access them.

Also, when using a PC behind PIX515 dmz network to start VPN connection from the "VPN Connection Status" page of PDM. Information box is prompted and message is "The VPN tunnel can be established only from the most secure interface of this firewall which is inside(10.0.1.1). Please load the page wth the URL https://10.0.1.1/vpnclient/connstatus.html from a machine connected to that interface." I think this is the reason why cannot access VPN behind DMZ. Does it mean the VPN can only be accessed from inside of PIX 515 only? But not DMZ?

Thanks!

jackko · ‎12-09-2005

on pix515e, the no-nat and crypto acls need to include the dmz as well as the inside.

e.g.

access-list no_nat permit ip <515e inside net> <515e inside net mask>

access-list no_nat permit ip <515e dmz net> <515e dmz net mask>

access-list crypto permit ip <515e inside net> <515e inside net mask>

access-list crypto permit ip <515e dmz net> <515e dmz net mask>