
VPN and DMZ

ahoangphan
Level 1

Hi,

I currently have a VPN router on the outside that assigns IP addresses from the 10.10.0.0 network to clients. On the inside I have the 10.1.1.0 network, and 10.1.4.0 is the DMZ network. I have inside and DMZ talking to each other using nat 0, and with an access-list applied to the inside interface for VPN I can get the 10.10.0.0 network to talk to the 10.1.1.0 network. I'm trying to configure the PIX so that the VPN clients can also see the 10.1.4.0 network. Please help.

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 failoverint security55

nameif ethernet3 ecdmz security80

nameif ethernet4 intf4 security20

nameif ethernet5 intf5 security25

enable password 75uLIS.m0wq8Es8C encrypted

passwd s6ti98OBT7n.eIs7 encrypted

hostname ec-pixfw1.1

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

names

access-list 123 permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.255.0

access-list Allowin permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list Allowin deny ip any any

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

mtu outside 1500

mtu inside 1500

mtu failoverint 1500

mtu ecdmz 1500

mtu intf4 1500

mtu intf5 1500

ip address outside *.*.*.* 255.255.255.240

ip address inside 10.1.1.254 255.255.255.0

ip address failoverint 192.168.1.1 255.255.255.0

ip address ecdmz 10.1.4.254 255.255.255.0

ip address intf4 127.0.0.1 255.255.255.255

ip address intf5 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 64.221.*.*

failover ip address inside 10.1.1.253

failover ip address failoverint 192.168.1.2

failover ip address ecdmz 10.1.4.253

failover ip address intf4 0.0.0.0

failover ip address intf5 0.0.0.0

failover link failoverint

pdm history enable

arp timeout 14400

global (outside) 1 64.221.*.*

nat (inside) 0 access-list 123

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (ecdmz) 1 0.0.0.0 0.0.0.0 0 0

access-group Allowin in interface outside

route outside 0.0.0.0 0.0.0.0 64.221.*.* 1

route outside 10.10.0.0 255.255.0.0 64.221.*.* 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 10.1.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:dd99ea6763388d9e01119f2ef32a9d80

3 Replies

gfullage
Cisco Employee

Do:

> access-list 124 permit ip 10.1.4.0 255.255.255.0 10.10.0.0 255.255.255.0

> nat (ecdmz) 0 access-list 124

Shouldn't this also be added:

> access-list Allowin permit ip 10.10.0.0 255.255.255.0 10.1.4.0 255.255.255.0

access-list Allowin permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list Allowin deny ip any any

access-group Allowin in interface outside

I've got everything set up as you both suggested, but I still can't access the servers on the DMZ... I also did a clear xlate... No luck... What else do I need to add to the configuration to get it to work?
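As an added illustration (not part of the thread, and not a Cisco tool), the Python script below models the PIX 6.x rule the replies rely on: a connection from a lower-security interface (outside, where the VPN clients arrive) to a higher-security one (inside or ecdmz) passes only if the access-list applied inbound on the ingress interface permits it AND the higher-security interface has a translation covering the destination, either a `nat (iface) 0 access-list` whose entry mirrors the flow (local network as source, VPN network as destination) or a `static`. It also flags one caveat worth checking on a 6.2 box: ACL entries are evaluated first-match in the order they were entered, and 6.2 has no way to insert a line in the middle, so a permit typed in after the existing `access-list Allowin deny ip any any` lands behind it and is never reached. The config text is a constructed cut-down copy of the posted configuration, with the masked public addresses replaced by 192.0.2.x documentation placeholders; the three configurations (as posted, with the suggested lines appended, and with the ACL rebuilt so the deny is last) are assumptions used to exercise the check, not a claim about what was typed on the real firewall.

```python
"""Model of the PIX 6.x lower-to-higher security check behind this thread.
Added example, not from the thread; configs below are constructed samples."""
import ipaddress

# Constructed sample: the posted config lines that matter for the check.
ORIGINAL_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet3 ecdmz security80
access-list 123 permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list Allowin permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list Allowin deny ip any any
ip address outside 192.0.2.2 255.255.255.240
ip address inside 10.1.1.254 255.255.255.0
ip address ecdmz 10.1.4.254 255.255.255.0
nat (inside) 0 access-list 123
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (ecdmz) 1 0.0.0.0 0.0.0.0 0 0
access-group Allowin in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside 10.10.0.0 255.255.0.0 192.0.2.1 1
"""
# The lines the replies suggest, typed in at the end of the running config.
# PIX 6.2 appends ACL entries, so the new Allowin permit lands after the deny.
APPENDED_CONFIG = ORIGINAL_CONFIG + """
access-list 124 permit ip 10.1.4.0 255.255.255.0 10.10.0.0 255.255.255.0
nat (ecdmz) 0 access-list 124
access-list Allowin permit ip 10.10.0.0 255.255.255.0 10.1.4.0 255.255.255.0
"""
# Same entries with the deny re-entered last (ACL rebuilt in the right order).
REBUILT_CONFIG = (APPENDED_CONFIG.replace("access-list Allowin deny ip any any\n", "")
                  + "access-list Allowin deny ip any any\n")


def _net(w, i):
    """Read one address operand (any | host A | A MASK) at w[i]; return (network, next index)."""
    if w[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if w[i] == "host":
        return ipaddress.ip_network(w[i + 1]), i + 2
    return ipaddress.ip_network(f"{w[i]}/{w[i + 1]}", strict=False), i + 2


def parse(text):
    """Pull interfaces, ACLs, nat 0 exemptions, statics, access-groups and routes out of a PIX 6.x config."""
    cfg = {"sec": {}, "conn": {}, "acl": {}, "nat0": {}, "static": [], "group": {}, "routes": []}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "nameif":                      # nameif ethernetN NAME securityLEVEL
            cfg["sec"][w[2]] = int(w[3][len("security"):])
        elif w[:2] == ["ip", "address"]:          # ip address NAME ADDR MASK
            cfg["conn"][w[2]] = _net(w, 3)[0]
        elif w[0] == "access-list":               # access-list NAME permit|deny ip SRC DST
            src, i = _net(w, 4)
            dst, _ = _net(w, i)
            cfg["acl"].setdefault(w[1], []).append((w[2], src, dst))
        elif w[0] == "nat" and w[2] == "0" and w[3] == "access-list":
            cfg["nat0"][w[1].strip("()")] = w[4]
        elif w[0] == "static":                    # static (high,low) GLOBAL LOCAL netmask MASK (plain form only)
            high, low = w[1].strip("()").split(",")
            mask = w[5] if len(w) > 5 and w[4] == "netmask" else "255.255.255.255"
            cfg["static"].append((high, low, _net([w[3], mask], 0)[0]))
        elif w[0] == "access-group" and w[2:4] == ["in", "interface"]:
            cfg["group"][w[4]] = w[1]
        elif w[0] == "route":                     # route IFACE NET MASK GATEWAY [metric]
            cfg["routes"].append((w[1], _net(w, 2)[0]))
    return cfg


def iface_for(cfg, ip):
    """Longest-prefix match over connected networks and static routes."""
    best = None
    for iface, net in list(cfg["conn"].items()) + cfg["routes"]:
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None


def acl_verdict(entries, src, dst):
    """First-match evaluation; no match is the implicit deny."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"


def shadowed_entries(cfg, name):
    """Indexes of entries that can never match because an earlier entry covers both their networks."""
    entries = cfg["acl"].get(name, [])
    return [i for i, (_, s, d) in enumerate(entries)
            if any(s.subnet_of(ps) and d.subnet_of(pd) for _, ps, pd in entries[:i])]


def check_flow(cfg, src_ip, dst_ip):
    """Reasons a lower-to-higher security connection src_ip -> dst_ip would be dropped ([] = passes)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress, egress = iface_for(cfg, src), iface_for(cfg, dst)
    if ingress is None or egress is None:
        return [f"no route for {src_ip if ingress is None else dst_ip}"]
    if cfg["sec"][ingress] >= cfg["sec"][egress]:
        return []  # only the lower-to-higher direction the thread is about is modelled
    problems = []
    if acl_verdict(cfg["acl"].get(cfg["group"].get(ingress), []), src, dst) != "permit":
        problems.append(f"ACL inbound on {ingress} does not permit {src_ip} -> {dst_ip}")
    exempt = cfg["nat0"].get(egress)
    mirrored = exempt is not None and acl_verdict(cfg["acl"].get(exempt, []), dst, src) == "permit"
    static = any(h == egress and l == ingress and dst in net for h, l, net in cfg["static"])
    if not (mirrored or static):
        problems.append(f"no nat 0 access-list or static on {egress} covering {dst_ip}")
    return problems


if __name__ == "__main__":
    for label, text in [("original", ORIGINAL_CONFIG), ("appended", APPENDED_CONFIG), ("rebuilt", REBUILT_CONFIG)]:
        cfg = parse(text)
        print(label, "10.10.0.5 -> 10.1.4.10:", check_flow(cfg, "10.10.0.5", "10.1.4.10") or "OK",
              "| dead Allowin entries:", shadowed_entries(cfg, "Allowin"))
```

Run against the three constructed configs, the posted one fails both checks for a VPN client reaching 10.1.4.0, the appended one still fails the ACL check (and `shadowed_entries` reports the new permit as dead), and only the rebuilt one passes. On the box itself the equivalent evidence is `show access-list Allowin` (entry order and hit counts) and `show xlate` after a test connection from a VPN client.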