03-06-2003 11:32 AM - edited 02-21-2020 12:23 PM
Hi,
I currently have a VPN router on the outside that assigns IP addresses from the 10.10.0.0 network to clients. On the inside I have the 10.1.1.0 network, and 10.1.4.0 is the network for the DMZ. I have inside and DMZ talking to each other using nat 0, and with an access-list applied to the inside interface for the VPN I can get the 10.10.0.0 network to talk to the 10.1.1.0 network. I'm trying to configure the PIX so that the VPN clients can also see the 10.1.4.0 network. Please help.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failoverint security55
nameif ethernet3 ecdmz security80
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password 75uLIS.m0wq8Es8C encrypted
passwd s6ti98OBT7n.eIs7 encrypted
hostname ec-pixfw1.1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 123 permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list Allowin permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list Allowin deny ip any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu failoverint 1500
mtu ecdmz 1500
mtu intf4 1500
mtu intf5 1500
ip address outside *.*.*.* 255.255.255.240
ip address inside 10.1.1.254 255.255.255.0
ip address failoverint 192.168.1.1 255.255.255.0
ip address ecdmz 10.1.4.254 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 64.221.*.*
failover ip address inside 10.1.1.253
failover ip address failoverint 192.168.1.2
failover ip address ecdmz 10.1.4.253
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
failover link failoverint
pdm history enable
arp timeout 14400
global (outside) 1 64.221.*.*
nat (inside) 0 access-list 123
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (ecdmz) 1 0.0.0.0 0.0.0.0 0 0
access-group Allowin in interface outside
route outside 0.0.0.0 0.0.0.0 64.221.*.* 1
route outside 10.10.0.0 255.255.0.0 64.221.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:dd99ea6763388d9e01119f2ef32a9d80
03-06-2003 09:37 PM
Do:
> access-list 124 permit ip 10.1.4.0 255.255.255.0 10.10.0.0 255.255.255.0
> nat (ecdmz) 0 access-list 124
03-07-2003 04:36 AM
Shouldn't it also be added:
> access-list Allowin permit ip 10.10.0.0 255.255.255.0 10.1.4.0 255.255.255.0
> access-list Allowin permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
> access-list Allowin deny ip any any
> access-group Allowin in interface outside
03-07-2003 08:38 AM
I got everything like you both suggested but still I can't access the servers on the dmz... Also did a clear xlate... No luck... What else do I need to add to the configuration to get it to work?
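The two replies together describe two independent conditions a VPN-client to DMZ flow must satisfy on this box: a permit in the access-group applied inbound on outside, and a nat 0 exemption on the interface that owns the destination. The checker below is an added example, not code from the thread or from Cisco; it parses only `access-list ... ip`, `nat (iface) 0 access-list` and `access-group` lines, and the config excerpt, the added lines and the test addresses (10.10.0.5, 10.1.4.10) are constructed from the posts above.

```python
import ipaddress
# Constructed excerpt of the first post's config: only its permit/NAT-exemption lines.
ORIGINAL = """
access-list 123 permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list Allowin permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list Allowin deny ip any any
nat (inside) 0 access-list 123
access-group Allowin in interface outside
"""
# Plus both replies' lines in reply 2's order (new permit before the deny; a PIX appends new ACEs).
SUGGESTED = """
access-list 123 permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list 124 permit ip 10.1.4.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list Allowin permit ip 10.10.0.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list Allowin permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list Allowin deny ip any any
nat (inside) 0 access-list 123
nat (ecdmz) 0 access-list 124
access-group Allowin in interface outside
"""
def parse(config):
    # acls: name -> [(action, src, dst)] in order; nat0: iface -> exemption ACL; groups: iface -> inbound ACL.
    acls, nat0, groups = {}, {}, {}
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "access-list" and t[3] == "ip":      # only "ip" ACEs are handled
            nets = (ipaddress.ip_network("0.0.0.0/0"),) * 2 if t[4] == "any" else (
                ipaddress.ip_network(f"{t[4]}/{t[5]}"), ipaddress.ip_network(f"{t[6]}/{t[7]}"))
            acls.setdefault(t[1], []).append((t[2], *nets))
        elif t[0] == "nat" and t[2] == "0":             # nat (IFACE) 0 access-list NAME
            nat0[t[1].strip("()")] = t[4]
        elif t[0] == "access-group":                    # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
    return acls, nat0, groups

def acl_permits(entries, src, dst):
    # First matching entry wins, as on the PIX; no match (or no ACL) is a deny.
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False

def check_flow(config, src, dst, in_iface, out_iface):
    # Returns (permitted_by_access_group, exempt_from_nat); the flow works only if both are True.
    acls, nat0, groups = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    permitted = acl_permits(acls.get(groups.get(in_iface), []), src, dst)
    # nat 0 ACLs are written from the DMZ host's side, so match with src/dst swapped.
    exempt = acl_permits(acls.get(nat0.get(out_iface), []), dst, src)
    return permitted, exempt
```

Because the lookup stops at the first matching entry, the same checker reports the flow as denied when the new `Allowin` permit ends up after `deny ip any any`, which is where a PIX places a newly entered ACE; `show access-list` confirms the actual order on the box.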