Cisco Support Community

New Member



I currently have a VPN router on the outside that assigns IP addresses from network to clients. For the inside I have the network, and network for the DMZ. I have inside and DMZ talking to each other using nat 0; with an access-list applied to the inside interface for VPN I can get network to talk to network. I'm trying to configure the PIX so that the VPN clients can also see the network. Please help.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failoverint security55
nameif ethernet3 ecdmz security80
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password 75uLIS.m0wq8Es8C encrypted
passwd s6ti98OBT7n.eIs7 encrypted
hostname ec-pixfw1.1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25

access-list 123 permit ip
access-list Allowin permit ip
access-list Allowin deny ip any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu failoverint 1500
mtu ecdmz 1500
mtu intf4 1500
mtu intf5 1500
ip address outside *.*.*.*
ip address inside
ip address failoverint
ip address ecdmz
ip address intf4
ip address intf5
ip audit info action alarm
ip audit attack action alarm

failover timeout 0:00:00
failover poll 15
failover ip address outside 64.221.*.*
failover ip address inside
failover ip address failoverint
failover ip address ecdmz
failover ip address intf4
failover ip address intf5
failover link failoverint
pdm history enable
arp timeout 14400
global (outside) 1 64.221.*.*
nat (inside) 0 access-list 123
nat (inside) 1 0 0
nat (ecdmz) 1 0 0
access-group Allowin in interface outside
route outside 64.221.*.* 1
route outside 64.221.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80


Cisco Employee

Re: VPN and DMZ


> access-list 124 permit ip
> nat (ecdmz) 0 access-list 124

New Member

Re: VPN and DMZ

Shouldn't it also be added:

> access-list Allowin permit ip
access-list Allowin permit ip
access-list Allowin deny ip any any
access-group Allowin in interface outside

New Member

Re: VPN and DMZ

I got everything like you both suggested but still I can't access the servers on the dmz... Also did a clear xlate... No luck... What else do I need to add to the configuration to get it to work?
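The two replies above together describe the three pieces a PIX 6.x needs before hosts on a lower-security interface (here the VPN pool arriving on outside) can reach a higher-security interface (ecdmz): a NAT exemption for the protected hosts, an inbound ACL on the outside interface, and a route back to the pool. The fragment below is an added example written for this page, not the poster's configuration or anything from the replies; every address in it is a constructed placeholder standing in for the networks the thread has stripped out, and the interface and ACL names are the ones the thread already uses. The comments point at the two places where such a setup most often fails even though "everything was added": the nat 0 ACL written in the wrong direction, and a missing return route.

```cisco
: Added example, not the poster's configuration. Constructed placeholders:
:   10.1.1.0/24     = inside network                              (constructed)
:   10.1.2.0/24     = ecdmz (DMZ) network                         (constructed)
:   192.168.50.0/24 = client pool handed out by the outside VPN router (constructed)
:   203.0.113.1     = outside-facing address of the VPN router       (constructed)

: 1. NAT exemption. The exemption ACL is read from the viewpoint of the hosts
:    behind the named interface: source = that interface's network,
:    destination = the VPN pool. Written the other way round (pool first) it
:    never matches, the PIX has no xlate for the DMZ server when a VPN client's
:    packet arrives, and the connection is dropped even with a correct Allowin.
access-list 123 permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 123
access-list 124 permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (ecdmz) 0 access-list 124

: 2. Inbound policy on outside. Lower- to higher-security traffic is denied
:    unless the ACL applied inbound on outside permits it, so the pool must be
:    permitted to each destination network it needs, and nothing wider. The
:    existing nat (inside) 1 / nat (ecdmz) 1 PAT rules are left as they are;
:    nat 0 with an access-list takes precedence for matching traffic.
access-list Allowin permit ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list Allowin permit ip 192.168.50.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Allowin deny ip any any
access-group Allowin in interface outside

: 3. Return path. The PIX must know the pool sits behind the VPN router on
:    outside (otherwise replies follow the default route toward the ISP), and
:    the VPN router in turn must route 10.1.1.0/24 and 10.1.2.0/24 to the PIX
:    outside address. DMZ servers should use the ecdmz interface address as
:    their default gateway so replies to the pool come back through the PIX.
route outside 192.168.50.0 255.255.255.0 203.0.113.1 1

: 4. Translations built before the nat/access-list change keep their old
:    behaviour until they age out, so flush them after editing.
clear xlate
```

To confirm which of the three pieces is missing rather than guessing, open one connection from a VPN client to a DMZ server and look at `show xlate` and `show conn`: no xlate for the DMZ server points at step 1 (exemption ACL direction or interface), an xlate but no connection points at step 2, and a connection that never completes points at step 3 (a return route on the VPN router or the DMZ server's gateway). For ICMP tests, `debug icmp trace` shows on which interface the echo and its reply are seen.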