Cisco Support Community
Community Member

VPN client access to DMZ

We have a PIX 515E running IOS 6.3 with 3 interfaces (inside, dmz & outside).

The inside network is / 24, and the DMZ is /24. All VPN clients are assigned addresses in the range to

Connecting via the Cisco VPN client, we can access all PCs on the 192.168.1.x network. All PCs on the 192.168.1.x network can access the web server on the DMZ ( However, using the VPN client we cannot connect to the web server on the DMZ. We can telnet to from a command prompt to port 3389 - Terminal Services, but cannot connect using the Terminal Services client.

ALL addresses on the "inside" network are NAT'd to 172.16.1.x addresses when connecting to the DMZ - this works fine for all 192.168.1.x PCs - but does not seem to work for 192.168.10.x addresses assigned to VPN clients. We also have an ACL excluding 192.168.1.x to 192.168.10.x traffic from being NAT'd.

Any ideas?


Re: VPN client access to DMZ

Can you telnet to port 80 from a command prompt? When you try to access the web server via HTTP and TS, are you trying via IP or hostname?

When users connect to the vpn, can they access the outside interface as well - surf the web, etc?

Community Member

Re: VPN client access to DMZ

I have just discovered that my local network (from which I am connecting to the PIX via the Cisco VPN client) also has a machine - hence the response to Telnet requests !!

If I connect to the PIX, all Internet traffic appears to bypass the VPN tunnel and go out of the default gateway on my local LAN.

It's almost as if the VPN client is not aware of a route to the network, although it is aware of the network.

Community Member

Re: VPN client access to DMZ

It sounds like your Split Tunnel ACL only includes the one network. You should take a look and verify that the ACL you have defined for your VPN Clients is listing both networks.

You can find the ACL that's being referenced for VPN Clients under the vpngroup configuration.

I.e.: vpngroup group1 split-tunnel group1_ACL

You'll also want to include the other network in the ACL that's defined for NAT exclusion.

Hope that helps..

Community Member

Re: VPN client access to DMZ

Thanks for your reply.

The VPN clients are assigned addresses on the 192.168.10.x network. The internal network is 192.168.1.x. The DMZ network is 172.16.1.x. Should the VPN clients be assigned addresses on the 192.168.1.x network?

I have configured the split-tunnel ACL to allow traffic as follows:

192.168.1.x to 192.168.10.x

192.168.10.x to 172.16.1.x

172.16.1.x to 192.168.10.x

There is also a NAT (inside) 0 split-tunnel ACL statement.

However, I still can't access the DMZ machines using their 172.16.1.x addresses via the VPN client. All 192.168.1.x PCs can access the DMZ machines.

Community Member

Re: VPN client access to DMZ

Try to do this:

access-list split permit ip

vpngroup xxxxxxxx split-tunnel split

Try to debug packet on the dmz.
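A PIX 6.3 configuration fragment that ties together the suggestions in the replies above (a split-tunnel ACL listing both the inside and DMZ networks, NAT exemption on both the inside and DMZ interfaces, and the commands used to verify the result). This is an added example, not configuration from the thread; the interface names, ACL names, group name and address pool are assumed to match the networks the original poster described.

```cisco
! Assumed: inside = 192.168.1.0/24, dmz = 172.16.1.0/24,
! VPN client pool = 192.168.10.0/24 (names below are examples)
ip local pool vpnpool 192.168.10.1-192.168.10.254

! Split-tunnel ACL: source is the protected network, destination is the
! client pool. Only these networks are routed into the tunnel; everything
! else leaves the client's local gateway, so list both inside and DMZ.
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split_tunnel permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0

! NAT exemption on the inside interface: inside hosts talk to VPN clients
! with their real addresses.
access-list nonat_inside permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat_inside

! NAT exemption on the DMZ interface: without this, VPN client traffic
! arriving on the outside has no translation toward the DMZ and is dropped,
! even though inside-to-DMZ traffic (covered by its own NAT rule) works.
! Keep the exemption scoped to the client pool, not "any".
access-list nonat_dmz permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (dmz) 0 access-list nonat_dmz

! Let decrypted IPsec traffic bypass the interface ACL on the outside.
sysopt connection permit-ipsec

! Bind the pool and the split-tunnel ACL to the client group.
vpngroup group1 address-pool vpnpool
vpngroup group1 split-tunnel split_tunnel

! Verification while a client is connected and trying to reach the DMZ host:
! hit counts on the split and nonat ACLs, translations for the client address,
! and packets seen on the dmz interface from the client pool.
show access-list split_tunnel
show access-list nonat_dmz
show xlate
debug packet dmz src 192.168.10.0 netmask 255.255.255.0 dst 172.16.1.0 netmask 255.255.255.0
```

If the `nonat_dmz` hit count stays at zero while the client's packets reach the outside interface, the traffic is still being translated (or dropped) before it reaches the DMZ, which points at the NAT side rather than the split-tunnel ACL.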

Community Member

Re: VPN client access to DMZ


Did you ever get this issue resolved?

I am interested in knowing what the issue with your problem was.

