Cisco Support Community

W2k VPN server in DMZ - clients are getting no answer

We configured a VPN server in a DMZ off a PIX 515. The server has one NIC, and we can ping outside clients and inside hosts, including the DC and DNS servers. However, the clients are still getting NO answer. My ACL is:

access-list 100 permit gre any host x.x.x.x
access-list 100 permit tcp any host x.x.x.x eq 1723
access-list 100 permit udp any host x.x.x.x eq 1723
access-list 100 permit udp any host x.x.x.x eq isakmp
access-list 100 permit udp any host x.x.x.x eq 1701

Do I need any other ports open? Protocols? Any suggestions would be appreciated... Thx

1 REPLY

Re: W2k VPN server in DMZ - clients are getting no answer

Hi,

If you have the "sysopt connection permit-ipsec" command on your PIX, that should take care of ESP traffic as well.

Make sure that you have the "nat (dmz) 0 access-list ACL###" command on your PIX as well, to bypass NAT for IPsec traffic (returning to the VPN clients).

Your server on the DMZ should point to the PIX as its default GW as well.

Thx

Afaq
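As an added example (not part of the original thread, and not Cisco's code), the script below parses PIX-style access-list lines such as the five posted in the question and reports which of the well-known protocol/port pairs for a Windows 2000 VPN server are still missing: PPTP needs TCP 1723 plus GRE, and L2TP/IPsec needs UDP 500 (ISAKMP), UDP 1701 (L2TP) and ESP (IP protocol 50). The `sysopt_permit_ipsec` flag models the reply's suggestion that "sysopt connection permit-ipsec" lets ISAKMP and ESP bypass the interface ACL; whether that applies to IPsec traffic passed through to a DMZ host depends on the PIX version, so treat the flag as an assumption rather than a guarantee. The sample ACL text and the 192.0.2.10 address are constructed; the script also flags entries (here UDP 1723) that neither VPN type needs, which is a least-privilege check rather than a connectivity one.

```python
"""Check a PIX-style access-list against what a W2k VPN server in a DMZ needs.

Added example, not from the original thread. The requirement tables are the
standard protocol/port pairs for PPTP and L2TP/IPsec; the sysopt flag is an
assumption about how "sysopt connection permit-ipsec" affects the ACL.
"""
import re

# Constructed sample: the question's five ACL lines with x.x.x.x replaced by a
# documentation address.
SAMPLE_ACL = """
access-list 100 permit gre any host 192.0.2.10
access-list 100 permit tcp any host 192.0.2.10 eq 1723
access-list 100 permit udp any host 192.0.2.10 eq 1723
access-list 100 permit udp any host 192.0.2.10 eq isakmp
access-list 100 permit udp any host 192.0.2.10 eq 1701
"""

# PIX accepts some service names in place of port numbers.
PORT_NAMES = {"isakmp": 500, "pptp": 1723}

# Required (protocol, port) tuples; port is None for protocols without ports.
REQUIREMENTS = {
    "pptp": {("tcp", 1723), ("gre", None)},
    "l2tp_ipsec": {("udp", 500), ("udp", 1701), ("esp", None)},
}

# Simple "access-list NAME permit PROTO SRC DST [eq PORT]" form only.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def normalize_port(token):
    """Map a PIX port token (number or service name) to an integer."""
    t = token.lower()
    if t in PORT_NAMES:
        return PORT_NAMES[t]
    if t.isdigit():
        return int(t)
    raise ValueError(f"unknown port token: {token}")


def parse_acl(text):
    """Return the set of (proto, port) tuples the ACL text permits.

    Lines that do not match the simple permit form are ignored.
    """
    permitted = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        proto = m.group("proto").lower()
        port = m.group("port")
        permitted.add((proto, normalize_port(port) if port else None))
    return permitted


def missing_entries(permitted, vpn_type, sysopt_permit_ipsec=False):
    """Return the required tuples for vpn_type that the ACL does not permit.

    With sysopt_permit_ipsec=True, ISAKMP (udp/500) and ESP are assumed to
    bypass the ACL, as the reply in the thread suggests.
    """
    needed = set(REQUIREMENTS[vpn_type])
    if sysopt_permit_ipsec:
        needed -= {("udp", 500), ("esp", None)}
    if ("ip", None) in permitted:  # a blanket "permit ip" covers everything
        return set()
    return {entry for entry in needed if entry not in permitted}


def unused_entries(permitted):
    """Permitted tuples that neither PPTP nor L2TP/IPsec needs."""
    needed = set().union(*REQUIREMENTS.values())
    return permitted - needed


if __name__ == "__main__":
    perms = parse_acl(SAMPLE_ACL)
    for vpn in REQUIREMENTS:
        print(vpn, "missing without sysopt:", missing_entries(perms, vpn))
        print(vpn, "missing with sysopt:   ", missing_entries(perms, vpn, True))
    print("not needed by either VPN type:", unused_entries(perms))
```

Run against the posted ACL, the script reports that PPTP is fully covered, that L2TP/IPsec lacks an ESP permit unless the sysopt bypass really applies, and that the UDP 1723 line can be dropped because PPTP's control channel is TCP only. It checks inbound permits only; the return-path NAT exemption and the server's default gateway, which the reply also raises, are outside what an ACL parse can verify.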
