Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

a problem about pix dmz and vpn

Hi netpro:

I have some trouble when I config a pix515 for vpn client. the vpn client can establish with pix and it get a address from pix pool ,but the client can't ping the hosts in the dmz and pix's dmz interface.

the config :

vpn# sh run

: Saved


PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security90

nameif ethernet3 intf3 security6

enable password xxx

passwd xxx

hostname vpn


access-list 120 permit host 23.x.x.43

access-list 120 permit host 23.x.x.2

access-list acl_dmz permit tcp any any eq telnet

access-list acl_dmz permit icmp any any

access-list 102 permit ip 211.x.x.0

pager lines 24

logging console emergencies

logging monitor emergencies

logging buffered emergencies

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu intf3 1500

ip address outside 211.x.x.2xx

ip address inside 23.1.x.x.255.248.0

ip address dmz

no ip address intf3

ip verify reverse-path interface dmz

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool mask

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address dmz

no failover ip address intf3

pdm history enable

arp timeout 14400

global (outside) 1

nat (inside) 1 0 0

nat (inside) 1 0 0

nat (inside) 1 23.1.x.x.255.255.255 0 0

nat (inside) 1 23.1.x.x.255.255.255 0 0

nat (dmz) 0 access-list 102

access-group acl_dmz in interface dmz

conduit permit icmp any any

route outside 0.0.x.x.99.71.254 1

route dmz 23.1.0.x.x.0.0 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt ipsec pl-compatible

crypto ipsec transform-set comacset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set comacset

crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

crypto map vpnmap client configuration address initiate

crypto map vpnmap client configuration address respond

crypto map vpnmap client authentication LOCAL

crypto map vpnmap interface outside

isakmp enable outside

isakmp key ******** address netmask

isakmp identity address

isakmp client configuration address-pool local vpnpool outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup mobilevpn address-pool vpnpool

vpngroup mobilevpn dns-server

vpngroup mobilevpn idle-time 900

vpngroup mobilevpn password ********

telnet 23.1.x.x.255.255.255 inside

telnet 23.1.x.x.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

Cisco Employee

Re: a problem about pix dmz and vpn


No wonder you are not able to ping the dmz int from the VPN client. You do not have man dmz commnd in the PIX.

man or management-access command makes an interface accessible for the VPN client Or ipsec tunnel for telnet,snmp etc. without this the interface is never pingable because the traffic is coming from the outside.

It looks like the inside network does not have a router to back to the dmz int.

You have mixed and matched the configuration of VPN client with Cisco Secure VPN client (old) with Cisco VPN 3000 Client (new). If you have downloaded the vpn client recently then it has to be Cisco VPN 3000 client.

Please clean the configuration

Sysopt pl-compatible is a dangerous command for IPSEC to be in the configuration. It is for older pix os rather newer 6.3.x it will make the natting part and ASA features of the PIX os useless for the IPSEC traffic. You do not need that.

Also you do not need

crypto map vpnmap client configuration address initiate

crypto map vpnmap client configuration address respond

isakmp key ******** address netmask

This is for older VPN clients.

The isa key * address 0 netmask 0 is also used for dynamic to static IPSEC L2L tunnels but i do not see any Dynamic L2L tunnels in the configuration as well.

Please clean the configuration.

In summary:

You would need man dmz to ping the dmz int.

You would need a route in the network for pointing to dmz int of the pix to talk to the clients.

Always remove the passwords from the configuration before posting.



New Member

Re: a problem about pix dmz and vpn

Hi Vikas, thank your help , I resolved the probelm .

Cisco Employee

Re: a problem about pix dmz and vpn


How did you solve it?



CreatePlease to create content