Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN access to PIX on DMZ

Hi,

I think I'm doing something fairly obvious but hopefully someone can point it out. 

We have a PIX 515 with an IPSEC VPN configured.  Connecting to the VPN from the outside interface works fine using the outside interface IP and connecting to the VPN using the DMZ interface IP is okay.

What we'd like is to have DMZ users (who are typically wireless in the building) to use the same DNS name to connect from the DMZ as they would from the outside.  When they try to connect to the outside IP, it fails.

Is there some specific ACL or NAT entry required?

Thanks

3 REPLIES

Re: VPN access to PIX on DMZ

don't understand your question. Could you please explain it in detail?

New Member

Re: VPN access to PIX on DMZ

Our PIX has 3 interfaces, inside, outside, dmz

interface Ethernet0

nameif outside

security-level 0

ip address 10.20.0.10 255.255.255.192

ospf cost 10

!

interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.252

ospf cost 10

!

interface Ethernet2

nameif dmz

security-level 4

ip address 192.168.2.1 255.255.255.0

ospf cost 10

We are doing static NAT for some server and have an IPSEC VPN configured on the PIX. Beyond the PIX, there is a secondary NAT done on a router to map the 10.20.XX to Internet accessible IP's.   Users from the outside network connect to the Internet IP address, which translated to the 10.20.0.10 and are able to authenticate and establish the tunnel fine.
On the DMZ, we have users connected (via WIFI).  They are not able to DNS lookup the public IP of the PIX, just the outside one 10.20.0.10.  When they attempt to connect to this IP, it fails.  If they instead connect to the external public IP, it works. 
I also tried attempting to use the DMZ IP, 192.168.2.1 as the VPN endpoint but it doesn't work either. 
The outside interface seems to have a  NAT for the vpn network
nat (outside) 1 vpn-net 255.255.255.0
whereas no other interface does.
In terms of the VPN crypto map, I do see
crypto map CS interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable dmz
For tunnel-group I see
tunnel-group CS general-attributes
address-pool vpn
authentication-server-group (outside) partnerauth
authentication-server-group (dmz) partnerauth

Re: VPN access to PIX on DMZ

If you would like the VPN for DMZ user to terminated on dmz interface, you need apply the related crypto map to dmz interface like what you did on outside interface. You DMZ user must be able to reach dmz interface IP "192.168.2.1". I am not sure how your DMZ user is connected to your network.

400
Views
0
Helpful
3
Replies
CreatePlease login to create content