VPN access to PIX on DMZ

acydgod
Level 4

Hi,

I think I'm doing something fairly obvious but hopefully someone can point it out. 

We have a PIX 515 with an IPsec VPN configured. Connecting to the VPN from the outside interface works fine using the outside interface IP, and connecting to the VPN using the DMZ interface IP is okay.

What we'd like is for DMZ users (who are typically wireless in the building) to use the same DNS name to connect from the DMZ as they would from the outside. When they try to connect to the outside IP, it fails.

Is there some specific ACL or NAT entry required?

Thanks

3 Replies

Yudong Wu
Level 7

I don't understand your question. Could you please explain it in detail?

Our PIX has 3 interfaces: inside, outside, dmz

interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.20.0.10 255.255.255.192
 ospf cost 10
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252
 ospf cost 10
!
interface Ethernet2
 nameif dmz
 security-level 4
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10

We are doing static NAT for some servers and have an IPsec VPN configured on the PIX. Beyond the PIX, there is a secondary NAT done on a router to map the 10.20.XX addresses to Internet-accessible IPs. Users from the outside network connect to the Internet IP address, which is translated to 10.20.0.10, and are able to authenticate and establish the tunnel fine.

On the DMZ, we have users connected (via WiFi). They are not able to DNS lookup the public IP of the PIX, just the outside one, 10.20.0.10. When they attempt to connect to this IP, it fails. If they instead connect to the external public IP, it works.

I also tried using the DMZ IP, 192.168.2.1, as the VPN endpoint, but it doesn't work either.

The outside interface seems to have a NAT for the VPN network:

nat (outside) 1 vpn-net 255.255.255.0

whereas no other interface does.

In terms of the VPN crypto map, I do see:

crypto map CS interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable dmz

For the tunnel-group I see:

tunnel-group CS general-attributes
 address-pool vpn
 authentication-server-group (outside) partnerauth
 authentication-server-group (dmz) partnerauth

If you would like the VPN for DMZ users to terminate on the dmz interface, you need to apply the related crypto map to the dmz interface, as you did on the outside interface. Your DMZ users must be able to reach the dmz interface IP "192.168.2.1". I am not sure how your DMZ users are connected to your network.
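As an added example (not code from the thread or from Cisco), a small Python audit that parses PIX/ASA-style config text and reports interfaces where "crypto isakmp enable" is set but no "crypto map ... interface" binding exists, which is the outside/dmz mismatch the reply above points at. The sample config is constructed from the fragments posted in this thread; the function and regex names are my own.

```python
"""Audit a PIX/ASA config for interfaces that accept IKE negotiations
(crypto isakmp enable <if>) but have no crypto map bound, so tunnels
cannot actually terminate there."""
import re
from typing import Dict, List

# Constructed sample, assembled from the fragments posted in this thread.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.20.0.10 255.255.255.192
interface Ethernet2
 nameif dmz
 security-level 4
 ip address 192.168.2.1 255.255.255.0
crypto map CS interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable dmz
"""

ISAKMP_RE = re.compile(r"^crypto isakmp enable (\S+)\s*$", re.M)
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) interface (\S+)\s*$", re.M)


def crypto_map_bindings(config: str) -> Dict[str, str]:
    """Return {interface nameif: crypto map name} for every bound map."""
    return {iface: name for name, iface in CRYPTO_MAP_RE.findall(config)}


def isakmp_interfaces(config: str) -> List[str]:
    """Interfaces on which ISAKMP/IKE is enabled, in config order."""
    return ISAKMP_RE.findall(config)


def unterminated_isakmp_interfaces(config: str) -> List[str]:
    """ISAKMP-enabled interfaces with no crypto map: IKE will answer
    there, but no IPsec policy exists to build the tunnel."""
    bound = crypto_map_bindings(config)
    return [i for i in isakmp_interfaces(config) if i not in bound]


def suggested_fix(config: str) -> List[str]:
    """Lines that bind the already-used crypto map to each unterminated
    interface, as the reply advises. Assumes one crypto map is in use;
    returns [] when no map is bound anywhere (nothing to reuse)."""
    bound = crypto_map_bindings(config)
    if not bound:
        return []
    name = next(iter(bound.values()))
    return [f"crypto map {name} interface {i}"
            for i in unterminated_isakmp_interfaces(config)]
```

Run against the sample it reports "dmz" as enabled for ISAKMP but unterminated and suggests "crypto map CS interface dmz"; it does not address DMZ clients reaching the outside interface address, which is the separate routing/NAT question in the original post.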