https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690252#M1029574 <HTML><HEAD></HEAD><BODY><P>I thought my static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0 was doing the same thing?</P></BODY></HTML> Mon, 08 Jan 2007 20:27:02 GMT boshardy1 2007-01-08T20:27:02Z https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690245#M1029561 <P>I am trying to get allow access from a Cisco VPN client into our DMZ (consultant needs to be able to remote in). I thought I had the config right but its still not working. Here is the pertinent config from my pix: The vpn segment is 192.168.9.X</P><P></P><P>access-list DMZ_access_in extended permit ip host 172.28.2.196 host 172.17.0.17 </P><P>access-list DMZ_access_in extended permit ip host 172.28.2.196 host 172.17.0.16 </P><P>access-list DMZ_access_in extended permit icmp host 172.28.2.196 Ethernet 255.255.0.0 </P><P>access-list DMZ_access_in extended permit icmp host 172.28.2.196 192.168.9.0</P><P>access-list DMZ_access_in deny ip any 172.17.0.0 255.255.0.0</P><P>access-list DMZ_access_in permit ip host 172.28.2.196 192.168.9.0 255.255.255.0</P><P></P><P>static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0 </P><P>static (inside,DMZ) Ethernet Ethernet netmask 255.255.0.0 </P><P></P><P>nat (DMZ) 1 0 0 </P><P>global (outside) 1 interface</P><P></P><P>static (DMZ,outside) tcp 12.XX.44.237 ftp 172.28.2.195 ftp netmask 255.255.255.255 </P><P>static (DMZ,outside) tcp 12.XX.44.237 www 172.28.2.196 www netmask 255.255.255.255 </P><P>static (DMZ,outside) tcp 12.XX.44.237 https 172.28.2.196 https netmask 255.255.255.255 </P> Mon, 11 Mar 2019 09:16:19 GMT https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690245#M1029561 boshardy1 2019-03-11T09:16:19Z https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690246#M1029563 <HTML><HEAD></HEAD><BODY><P>If you want the VPN users to connect to DMZ you need to allow access on the inside interface, i.e.:</P><P></P><P>access-list inside_access_in permit ip 192.168.9.0 255.255.255.0 host 172.28.2.196</P><P></P><P>Everything else seems to be fine.</P><P></P><P>Please rate if this helped.</P><P></P><P>Regards,</P><P>Daniel</P></BODY></HTML> Sun, 07 Jan 2007 19:55:29 GMT https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690246#M1029563 5220 2007-01-07T19:55:29Z https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690247#M1029565 <HTML><HEAD></HEAD><BODY><P>Hi .. I think you are a bit confused here <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ..</P><P></P><P>Basically the only thing you need to make sure is that the interesting traffic for IPsec also allows access to the DMZ segment. Traffic to and from the DMZ towards the VPN segment needs to bypass NAT so that they can see each other with its real IP addresses.</P><P></P><P>If you post your config .. without passwords .. You should be able to get help right away ..</P><P></P><P>I hope it helps .. please rate it if it does !!</P><P></P><P></P><P></P><P></P></BODY></HTML> Mon, 08 Jan 2007 04:16:29 GMT https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690247#M1029565 Fernando_Meza 2007-01-08T04:16:29Z https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690248#M1029566 <HTML><HEAD></HEAD><BODY><P>Here is config</P><P></P><P></P><P></P><P> </P><P></P></BODY></HTML> Mon, 08 Jan 2007 14:19:03 GMT https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690248#M1029566 boshardy1 2007-01-08T14:19:03Z https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690249#M1029568 <HTML><HEAD></HEAD><BODY><P>Fernando is right. I looked at the config and there is no acl present that will bypass nat from vpn-pool to dmz-network. It should be in this acl.</P><P></P><P>access-list inside_nat0_outbound extended permit ip any 192.168.9.100 255.255.255.252 </P><P>access-list inside_nat0_outbound extended permit ip object-group Vision_VPN_Servers_Allowed 192.168.9.0 255.255.255.128 </P><P>access-list inside_nat0_outbound extended permit ip host 12.34.44.227 host GE_FTPServer </P><P>access-list inside_nat0_outbound extended permit ip host 12.34.44.227 object-group Schneider_FTP_Servers </P><P>access-list inside_nat0_outbound extended permit ip Ethernet 255.255.0.0 192.168.9.0 255.255.255.0 </P></BODY></HTML> Mon, 08 Jan 2007 19:18:44 GMT https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690249#M1029568 froggy3132000 2007-01-08T19:18:44Z https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690250#M1029570 <HTML><HEAD></HEAD><BODY><P>I thought my static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0 was doing the same thing?</P></BODY></HTML> Mon, 08 Jan 2007 19:55:21 GMT https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690250#M1029570 boshardy1 2007-01-08T19:55:21Z https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690251#M1029572 <HTML><HEAD></HEAD><BODY><P>That is not defined what should not be encrypted. Your acl for your encryption domain must specify the interesting networks being accessed. In your case your dmz network. That static is will never process if your encryption domain is not specified correctly.</P></BODY></HTML> Mon, 08 Jan 2007 20:18:07 GMT https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690251#M1029572 froggy3132000 2007-01-08T20:18:07Z https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690252#M1029574 <HTML><HEAD></HEAD><BODY><P>I thought my static (inside,DMZ) 192.168.9.0 192.168.9.0 netmask 255.255.255.0 was doing the same thing?</P></BODY></HTML> Mon, 08 Jan 2007 20:27:02 GMT https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690252#M1029574 boshardy1 2007-01-08T20:27:02Z https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690253#M1029578 <HTML><HEAD></HEAD><BODY><P>access-list inside_nat0_outbound extended permit ip <DMZ-NETWORK> 192.168.9.0 255.255.255.128</DMZ-NETWORK></P><P></P><P>That is not defining what should be encrypted or not. Your acl for your encryption domain must specify the interesting networks being accessed. In your case your dmz network. That static will never process if your encryption domain is not specified correctly.</P></BODY></HTML> Mon, 08 Jan 2007 21:27:27 GMT https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690253#M1029578 froggy3132000 2007-01-08T21:27:27Z https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690254#M1029579 <HTML><HEAD></HEAD><BODY><P>hi .. The VPN tunnel terminates at the outside interface and so that is the interface that the packets are to be routed to when coming back fromn the DMZ ... The IPsec interestesting traffic is OK as it includes all traffic to 192.168.9.0/24 and so I suggest adding a nat 0 </P><P>as below</P><P></P><P></P><P>access-list test extended permit ip any 192.168.9.0 255.255.255.0</P><P>nat (DMZ) 0 access-list test</P><P></P><P>Also are you able to access any internal device at all ..?</P><P>Are you able to successfully establish the tunnel ..?</P><P></P><P></P><P></P><P></P><P></P></BODY></HTML> Mon, 08 Jan 2007 23:30:35 GMT https://community.cisco.com/t5/network-security/dmz-access-from-vpn-client/m-p/690254#M1029579 Fernando_Meza 2007-01-08T23:30:35Z