https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709651#M1054308 <HTML><HEAD></HEAD><BODY><P>Everything works fine now.I added extra lines in the ACS ACL and didn't have any additional problems.</P><P></P><P>Thanks for your help Kanishka. </P></BODY></HTML> Thu, 08 Mar 2007 12:19:34 GMT IgorHamzic 2007-03-08T12:19:34Z https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709645#M1054292 <P>Hi.</P><P></P><P>I have the following problem.I have created a new VPN user on Cisco ACS and allowed him access through downloadable ACL to a server in our inside network and server on the DMZ network.He can ping and access server in our inside network but cannot ping or access the server in DMZ.</P><P></P><P>Here is the configuration.</P><P></P><P>On the PIX:</P><P></P><P>access-list DMZ-NONAT permit ip 192.168.254.0 255.255.255.0 192.168.252.128 255.255.255.128 </P><P></P><P>ip local pool Users2 192.168.252.193-192.168.252.222</P><P></P><P>nat (DMZ) 0 access-list DMZ-NONAT</P><P></P><P>aaa-server TACACS+ protocol tacacs+ </P><P>aaa-server TACACS+ (inside) host 10.64.8.20 xxxx timeout 20</P><P>aaa-server RADIUS protocol radius </P><P>aaa-server RADIUS (inside) host 10.64.8.20 xxxx timeout 20</P><P>aaa-server LOCAL protocol local </P><P>aaa-server AuthInbound protocol radius </P><P>aaa accounting match 151 outside RADIUS</P><P>aaa accounting match 150 outside TACACS+</P><P></P><P>vpngroup myVpnGroup address-pool Users2</P><P>vpngroup myVpnGroup dns-server 10.64.8.20</P><P>vpngroup myVpnGroup split-tunnel nat0_2</P><P>vpngroup myVpnGroup idle-time 1800</P><P>vpngroup myVpnGroup max-time 86400</P><P></P><P>Cisco ACS ACL:</P><P></P><P>permit ip any host 10.64.8.166 - server on the inside network</P><P>permit ip any host 192.168.254.166 - server on the DMZ network</P><P>permit icmp any host 10.64.8.166</P><P>permit icmp any host 192.168.254.166</P><P>deny ip any any</P><P></P><P>Any advice?</P> Fri, 21 Feb 2020 09:26:10 GMT https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709645#M1054292 IgorHamzic 2020-02-21T09:26:10Z https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709646#M1054295 <HTML><HEAD></HEAD><BODY><P>Do you have the subnet 192.168.254.0 in the split tunnel ACL ?</P><P></P><P>HTH,</P><P></P><P>-Kanishka</P></BODY></HTML> Tue, 06 Mar 2007 21:24:02 GMT https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709646#M1054295 kaachary 2007-03-06T21:24:02Z https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709647#M1054299 <HTML><HEAD></HEAD><BODY><P>Part of the nat0_2 ACL:</P><P></P><P>access-list nat0_2 permit ip 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0 </P><P></P><P>I'm rather new to the PIX configuration so any advice will be useful.</P></BODY></HTML> Tue, 06 Mar 2007 21:33:29 GMT https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709647#M1054299 IgorHamzic 2007-03-06T21:33:29Z https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709648#M1054302 <HTML><HEAD></HEAD><BODY><P>Do you have any Access group applied on the DMZ interface ?</P><P></P><P>-Kanishka</P><P></P><P></P></BODY></HTML> Tue, 06 Mar 2007 21:53:50 GMT https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709648#M1054302 kaachary 2007-03-06T21:53:50Z https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709649#M1054304 <HTML><HEAD></HEAD><BODY><P>Found this in the DMZ ACL:</P><P></P><P>access-list DMZ_access_in6 deny icmp 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0</P><P></P><P>That explains why there isn't any ping and that I'll have to read even more carefully the large PIX ACL configuration I inherited.Thanks for the direction.</P><P></P><P>Anything in there you see that could cause any other problem?</P><P></P><P>BTW I'll add 2 more lines to downloadable ACL that will permit user to access the servers using remote desktop.</P></BODY></HTML> Tue, 06 Mar 2007 22:21:53 GMT https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709649#M1054304 IgorHamzic 2007-03-06T22:21:53Z https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709650#M1054305 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If the ACL's are in place, I guess you are good to go. </P><P></P><P>*Please rate if the post helped.</P><P></P><P>-Kanishka</P></BODY></HTML> Wed, 07 Mar 2007 10:28:38 GMT https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709650#M1054305 kaachary 2007-03-07T10:28:38Z https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709651#M1054308 <HTML><HEAD></HEAD><BODY><P>Everything works fine now.I added extra lines in the ACS ACL and didn't have any additional problems.</P><P></P><P>Thanks for your help Kanishka. </P></BODY></HTML> Thu, 08 Mar 2007 12:19:34 GMT https://community.cisco.com/t5/network-security/vpn-client-cannot-access-server-on-dmz/m-p/709651#M1054308 IgorHamzic 2007-03-08T12:19:34Z