03-06-2007 01:12 PM - edited 02-21-2020 01:26 AM
Hi.
I have the following problem. I have created a new VPN user on Cisco ACS and allowed him access through a downloadable ACL to a server in our inside network and a server on the DMZ network. He can ping and access the server in our inside network but cannot ping or access the server in the DMZ.
Here is the configuration.
On the PIX:
access-list DMZ-NONAT permit ip 192.168.254.0 255.255.255.0 192.168.252.128 255.255.255.128
ip local pool Users2 192.168.252.193-192.168.252.222
nat (DMZ) 0 access-list DMZ-NONAT
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.64.8.20 xxxx timeout 20
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.64.8.20 xxxx timeout 20
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa accounting match 151 outside RADIUS
aaa accounting match 150 outside TACACS+
vpngroup myVpnGroup address-pool Users2
vpngroup myVpnGroup dns-server 10.64.8.20
vpngroup myVpnGroup split-tunnel nat0_2
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400
Cisco ACS ACL:
permit ip any host 10.64.8.166 - server on the inside network
permit ip any host 192.168.254.166 - server on the DMZ network
permit icmp any host 10.64.8.166
permit icmp any host 192.168.254.166
deny ip any any
Any advice?
03-06-2007 01:24 PM
Do you have the subnet 192.168.254.0 in the split tunnel ACL ?
HTH,
-Kanishka
03-06-2007 01:33 PM
Part of the nat0_2 ACL:
access-list nat0_2 permit ip 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0
I'm rather new to the PIX configuration so any advice will be useful.
03-06-2007 01:53 PM
Do you have any Access group applied on the DMZ interface ?
-Kanishka
03-06-2007 02:21 PM
Found this in the DMZ ACL:
access-list DMZ_access_in6 deny icmp 192.168.254.0 255.255.255.0 192.168.252.0 255.255.255.0
That explains why there isn't any ping and that I'll have to read the large PIX ACL configuration I inherited even more carefully. Thanks for the direction.
Anything in there you see that could cause any other problem?
BTW I'll add 2 more lines to the downloadable ACL that will permit the user to access the servers using Remote Desktop.
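As an added illustration (not part of the thread), here is a small Python evaluator for PIX-style ACL entries that traces the VPN user's ping through the two ACLs quoted above: the ACS downloadable ACL on the way in, and the DMZ interface's inbound ACL on the way back. The source address 192.168.252.193 is an assumed address from the Users2 pool; the DMZ_access_in6 list is reduced to the single line quoted in the post.

```python
# Added example, not from the thread: first-match evaluation of PIX-style
# ACEs (PIX uses subnet masks, not IOS wildcard masks) against one flow.
import ipaddress

# Constructed from the ACLs quoted in the thread.
ACS_DOWNLOADABLE_ACL = [
    "permit ip any host 10.64.8.166",
    "permit ip any host 192.168.254.166",
    "permit icmp any host 10.64.8.166",
    "permit icmp any host 192.168.254.166",
    "deny ip any any",
]
# Only the one line the poster found; the real list is much larger, so the
# implicit deny below is an artifact of this truncated sample for non-ICMP.
DMZ_ACCESS_IN6 = [
    "access-list DMZ_access_in6 deny icmp 192.168.254.0 255.255.255.0 "
    "192.168.252.0 255.255.255.0",
]
VPN_USER = "192.168.252.193"   # assumed address from the Users2 pool
DMZ_SERVER = "192.168.254.166"
INSIDE_SERVER = "10.64.8.166"

def parse_ace(line):
    """Return (action, proto, src_net, dst_net) for one ACE."""
    tok = line.split()
    if tok[0] == "access-list":          # interface-ACL form: access-list NAME ...
        tok = tok[2:]
    action, proto, rest = tok[0], tok[1], tok[2:]
    nets = []
    while rest and len(nets) < 2:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32")); rest = rest[2:]
        else:                            # "addr mask" pair with a subnet mask
            nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}")); rest = rest[2:]
    return action, proto, nets[0], nets[1]

def evaluate(acl_lines, proto, src, dst):
    """First matching ACE wins; an unmatched flow hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        action, p, s_net, d_net = parse_ace(line)
        if p in ("ip", proto) and src in s_net and dst in d_net:
            return action, line
    return "deny", "implicit deny"

def trace_ping(target):
    """Verdict for the echo request (downloadable ACL) and, for the DMZ
    server, for the echo reply entering the DMZ interface."""
    request = evaluate(ACS_DOWNLOADABLE_ACL, "icmp", VPN_USER, target)[0]
    reply = evaluate(DMZ_ACCESS_IN6, "icmp", target, VPN_USER)[0] \
        if target == DMZ_SERVER else "n/a"
    return request, reply
```

Running `trace_ping(DMZ_SERVER)` shows the request permitted by the downloadable ACL but the reply denied by DMZ_access_in6, which is exactly the asymmetry the thread uncovered.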
03-07-2007 02:28 AM
Hi,
If the ACLs are in place, I guess you are good to go.
*Please rate if the post helped.
-Kanishka
03-08-2007 04:19 AM
Everything works fine now. I added the extra lines in the ACS ACL and didn't have any additional problems.
Thanks for your help Kanishka.