Pix with 4 interfaces

naive.naive
Level 1

Hi,

Need help on this as I'm a newbie with PIX.

Have gone through the doc but still cannot get what I want.

Lets say,

Inside Interface : Internal Network

Outside Interface : Public Network

DMZ Interface : DMZ servers

VPN Interface : connected to VPN Concentrator

Desired results:

1) All the inside are able to access outside

2) Outside users can access the DMZ

3) Outside users can VPN. (PIX have to bypass the IPSec tunnel to the VPN box)

But still cannot get what I wanted...

Please help.

10 Replies

tvanginneken
Level 4

Hi,

did you already have a look at this url:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

It shows all kinds of configuration examples.

Hope this helps?

Kind Regards,

Tom

Already did... but still cannot get what I wanted, especially on the access list that I've to build in order for the access...

What kind of access do you need (smtp, http, ...) from where to where (inside, dmz, ...)? Is it possible to post the access-list you already have?

Kind Regards,

Tom

I'll have a stab at it, I think your config will be along the lines of:

Allow internal users to access internet using PAT to the public address assigned to the outside interface

----

# global (outside) 1 interface

# nat (inside) 1 0 0

To permit HTTP traffic to a host on the DMZ from the outside:

----

# static (dmz,outside) netmask 255.255.255.255

# access-list outside_in permit tcp any host eq http

# access-group outside_in in interface outside

To permit IPSEC to VPN Gateway on DMZ:

----

# sysopt connection permit-ipsec

# static (dmz,outside) netmask 255.255.255.255

To permit outbound VPN connections

----

# global (outside) 2

# nat (dmz) 255.255.255.255

The "sysopt connection permit-ipsec" command will allow all packets from an IPSEC tunnel to bypass ACL checking so you don't need to build an access list for this.

I'm sure you'll be permitting other ports to your DMZ, these can be added to the access-list outside_in.

HTH

PJD

Hi,

I have a few remarks :-)

° sysopt connection permit-ipsec

This only works if the vpn tunnel is TO the PIX (so the pix is the vpn gateway) and not THROUGH the pix (in your case).

So you need to add access-list entries to the outside-in access-list to allow the VPN traffic (udp/500 for IKE, ESP or UDP encapsulation for encrypted data) from the outside to the DMZ.

° static (dmz,outside) netmask 255.255.255.255

This works in both directions, so you don't need:

global (outside) 2

nat (dmz) 255.255.255.255

Kind Regards,

Tom

Hi Tom,

Thanks for the remarks :)

Are you sure about the sysopt comment? I thought it would allow IPSEC pass-through as well.

Have a look here:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a00801aed85.html#1034087

Thanks

Paddy

Hi Paddy,

I am quite sure.

Somewhere in the link you posted, you will find this:

"To enable IPSec authenticated/cipher inbound sessions to always be permitted, use the sysopt connection permit-ipsec command."

The PIX can only be sure that the session is authenticated if the PIX is also the endpoint of the VPN tunnel.

If it is still not working, you should consider enabling logging to see what packets are denied. More info on how to set up syslogging can be found here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094030.shtml

Hope this helps?

Kind Regards,

Tom

Thanks Tom,

It's confusing because the link also says:

Note If the sysopt connection permit-ipsec command is not configured, you must explicitly configure an access-list command statement to permit IPSec traffic to traverse the PIX Firewall.

I can't really test it as i don't have a PIX at the mo :(

Thanks

Paddy

Hi,

In order for the VPN traffic to bypass, which one should I use?

Should I create a static NAT to the VPN box, and then create an access list to permit the VPN traffic?

Thanks.

I think Tom is correct; I've done some more reading on the sysopt command. However, if you can, I would still try using it out of curiosity.

Other than that you need to have access-lists as:

For AH

---

PIX1(config)# access-list outside_access_in permit 51 any host

For ESP

---

PIX1(config)# access-list outside_access_in permit 50 any

For both ESP and AH (IKE)

PIX1(config)# access-list outside_access_in permit udp host eq 500

HTH

PJD
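Pulling the thread together as one added example (this is not a configuration posted by anyone in the thread and not a Cisco-supplied example): a PIX 6.x-style configuration for the four-interface layout in the original question, with the VPN concentrator on its own "vpn" interface rather than on the DMZ as in the earlier replies. The interface names, security levels and every address (RFC 5737 / RFC 1918 ranges) are constructed placeholders; substitute your own. Because the IPsec tunnel terminates on the concentrator and only passes through the PIX, `sysopt connection permit-ipsec` does not apply to it and the outside ACL has to permit the tunnel traffic explicitly. For the protocol numbers: IP protocol 50 is ESP, 51 is AH, UDP/500 is IKE and UDP/4500 is NAT-T (UDP-encapsulated ESP). Lines beginning with `!` are annotations for the reader, not commands.

```text
! Added example, not from the thread. PIX 6.x syntax; all names and
! addresses are constructed placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 vpn security25
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip address vpn 192.168.3.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! 1) inside -> outside: PAT every inside host to the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! 2) outside -> DMZ web server: one-to-one static translation plus an ACL
!    entry. The static alone only creates the translation; the ACL is what
!    lets the lower-security outside interface initiate the connection.
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq 80

! 3) outside -> VPN concentrator: the tunnel terminates on the concentrator,
!    so sysopt connection permit-ipsec does NOT cover it. Translate the
!    concentrator to a public address and permit IKE, NAT-T, ESP and AH
!    to that address only (not "any" as destination).
static (vpn,outside) 203.0.113.20 192.168.3.10 netmask 255.255.255.255
access-list outside_in permit udp any host 203.0.113.20 eq 500
access-list outside_in permit udp any host 203.0.113.20 eq 4500
access-list outside_in permit 50 any host 203.0.113.20
access-list outside_in permit 51 any host 203.0.113.20

! Bind the ACL inbound on the outside interface. Everything not listed
! (including inbound traffic to the inside network) is dropped by the
! implicit deny at the end of the list.
access-group outside_in in interface outside

! Denied packets are what you want to see while testing (Tom's point
! above): send syslog to a collector and watch for the ACL denies.
logging on
logging trap informational
logging host inside 192.168.1.50
```

The same static translations serve both directions, so no separate `global`/`nat` pair is needed for the DMZ or the VPN interface to reach the outside. After applying, `show access-list outside_in` shows per-entry hit counts, which is the quickest way to confirm that the IKE and ESP entries are actually being matched when a remote peer connects.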
