07-18-2002 08:17 AM - edited 03-08-2019 11:37 PM
I have a PIX 515 with three network interfaces (outside, inside and dmz). Also the remote users use VPN Client 3.5 to get to the inside network and internet. Split Tunnel is configured and is working. The VPN client can get to the Inside network fine, use VNC and other applications but cannot use any service on the Dmz network except ping. Meaning cannot open the web server on the Dmz but can ping it. Cannot use VNC etc to the DMZ but can use it to the Inside. Is my configuration missing something or can the PIX only split traffic to inside and internet?
07-18-2002 09:56 AM
I got the fix. The access-list name or number used for VPN from the Client to the inside and dmz must be different. Also the access-list applied to the VPN group for Split-Tunnel must be the same as the inside one. Example below:
access-list 150 permit ip "inside network" "vpn client pool"
access-list 160 permit ip "dmz network" "vpn client pool"
nat (inside) 0 access-list 150
nat (dmz) 0 access-list 160
vpngroup "name" split-tunnel 150
07-22-2002 10:54 AM
The above solution is not the fix. I can ping the host on the DMZ but I cannot establish any tcp or udp connection. I thought I got the fix but I am wrong. I need urgent input. S.O.S.
07-22-2002 06:25 PM
Actually, you are very close to finding the fix:
combine 150 and 160 into one access-list and apply it to the inside and dmz interfaces as well as to the split-tunnel access-list.
The fix is as below:
access-list 150 permit ip "inside network" "vpn client pool"
access-list 150 permit ip "dmz network" "vpn client pool"
nat (inside) 0 access-list 150
nat (dmz) 0 access-list 150
vpngroup "name" split-tunnel 150
Best Regards,
07-23-2002 04:14 AM
This is the configuration I had. I can ping the host IP on the DMZ but I cannot open any TCP/UDP session like WWW, VNC or TFTP. I can do this with a host on the INSIDE. The only service from the VPN Client to the DMZ is ICMP Ping.
07-23-2002 08:13 PM
Would you kindly check the access-list applied to the DMZ interface?
If you can ping the host in the DMZ, that means something blocks the traffic on the DMZ interface.
If you like, you can upload the PIX config and we will have a check for you.
Best Regards,
07-24-2002 05:14 AM
Thanks. Below is the config. I think the problem has to do with "Asymmetric Routing", which is not supported on the PIX. When the Clients initiate a VPN connection the Client is virtually put on the Inside network, so when the PIX Firewall detects the same connection arriving on a perimeter interface, the PIX Firewall has more than one path to a destination. The PIX thinks an attacker is attempting to append packets from one connection to another as a way to break into the PIX Firewall and drops the connection.
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol domain 53
names
access-list 101 permit ip 1.1.2.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 permit ip 1.1.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list acl_inbound permit tcp any host 64.8.42.101 eq www
access-list acl_inbound permit udp any host 64.8.42.98 eq tftp
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 64.8.42.100 255.255.255.240
ip address inside 1.1.2.100 255.255.255.0
ip address dmz 1.1.1.100 255.255.255.0
ip local pool remote 172.16.2.1-172.16.2.254
global (outside) 2 64.8.42.109
nat (inside) 0 access-list 101
nat (inside) 2 1.1.2.0 255.255.255.0 0 0
nat (dmz) 0 access-list 101
static (inside,dmz) 1.1.2.0 1.1.2.0 netmask 255.255.255.0 0 0
static (dmz,outside) 64.8.42.98 1.1.1.98 netmask 255.255.255.255 0 0
static (dmz,outside) 64.8.42.101 1.1.1.101 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 64.8.42.97 1
crypto ipsec transform-set remoteset esp-des esp-md5-hmac
crypto dynamic-map remote 2 set transform-set remoteset
crypto map mymap 2 ipsec-isakmp dynamic remote
crypto map mymap client configuration address initiate
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local remote outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup xxx address-pool remote
vpngroup xxx dns-server
vpngroup xxx wins-server
vpngroup xxx default-domain
vpngroup xxx split-tunnel 101
vpngroup xxx idle-time 2100
vpngroup xxx password ********
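The thread's advice boils down to one consistency rule: the access-list named in `vpngroup ... split-tunnel` should be the same one used by `nat (interface) 0 access-list` on every interface the clients need to reach, and that ACL needs a `permit ip <interface network> <vpn pool>` line for each of them. The small Python linter below is an added example, not part of the thread or of any Cisco tool; it parses the relevant PIX 6.x lines and reports where that rule is broken. The two sample configs are constructed from the thread: one mirrors the first attempt (ACL 150 on inside, 160 on dmz, split-tunnel 150) using the networks from the posted config, the other mirrors the posted config itself. The function names and the finding messages are my own.

```python
import ipaddress

# Constructed sample: the first attempt from the thread, with the networks
# taken from the config posted later (inside 1.1.2.0/24, dmz 1.1.1.0/24).
FIRST_ATTEMPT = """
ip address inside 1.1.2.100 255.255.255.0
ip address dmz 1.1.1.100 255.255.255.0
ip local pool remote 172.16.2.1-172.16.2.254
access-list 150 permit ip 1.1.2.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 160 permit ip 1.1.1.0 255.255.255.0 172.16.2.0 255.255.255.0
nat (inside) 0 access-list 150
nat (dmz) 0 access-list 160
vpngroup xxx address-pool remote
vpngroup xxx split-tunnel 150
"""

# Constructed sample: the relevant lines of the config posted in the thread.
POSTED_CONFIG = """
ip address outside 64.8.42.100 255.255.255.240
ip address inside 1.1.2.100 255.255.255.0
ip address dmz 1.1.1.100 255.255.255.0
ip local pool remote 172.16.2.1-172.16.2.254
access-list 101 permit ip 1.1.2.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 permit ip 1.1.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list acl_inbound permit tcp any host 64.8.42.101 eq www
nat (inside) 0 access-list 101
nat (inside) 2 1.1.2.0 255.255.255.0 0 0
nat (dmz) 0 access-list 101
vpngroup xxx address-pool remote
vpngroup xxx split-tunnel 101
"""


def parse_pix_config(text):
    """Pull out pools, interface addresses, nat 0 ACLs, vpngroup settings
    and 'permit ip' ACL entries. Everything else is ignored."""
    cfg = {"pools": {}, "ifaces": {}, "nat0": {}, "groups": {}, "acls": {}}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        line = " ".join(parts)
        if line.startswith("ip local pool ") and len(parts) >= 5:
            lo, hi = parts[4].split("-")
            cfg["pools"][parts[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif line.startswith("ip address ") and len(parts) >= 5:
            cfg["ifaces"][parts[2]] = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
        elif line.startswith("nat (") and len(parts) >= 5 and parts[2] == "0" and parts[3] == "access-list":
            cfg["nat0"][parts[1].strip("()")] = parts[4]
        elif line.startswith("vpngroup ") and len(parts) >= 4:
            cfg["groups"].setdefault(parts[1], {})[parts[2]] = parts[3]
        elif line.startswith("access-list ") and len(parts) >= 8 and parts[2:4] == ["permit", "ip"]:
            src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
            dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}", strict=False)
            cfg["acls"].setdefault(parts[1], []).append((src, dst))
    return cfg


def check_split_tunnel(cfg, group):
    """Return a list of findings; an empty list means the split-tunnel ACL,
    the nat 0 ACLs and the pool coverage are consistent."""
    g = cfg["groups"].get(group, {})
    split_acl = g.get("split-tunnel")
    pool = cfg["pools"].get(g.get("address-pool"))
    if split_acl is None or pool is None:
        return [f"vpngroup {group}: split-tunnel ACL or address pool not configured"]
    lo, hi = pool
    findings = []
    for iface, nat_acl in cfg["nat0"].items():
        if nat_acl != split_acl:
            findings.append(f"{iface}: nat 0 uses ACL {nat_acl} but split-tunnel uses {split_acl}")
        net = cfg["ifaces"].get(iface)
        # The ACL must exempt <interface network> -> <whole pool range> from NAT.
        covered = any(
            net is not None and net.subnet_of(src) and lo in dst and hi in dst
            for src, dst in cfg["acls"].get(nat_acl, [])
        )
        if not covered:
            findings.append(f"{iface}: ACL {nat_acl} has no 'permit ip <{iface} network> <vpn pool>' entry")
    return findings


if __name__ == "__main__":
    for label, text in (("first attempt", FIRST_ATTEMPT), ("posted config", POSTED_CONFIG)):
        print(label, "->", check_split_tunnel(parse_pix_config(text), "xxx") or ["consistent"])
```

Run against the first attempt it reports that the dmz nat 0 ACL (160) differs from the split-tunnel ACL (150); against the posted config it reports nothing, which matches the thread: the nat 0 / split-tunnel relationship there is already consistent, so the remaining ping-works-but-TCP-fails symptom has to be looked for elsewhere (the poster's asymmetric-routing theory, or whatever filters traffic on the DMZ side).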