Core issue
The VPN Client can communicate with inside hosts but not with hosts on the Demilitarized Zone (DMZ). Network Address Translation (NAT) is exempted on the inside interface but not on the DMZ interface, so traffic between DMZ hosts and the VPN client address pool is still translated; NAT needs to be disabled (exempted) on the DMZ interface for that traffic.
Resolution
Add a NAT exemption (nat 0, commonly called "nonat") for the DMZ interface that matches traffic from the DMZ subnet to the VPN client pool. For example, assume this configuration:
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpn_pool 192.168.1.1-192.168.1.254
access-list split_tunnel permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list split_tunnel
Enter these commands:
- access-list split_tunnel permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
- nat (dmz) 0 access-list split_tunnel
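A quick way to catch this misconfiguration before a client reports it is to audit the running config for interfaces whose subnet has no nat 0 exemption toward the VPN pool. The script below is an added example, not Cisco code; it parses only the four command forms shown on this page (ip address, ip local pool, access-list ... permit ip, nat (if) 0 access-list) and treats a pool as covered when both ends of its range fall inside the ACL destination network. The sample config is constructed from the one above.

```python
import ipaddress

# Constructed sample config, modelled on the page: nat 0 exists only on the
# inside interface, so traffic from the dmz subnet to the VPN pool is still NATed.
CONFIG = """\
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpn_pool 192.168.1.1-192.168.1.254
access-list split_tunnel permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list split_tunnel
"""

# The two lines the resolution tells you to add for the dmz interface.
FIX = """\
access-list split_tunnel permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list split_tunnel
"""

def parse(config):
    """Collect interface subnets, permit-ip ACL entries, nat 0 bindings and VPN pools."""
    ifaces, acls, nat0, pools = {}, {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) == 5:
            ifaces[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"] and len(t) == 5:
            start, end = t[4].split("-")
            pools.append((ipaddress.ip_address(start), ipaddress.ip_address(end)))
        elif t[:1] == ["access-list"] and len(t) == 8 and t[2:4] == ["permit", "ip"]:
            src = ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False)
            dst = ipaddress.ip_network(f"{t[6]}/{t[7]}", strict=False)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"] and len(t) == 5 and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]          # "(inside)" -> "inside"
    return ifaces, acls, nat0, pools

def pool_covered(dst_net, pool):
    """A pool range counts as covered when both of its endpoints lie in dst_net."""
    start, end = pool
    return start in dst_net and end in dst_net

def interfaces_missing_exemption(config):
    """Return interfaces whose subnet has no nat 0 entry exempting traffic to every VPN pool."""
    ifaces, acls, nat0, pools = parse(config)
    missing = []
    for name, net in ifaces.items():
        entries = acls.get(nat0.get(name), [])        # ACL bound by nat (name) 0, if any
        exempt = any(net.subnet_of(src) and all(pool_covered(dst, p) for p in pools)
                     for src, dst in entries)
        if not exempt:
            missing.append(name)
    return missing

if __name__ == "__main__":
    print("missing before fix:", interfaces_missing_exemption(CONFIG))
    print("missing after fix: ", interfaces_missing_exemption(CONFIG + FIX))
```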
To configure and apply split tunneling on PIX/ASA version 7.x, refer to the Split-Tunnel Configuration example.
For more information on configuring the PIX Firewall for VPN Client connectivity, refer to Configuring VPN Client Remote Access.