441 Views | 0 Helpful | 4 Replies

Client Vpn access to DMZ hosts

mlawson (Level 1)

I am having an issue where my clients who establish a VPN connection with a PIX 515 cannot access the hosts on the DMZ. The VPN clients can access the hosts on the inside network without any problem. I have discovered that when I do a traceroute from a client machine that has established a VPN connection to a host on the DMZ, it tries to go through the computer's default gateway instead of the Cisco client. Any ideas?

More Information:

When a client connects with the PIX via VPN it is handed the internal DNS servers, and on the internal DNS server we have a host entry that says "www.whatever.com" 2.2.2.2 (this is the DMZ host). The clients on the inside of the network can access this host without problems; it is just the clients that establish a VPN connection. But the VPN clients can access "www.whatever.com" by using its public IP address. The problem is, if we remove the host entry on the DNS server so that the name "www.whatever.com" resolves to the public IP, the inside clients will not be able to access the DMZ host. Names and IP numbers are not the real ones; I am just using those as an example.

Any help would be appreciated. Thanks

Accepted Solution

gfullage (Cisco Employee)

You'll currently have something like this in your config:

access-list nonat permit ip

nat (inside) 0 access-list nonat

This tells the PIX not to NAT any traffic coming from the inside interface that is to go to a VPN client. You need the same thing but for the DMZ interface, so add the following:

access-list nonat permit ip

nat (dmz) 0 access-list nonat

That should get you going.


4 Replies


I just did what you said.

I have the same ACL for inside and DMZ.

If I use PDM on the PIX, it says it can't parse my config because of the same ACL for these 2 nat 0 statements.

So I must create 2 different ACLs, one for each interface.

OK, so change it to be a different ACL with the following:

access-list nonatdmz permit ip

nat (dmz) 0 access-list nonatdmz

and PDM should be happy.

Thank you. I added the and the nat and all is working.
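The two points gfullage makes above (every interface whose hosts VPN clients must reach needs its own nat 0 exemption toward the VPN pool, and PDM will not accept one ACL name bound to two nat 0 statements) can be checked mechanically before a config is pushed. The script below is an added example and is not from this thread, from Cisco, or from PDM: it parses PIX 6.x-style `ip address`, `access-list ... permit ip` and `nat (iface) 0 access-list` lines and reports interfaces with no exemption and ACL names reused across nat 0 bindings. The subnets (inside 10.1.1.0/24, DMZ 192.168.10.0/24, VPN pool 10.99.0.0/24) and the three sample configs are constructed for illustration; the original post did not give its addresses.

```python
import ipaddress
import re

# Constructed sample PIX 6.x-style configs covering the three situations in
# the thread. The subnets are made up for this example, not from the post.
BROKEN_CONFIG = """\
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
ip local pool vpnpool 10.99.0.1-10.99.0.254
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
"""

# One ACL name bound to both nat 0 statements: the CLI accepts it, PDM does not.
SHARED_ACL_CONFIG = BROKEN_CONFIG + """\
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (dmz) 0 access-list nonat
"""

# The final recommendation in the thread: a separate ACL for the DMZ binding.
FIXED_CONFIG = BROKEN_CONFIG + """\
access-list nonatdmz permit ip 192.168.10.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (dmz) 0 access-list nonatdmz
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
IFADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")


def parse_config(text):
    """Collect interface subnets, nat 0 ACL bindings and ip-permit ACL entries.

    Only the line shapes used in the thread are understood (assumption for
    this example); anything else is ignored.
    """
    ifaces, nat0, acls = {}, {}, {}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace so the regexes stay simple
        if m := IFADDR_RE.match(line):
            name, ip, mask = m.groups()
            ifaces[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif m := NAT0_RE.match(line):
            iface, acl = m.groups()
            nat0.setdefault(iface, []).append(acl)
        elif m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return ifaces, nat0, acls


def audit_nat_exemption(text, vpn_pool):
    """Report interfaces lacking a nat 0 exemption to the VPN pool and ACLs
    shared by more than one nat 0 statement (the PDM parse problem)."""
    pool = ipaddress.ip_network(vpn_pool)
    ifaces, nat0, acls = parse_config(text)

    missing = []
    for iface, net in sorted(ifaces.items()):
        # An interface is exempt if some ACL bound to it by nat 0 has an entry
        # whose source covers the interface subnet and whose destination
        # covers the VPN address pool.
        exempt = any(net.subnet_of(src) and pool.subnet_of(dst)
                     for acl in nat0.get(iface, [])
                     for src, dst in acls.get(acl, []))
        if not exempt:
            missing.append(iface)

    users = {}
    for iface, names in nat0.items():
        for name in names:
            users.setdefault(name, []).append(iface)
    shared = sorted(name for name, bound in users.items() if len(bound) > 1)
    return {"missing_nat0": missing, "shared_acls": shared}


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG),
                       ("shared acl", SHARED_ACL_CONFIG),
                       ("fixed", FIXED_CONFIG)):
        print(label, audit_nat_exemption(cfg, "10.99.0.0/24"))
```

Run against the three constructed configs it reports `dmz` as missing an exemption for the first, `nonat` as a shared ACL for the second, and nothing for the third. The VPN pool is passed as a CIDR covering the `ip local pool` range, since the ACL entries in the thread are written against a subnet, not an address range.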