09-28-2005 12:42 AM - edited 02-21-2020 02:00 PM
Hi,
I have a server connecting to the PIX DMZ interface with the IP of 172.17.1.1.
This server is translated to an Inside IP 10.1.1.1 and to an Outside internet routable IP.
When VPN users connect from outside, they want to access the DMZ server via the 10.1.1.1 IP, not the 172 IP.
They are able to connect to any host on the inside but unable to connect to the translated IP.
Has anyone encountered such an issue?
This is the static statement.
static (dmz,inside) 10.1.1.1 172.17.1.1 netmask 255.255.255.255
My Networks
Inside : 10.1.1.0/24
DMZ : 172.17.1.0/24
VPN Pool : 192.168.0.0/24
PIX 7.0
09-28-2005 12:59 AM
It sounds to me like a basic routing or NAT issue. What are the PIX logs indicating as the error?
10-13-2005 01:23 PM
Hey,
I have the same problem. Did you solve it??
Please help.
thx
Laptom
I have a problem like that:
I have two locations.
A - central with PIX:
IP LAN-A= 12.0.0.0/8
WAN IP Internet=11.0.0.2/8
DMZ=13.0.0.0/8, server IP=13.0.0.2/8
B- Remote router 2600:
Location B
IP LAN-B=10.0.0.0/8
IP WAN=11.0.0.1/8
The VPN is working correctly. Hosts from network 10.0.0.0/8 (behind the router) can ping through the VPN to hosts in the inside zone (12.0.0.0/8) behind the PIX.
In the DMZ I have a server 13.0.0.2 and I want hosts (like 10.0.0.0/8) to get access to this server in the DMZ through the VPN, but I can't.
show run:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
access-list VPN permit ip 12.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list ICMP permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 11.0.0.2 255.0.0.0
ip address inside 12.0.0.1 255.0.0.0
ip address dmz 13.0.0.1 255.0.0.0
global (outside) 1 interface
global (inside) 22 12.0.0.15-12.0.0.30 netmask 255.0.0.0
global (dmz) 1 13.0.0.10-13.0.0.20 netmask 255.0.0.0
nat (inside) 0 access-list VPN
nat (inside) 1 12.0.0.0 255.0.0.0 0 0
nat (dmz) 2 13.0.0.0 255.0.0.0 0 0
static (dmz,inside) 12.0.0.10 13.0.0.2 netmask 255.255.255.255 0 0
access-group ICMP in interface dmz
route outside 0.0.0.0 0.0.0.0 11.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set SET ah-md5-hmac esp-des
crypto ipsec transform-set SZYFROWANIE ah-md5-hmac esp-des
crypto map MAPA 100 ipsec-isakmp
crypto map MAPA 100 match address VPN
crypto map MAPA 100 set peer 11.0.0.1
crypto map MAPA 100 set transform-set SET
crypto map MAPA interface outside
isakmp enable outside
isakmp key ******** address 11.0.0.1 netmask 255.255.255.255
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 10000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
10-13-2005 05:08 PM
static (dmz,inside) 10.1.1.1 172.17.1.1 netmask 255.255.255.255
As the command suggests, the translation is between the dmz and the inside interfaces. It only works when the packet originates from the inside, not from the VPN client on the outside.
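One configuration that follows from this point, added here as an example and not taken from either poster's running config: give the DMZ host a second, policy-based static toward the outside interface, so that the VPN pool (which arrives decapsulated on outside) sees it as 10.1.1.1. Addresses are the first poster's (inside 10.1.1.0/24, DMZ 172.17.1.0/24, VPN pool 192.168.0.0/24); the ACL name VPN_TO_DMZ is an assumption, the syntax is PIX 7.0 (drop the `extended` keyword on 6.3), and it has not been tested against either poster's setup.

```cisco
! Added example, not from the original posts. PIX 7.0 syntax; names are assumed.
!
! Existing static: the DMZ server is reachable from the inside as 10.1.1.1.
! This xlate is only consulted for traffic between the dmz and inside interfaces.
static (dmz,inside) 10.1.1.1 172.17.1.1 netmask 255.255.255.255
!
! VPN clients arrive on the outside interface, so a dmz<->outside translation
! is needed as well. A plain "static (dmz,outside)" for 172.17.1.1 would clash
! with the server's existing public static, so this one is restricted with a
! policy ACL to connections involving the VPN pool only.
access-list VPN_TO_DMZ extended permit ip host 172.17.1.1 192.168.0.0 255.255.255.0
static (dmz,outside) 10.1.1.1 access-list VPN_TO_DMZ
!
! Verify after a client connects: both xlates should be present.
show xlate | include 172.17.1.1
```

The mapped address must also be part of the VPN's interesting traffic (split-tunnel ACL for remote-access clients, crypto ACL for the site-to-site case); 10.1.1.1 already is, because the inside 10.1.1.0/24 rule covers it. With `sysopt connection permit-ipsec` set, as in the second poster's config, the outside interface ACL is bypassed for decrypted traffic; without it, an outside access-group must permit the pool to the mapped address. The same construction fits the second poster's addresses: `access-list VPN_TO_DMZ permit ip host 13.0.0.2 10.0.0.0 255.0.0.0` followed by `static (dmz,outside) 12.0.0.10 access-list VPN_TO_DMZ`, with 12.0.0.10 already inside his existing crypto ACL.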
04-15-2010 07:56 AM
I have just started a new post for this (sorry) - what configuration is required to enable VPN users to access the DMZ using the NATed address? (or is this impossible?)