04-04-2006 10:08 AM - edited 02-21-2020 02:21 PM
I have users utilizing a VPN 3000, trying to route through a PIX 515 firewall to get to our network. They can authenticate to the Concentrator, but not get through to our network. On the PIX, I have ethernet2 labeled VPN and ehternet3 labeled DMZ. I think there's something missing in the translation. This was someone else's project and I have it now. The PIX is configured with IP's, and some access-list statements, and that's about it. I've attached a simple little diagram, if it helps. Any assistance would be greatly appreciated. Thank you in advance.
04-04-2006 10:21 AM
I would start be checking the access list on the pix.
04-04-2006 11:03 AM
Thank you very much for your prompt response. I see this command, and I'm not sure what is source and what is destination:
access-list vpn extended permit ip 172.16.0.0 255.255.255.0 10.0.16.0 255.255.255.0
Thank you for your time. I just get confused when dealing with access-lists...
04-04-2006 12:02 PM
This acl line is allowing traffic from source network of 172.16.0.0/24 to a destination network of 10.0.16.0/24.
I am assuming this acl is applied to the interface of which the VPN concentrator is connected. Is there another acl tide to the other interface that allows the return traffic? Has this ever worked before or is this a new project? Which interface has a higher security number level?
04-04-2006 12:12 PM
Yes, it is applied to the VPN interface.
There is another acl applied to the DMZ interface, however it is not as specific. It encompasses the 10.0.0.0 network.
This is a new project, and the DMZ interface has the higher security level than the VPN.
This static line is also in config:
static (VPN,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
Does this help?
Thank you very much!
04-04-2006 12:20 PM
What exactly does the acl on the dmz interface state? Have you checked the route table on the concentrator and the pix to ensure that they know where to forward traffic to?
04-04-2006 12:51 PM
The routing tables looks good, that's probably why it's confusing me. Here is the DMZ acl statement:
access-list DMZ extended permit tcp 10.0.16.0 255.255.255.0 any
Thanks again!
04-04-2006 11:53 PM
Hello,
I'm going to start from scratch and not pay attention to the previous posts. I'm assuming that you want to pass the traffic from the 172.16.0.0/24 network to the 10.0.16.0/24 network without haveing to hide the 10.0.16.0 address's from the 172.16.0.0 vpn hosts.
The following requriments are needed ACL incomming on the DMZ interface. NAT statement telling the 10.0.16.0 network not to change its address to the DMZ and if there is an ACL in the inside interface to permit traffic to the DMZ.
Specific commands to use:
static (inside, dmz) 10.0.16.0 10.0.16.0 mask 255.255.255.0 !This gives the dmz unaltered access to 10.0.16.0 network
access-list DMZ_IN permit ip 172.16.0.0 255.255.255.0 10.0.16.0 255.255.255.0
!This line will allow the VPN DMZ devices to initiate connections to the 10.0.16 servers with.
access-list INSIDE_IN permit 10.0.16.0 255.255.255.0 172.16.0.0 255.255.255.0
!This will allow the servers to iniate connections to the DMZ 172.16.0.x devices
If you have any more questions just let us know
Patrick
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide