I have a routing problem with a PIX515E running version 6.35. I have some client PCs located on the DMZ interface of the PIX515E; they connect to the PIX using the Cisco VPN Client (IPsec VPN), after which these PCs can be routed to access servers (static route) located behind the internal interface of the PIX. I also have some servers located remotely with Internet access; their gateway router connects to the PIX outside interface (Internet) using an IPsec VPN and is then routed to the inside interface (static route).
After establishing the IPsec VPN, the client PCs behind the DMZ interface can access the servers located behind the internal interface of the PIX. So can the remote servers. However, the client PCs cannot access the remote servers.
Just wondering if there is any restriction on routing in the PIX?
Thanks for the answer.
Thanks for posting, sorry for the late reply, I have been a bit busy!
I am not too clear about how you are routing your networks; personally I try to be more granular in what is routed where when using static routes with large /16 prefixes.
You have an L2L VPN allowing your remote server 172.16.0.199/32 access to inside via your crypto ACL:
access-list Remote_Server permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199
and you also have a NAT exempt rule:
nat (inside) 0 access-list nonat
For the DMZ RA VPN client 172.16.45.129 to reach the far-end server through that L2L VPN from the outside interface, you would also need to allow it as interesting traffic in the L2L tunnel ACL at the far end.
Does the far end's access-list for the L2L tunnel permit the RA VPN client network ID?
I would also add to your configuration a NAT exempt rule on the DMZ interface, just as you do with the inside interface:
nat (dmz) 0 access-list nonat
Let us know how it works out, I will revisit your config and post again a bit later.
From what you have described, this is not a routing issue but a restriction; please correct me if I misunderstood.
You said your RA VPN clients connect to your PIX VPN gateway to access resources in the DMZ and also on the inside interface. You also indicated that you have remote servers on remote sites (outside) that also connect to your PIX outside interface via IPsec VPN, and these servers can connect to inside resources. Up to here we are fine. Your RA VPN clients that connect to your DMZ via IPsec cannot access the remote servers that are connected to the outside interface of your PIX via IPsec; this is like hairpinning, which is a restriction in the 6.3.5 code train.
You need a feature known as same-security-traffic permit intra-interface, also known as hairpinning, in which traffic can go out on the same interface it came in on, usually for IPsec. This feature was introduced in code 7.x; you would simply need a code upgrade from 6.3.5 to 7.x or above to take advantage of this feature. My recommendation: upgrade your PIX to an ASA, as the PIX is EOL.
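The pieces the two answers describe, collected into one configuration fragment as an added example (not taken from the thread); PIX/ASA 7.x syntax, with the RA client pool, the crypto map name and the far-end ACL name assumed:

```cisco
! Added example, not from the thread. PIX/ASA 7.x syntax.
! Assumed: RA VPN client pool 172.16.45.128/25, which contains the client 172.16.45.129
! named in the thread; crypto map name OUTSIDE_MAP and far-end ACL name TO_PIX are
! placeholders. Server 172.16.0.199 and the ACL names Remote_Server and nonat are the
! thread's own.

! 1. Allow decrypted traffic to be routed back out the interface it arrived on.
!    This is the 7.x feature the second answer refers to; it does not exist in 6.3.x.
same-security-traffic permit intra-interface

! 2. NAT exemption: apply the same nonat ACL on the DMZ interface as on inside, so
!    RA client traffic toward the remote server is not translated before encryption.
!    172.16.45.128/25 already falls inside 172.16.0.0/16, so the first line matches it;
!    the second line only matters if the pool ever moves outside that /16.
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199
access-list nonat extended permit ip 172.16.45.128 255.255.255.128 host 172.16.0.199
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat

! 3. L2L crypto ACL (interesting traffic). The same remark about the /16 applies.
access-list Remote_Server extended permit ip 172.16.0.0 255.255.0.0 host 172.16.0.199
access-list Remote_Server extended permit ip 172.16.45.128 255.255.255.128 host 172.16.0.199
crypto map OUTSIDE_MAP 10 match address Remote_Server

! 4. Far-end gateway router (IOS syntax, names assumed): its crypto ACL must be the
!    exact mirror image, RA pool included, or no IPsec SA is built for that flow.
! ip access-list extended TO_PIX
!  permit ip host 172.16.0.199 172.16.0.0 0.0.255.255
!  permit ip host 172.16.0.199 172.16.45.128 0.0.0.127
```

Check the result with `show crypto ipsec sa` on both peers: a flow that never appears there is an interesting-traffic or NAT-exemption mismatch, not a routing problem.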
Many thanks for the quick response. I think your understanding is all correct; I will see how it goes after the firmware upgrade.
But could you explain the hairpin here? The client PCs are connected from the DMZ interface while the remote server is connected from the outside interface. They are different interfaces. Or are we talking about the IPsec itself as a logical interface?