VPN access to DMZ host

bennettg (Level 1)

I have gone through posts on the forum about allowing VPN access to a DMZ host, but I am missing something and am hoping another set of fresh eyes will spot the issue. Basically, I need a VPN profile to allow a vendor to access one host in the DMZ. The VPN will connect, but I can't access the host. Here's the config, and yes, it's an old PIX 515 running version 7.2(5); we will be getting new firewalls soon.

Thanks,

Gary

PIX Version 7.2(5)
!
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address xxxx 255.255.255.252
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.254.254 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit ip 10.254.253.0 255.255.255.0 host 10.1.1.28
access-list inside_outbound_nat0_acl extended permit ip 192.168.254.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.254.0 255.255.255.0 10.254.253.0 255.255.255.0
access-list hvac_splittunnel standard permit host 10.1.1.28
access-list dmz_nat0_outbound extended permit ip host 10.1.1.28 10.254.253.0 255.255.255.0
ip local pool hvac 10.254.253.1-10.254.253.50 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.254.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 10.1.1.0 255.255.255.0
static (dmz,outside) xxxxxx 10.1.1.2 netmask 255.255.255.255
static (dmz,outside) xxxxxx 10.1.1.3 netmask 255.255.255.255
static (inside,dmz) 192.168.254.0 192.168.254.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxxxxxx 1
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
management-access inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd ping_timeout 750
!
dhcpd address 192.168.254.100-192.168.254.200 inside
dhcpd enable inside
!
group-policy hvac internal
group-policy hvac attributes
 vpn-idle-timeout 30
 vpn-session-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value hvac_splittunnel
username hvac password xxxx encrypted
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS
tunnel-group hvac type ipsec-ra
tunnel-group hvac general-attributes
 address-pool hvac
 default-group-policy hvac
tunnel-group hvac ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!

Accepted Solution

Simerjeet Singh (Cisco Employee)

Gary,

Configure "crypto isakmp nat-t" and then test.

If it still doesn't work, please upload the following info from the setup, after you have connected the client:

1. show crypto isa sa

2. show crypto ipsec sa

Regards,

Sim.

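As a defender-side sanity check for the configuration discussed in this thread (added here; not code from the original post or from Cisco), the following Python script parses a PIX 7.x running config and verifies the four things this tunnel-group needs before the vendor's client can reach the DMZ host: NAT traversal enabled (the accepted fix), an address pool bound to the tunnel-group, a nat 0 exemption on the DMZ interface covering host-to-pool traffic, and the host present in the split-tunnel list. The config excerpt is constructed from the post above with "crypto isakmp nat-t" added, and the function and helper names are assumptions of mine.

```python
import ipaddress
import re

# Constructed excerpt of the posted PIX 7.2(5) config, plus the accepted fix "crypto isakmp nat-t".
PIX_CONFIG = """\
access-list hvac_splittunnel standard permit host 10.1.1.28
access-list dmz_nat0_outbound extended permit ip host 10.1.1.28 10.254.253.0 255.255.255.0
ip local pool hvac 10.254.253.1-10.254.253.50 mask 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
crypto isakmp nat-t
group-policy hvac attributes
 split-tunnel-network-list value hvac_splittunnel
tunnel-group hvac general-attributes
 address-pool hvac
 default-group-policy hvac
"""

def _sub(lines, header, key):
    """Last word of the indented sub-command starting with `key` under block `header`, else None."""
    inside = False
    for line in lines:
        if line.rstrip() == header:
            inside = True
        elif inside and not line.startswith(" "):
            break
        elif inside and line.strip().startswith(key):
            return line.split()[-1]
    return None

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_ra_vpn_to_dmz(config, tunnel_group, dmz_host, dmz_if="dmz"):
    """Boolean findings for one remote-access IPsec tunnel-group reaching one DMZ host."""
    lines = [l for l in config.splitlines() if l.strip()]
    flat = [l.strip() for l in lines]
    tg = f"tunnel-group {tunnel_group} general-attributes"
    pool, policy = _sub(lines, tg, "address-pool "), _sub(lines, tg, "default-group-policy ")
    pool_net = next((_net(*m.groups()) for l in flat
                     if (m := re.match(rf"ip local pool {pool} (\S+)-\S+ mask (\S+)$", l))), None)
    # nat-control is on, so the DMZ host's replies to the pool must be NAT-exempt via the nat 0 ACL.
    nat0 = next((l.split()[-1] for l in flat if l.startswith(f"nat ({dmz_if}) 0 access-list ")), None)
    exempt = pool_net is not None and any(
        pool_net.subnet_of(_net(*m.groups())) for l in flat
        if (m := re.match(rf"access-list {nat0} extended permit ip host {dmz_host} (\S+) (\S+)$", l)))
    # The split-tunnel ACL named by the group policy must list the host, or the client never routes to it.
    stl = _sub(lines, f"group-policy {policy} attributes", "split-tunnel-network-list value ")
    split_ok = f"access-list {stl} standard permit host {dmz_host}" in flat
    return {"nat_t": "crypto isakmp nat-t" in flat,  # the fix from the accepted answer
            "pool_found": pool_net is not None, "nat0_exempt": exempt, "split_tunnel": split_ok}
```

Running `check_ra_vpn_to_dmz(PIX_CONFIG, "hvac", "10.1.1.28")` on the excerpt returns all four findings as True; dropping the nat-t line reproduces the state the original post was in.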

3 Replies


Thank you, it worked. I had to reboot my PC and then all was good.

You are awesome!

Greg, I'm glad it worked.

Regards,

Sim.

----

Help out others by using the rating system and marking resolved questions as "Answered"