Showing results for 
Search instead for 
Did you mean: 

VPN access to PIX on DMZ

Level 4
Level 4


I think I'm doing something fairly obvious but hopefully someone can point it out. 

We have a PIX 515 with an IPSEC VPN configured.  Connecting to the VPN from the outside interface works fine using the outside interface IP and connecting to the VPN using the DMZ interface IP is okay.

What we'd like is to have DMZ users (who are typically wireless in the building) to use the same DNS name to connect from the DMZ as they would from the outside.  When they try to connect to the outside IP, it fails.

Is there some specific ACL or NAT entry required?


3 Replies 3

Yudong Wu
Level 7
Level 7

don't understand your question. Could you please explain it in detail?

Our PIX has 3 interfaces, inside, outside, dmz

interface Ethernet0

nameif outside

security-level 0

ip address

ospf cost 10


interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100

ip address

ospf cost 10


interface Ethernet2

nameif dmz

security-level 4

ip address

ospf cost 10

We are doing static NAT for some server and have an IPSEC VPN configured on the PIX. Beyond the PIX, there is a secondary NAT done on a router to map the 10.20.XX to Internet accessible IP's.   Users from the outside network connect to the Internet IP address, which translated to the and are able to authenticate and establish the tunnel fine.
On the DMZ, we have users connected (via WIFI).  They are not able to DNS lookup the public IP of the PIX, just the outside one  When they attempt to connect to this IP, it fails.  If they instead connect to the external public IP, it works. 
I also tried attempting to use the DMZ IP, as the VPN endpoint but it doesn't work either. 
The outside interface seems to have a  NAT for the vpn network
nat (outside) 1 vpn-net
whereas no other interface does.
In terms of the VPN crypto map, I do see
crypto map CS interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable dmz
For tunnel-group I see
tunnel-group CS general-attributes
address-pool vpn
authentication-server-group (outside) partnerauth
authentication-server-group (dmz) partnerauth

If you would like the VPN for DMZ user to terminated on dmz interface, you need apply the related crypto map to dmz interface like what you did on outside interface. You DMZ user must be able to reach dmz interface IP "". I am not sure how your DMZ user is connected to your network.