
VPN users can't access DMZ

brent.smith
Level 1

I set up VPN access for one of my customers on a PIX 515. The PIX 515 has three interfaces that support an Outside, DMZ, and Inside network. VPN users are able to access the inside networks but are unable to access the DMZ network. I pasted a copy of the PIX VPN config below (changing IPs and vpngroup names). Please review and tell me what I am missing that is preventing DMZ access for VPN users.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list 120 permit ip 172.25.0.0 255.255.0.0 172.24.0.0 255.255.0.0
access-list 120 permit ip 172.24.0.0 255.255.0.0 172.25.0.0 255.255.0.0
access-list 120 permit ip 172.25.0.0 255.255.0.0 172.25.0.0 255.255.0.0
access-list 120 permit ip 172.24.0.0 255.255.0.0 172.24.0.0 255.255.0.0
access-list 120 permit ip host 172.24.102.13 any
access-list 120 permit ip 172.29.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 172.24.0.0 255.255.255.0
access-list 120 permit ip 172.25.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 172.24.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 172.29.1.0 255.255.255.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 172.25.0.0 255.255.0.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 172.24.0.0 255.255.0.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 172.29.1.0 255.255.255.0 any
access-list 120 permit ip 172.25.100.0 255.255.255.0 172.24.201.0 255.255.255.0
access-list 120 permit ip 172.25.100.0 255.255.255.0 172.24.202.0 255.255.255.0
access-list 120 permit ip 172.24.101.0 255.255.255.0 172.24.201.0 255.255.255.0
access-list 120 permit ip 172.24.101.0 255.255.255.0 172.24.202.0 255.255.255.0
access-list 120 permit ip 172.24.201.0 255.255.255.0 172.25.100.0 255.255.255.0
access-list 120 permit ip 172.24.202.0 255.255.255.0 172.25.100.0 255.255.255.0
access-list 120 permit ip 172.24.201.0 255.255.255.0 172.24.101.0 255.255.255.0
access-list 120 permit ip 172.24.201.0 255.255.255.0 172.25.200.0 255.255.255.0
access-list 120 permit ip 172.24.202.0 255.255.255.0 172.25.200.0 255.255.255.0
access-list 120 permit ip 172.25.200.0 255.255.255.0 172.24.201.0 255.255.255.0
access-list 120 permit ip 172.25.200.0 255.255.255.0 172.25.202.0 255.255.255.0
access-list 120 permit ip 172.25.36.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 172.25.36.0 255.255.255.0
access-list 120 permit ip 172.25.100.0 255.255.255.0 172.25.36.0 255.255.255.0
access-list 120 permit ip 172.25.36.0 255.255.255.0 172.25.100.0 255.255.255.0
access-list 201 permit ip 172.25.100.0 255.255.255.0 172.24.201.0 255.255.255.0
access-list 201 permit ip 172.25.100.0 255.255.255.0 172.24.202.0 255.255.255.0
access-list 201 permit ip 172.24.101.0 255.255.255.0 172.24.201.0 255.255.255.0
access-list 201 permit ip 172.24.101.0 255.255.255.0 172.24.202.0 255.255.255.0
access-list 201 permit ip 172.24.201.0 255.255.255.0 172.25.100.0 255.255.255.0
access-list 201 permit ip 172.24.202.0 255.255.255.0 172.25.100.0 255.255.255.0
access-list 201 permit ip 172.24.201.0 255.255.255.0 172.24.101.0 255.255.255.0
access-list 201 permit ip 172.24.201.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 201 permit ip 192.168.2.0 255.255.255.0 172.24.201.0 255.255.255.0
access-list 201 permit ip 172.24.202.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 201 permit ip 192.168.2.0 255.255.255.0 172.24.202.0 255.255.255.0
access-list 201 permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 201 permit ip 172.24.202.0 255.255.255.0 172.24.101.0 255.255.255.0
access-list 201 permit ip 172.24.201.0 255.255.255.0 172.25.200.0 255.255.255.0
access-list 201 permit ip 172.24.202.0 255.255.255.0 172.25.200.0 255.255.255.0
access-list 201 permit ip 172.25.200.0 255.255.255.0 172.24.201.0 255.255.255.0
access-list 201 permit ip 172.25.200.0 255.255.255.0 172.25.202.0 255.255.255.0
access-list 201 permit ip 172.25.200.0 255.255.255.0 172.24.202.0 255.255.255.0
access-list 201 permit ip 192.168.2.0 255.255.255.0 172.25.36.0 255.255.255.0
access-list 201 permit ip 172.25.36.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 201 permit ip 172.25.100.0 255.255.255.0 172.25.36.0 255.255.255.0
access-list 201 permit ip 172.25.36.0 255.255.255.0 172.25.100.0 255.255.255.0
access-list vpn-dmz-acl permit ip 172.25.36.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-dmz-acl permit ip 192.168.2.0 255.255.255.0 172.26.36.0 255.255.255.0
ip local pool vpn 192.168.2.1-192.168.2.100
nat (inside) 0 access-list 120
nat (dmz) 0 access-list vpn-dmz-acl
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set corpusers esp-des esp-md5-hmac
crypto dynamic-map corpusers 10 set transform-set corpusers
crypto dynamic-map bob_home 20 set transform-set corpusers
crypto map corp 5 ipsec-isakmp
crypto map corp 5 match address 201
crypto map corp 5 set peer 216.52.251.65
crypto map corp 5 set transform-set corpusers
crypto map corp 15 ipsec-isakmp dynamic corpusers
crypto map corp client configuration address initiate
crypto map corp client configuration address respond
crypto map corp client authentication AuthIPSec
crypto map corp interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 216.52.251.65 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup dns-server idle-time 1800
vpngroup corpusers address-pool vpn
vpngroup corpusers dns-server 172.25.100.10 172.25.100.11
vpngroup corpusers wins-server 172.25.100.10 172.25.100.11
vpngroup corpusers split-tunnel 120
vpngroup corpusers idle-time 1800
vpngroup corpusers password


pcguru1964
Level 1

At a glance it looks like you need split tunneling.

I have a config entry:

"access-list vpngroup_splitTunnelAcl permit ip interface_DMZ 255.255.255.0 any"

My understanding is that if you do not have a split tunnel, the VPN can only connect to one subnet.

Thanks. However, in the config that I pasted, split-tunnel is configured:

access-list 120 permit ip 172.25.36.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 120 permit ip 192.168.2.0 255.255.255.0 172.25.36.0 255.255.255.0

vpngroup corpusers split-tunnel 120

For starters, I recommend you separate your access-list for nat 0 (inside) traffic and the split-tunnel access-list. It's confusing and overly permissive. Also, you have redundant entries in there where entries with larger masks are already covered by entries with smaller masks.

When making split-tunnel entries, you only need to specify the traffic that lives behind the PIX as the source, not as the destination. For example, this is all you need in the split-tunnel ACL to allow connections to the DMZ:

access-list 120 permit ip 172.25.36.0 255.255.255.0 192.168.2.0 255.255.255.0

The second entry you have accomplishes nothing for split-tunneling, and actually may be causing a problem:

access-list 120 permit ip 192.168.2.0 255.255.255.0 172.25.36.0 255.255.255.0
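As an added check (not code from the thread, from Cisco, or from any of the posters), the script below parses the `access-list ... permit ip` lines of a PIX 6.x config and reports three things. The first two are the points made in the reply above: split-tunnel entries that are not "network behind the PIX as source, client pool as destination", and entries already covered by a broader entry in the same ACL. The third is something the thread does not raise but a reviewer of the posted config would want to check: ACL 201, which `crypto map corp 5 match address 201` binds to the static peer 216.52.251.65, contains entries between 172.25.36.0/24 and the client pool 192.168.2.0/24, and a static crypto map entry with a lower sequence number (5) is evaluated before the dynamic entry (15), so traffic between those networks can be steered to the site-to-site peer rather than to the VPN client. The pool, the ACL names and the sample lines are read off the config posted above (the sample is a constructed subset of it); that the DMZ is 172.25.36.0/24 is an assumption taken from the `vpn-dmz-acl` lines, the second of which reads 172.26.36.0 rather than 172.25.36.0 as posted.

```python
"""Lint the access-lists a PIX 6.x remote-access VPN depends on.

Added example for this thread; not code from the original post or from Cisco.
Checks, using only the standard library:
  1. split-tunnel entries must be 'network behind the PIX -> client pool'
     (an entry with the pool as source does nothing for split tunnelling);
  2. entries fully covered by a broader entry in the same ACL are redundant;
  3. entries in the static crypto-map ACL that mention the client pool are
     matched by the static (lower-sequence) map entry before the dynamic one.
Assumptions: pool 192.168.2.0/24, split-tunnel ACL '120' and static-peer ACL
'201' are taken from the posted config; SAMPLE_CONFIG is a constructed subset.
"""
import ipaddress
import re
from typing import List, Tuple

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # (acl, src, dst)
POOL = ipaddress.IPv4Network("192.168.2.0/24")  # 'ip local pool vpn' in the post

# Constructed sample: a handful of lines copied from the posted config.
SAMPLE_CONFIG = """\
access-list 120 permit ip 172.25.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 172.25.36.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 172.25.36.0 255.255.255.0
access-list 120 permit ip 172.29.1.0 255.255.255.0 any
access-list 120 permit ip host 172.24.102.13 any
access-list 201 permit ip 172.25.100.0 255.255.255.0 172.24.201.0 255.255.255.0
access-list 201 permit ip 172.25.36.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 201 permit ip 192.168.2.0 255.255.255.0 172.25.36.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")


def _take_net(tokens: List[str]) -> ipaddress.IPv4Network:
    """Pop one PIX address spec off the token list: 'any', 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    # PIX writes a dotted netmask, which ipaddress accepts as 'A/MASK'.
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acls(config: str) -> List[Entry]:
    """Return (acl, src, dst) for every 'access-list N permit ip ...' line."""
    entries: List[Entry] = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # every other config line is ignored
        toks = m.group(2).split()
        src = _take_net(toks)
        dst = _take_net(toks)
        entries.append((m.group(1), src, dst))
    return entries


def fmt(e: Entry) -> str:
    return f"{e[0]}: {e[1]} -> {e[2]}"


def bad_split_tunnel(entries: List[Entry], acl: str, pool=POOL) -> List[str]:
    """Split-tunnel entries that are not 'local network -> pool': the source
    overlaps the pool, or the destination does not cover the pool ('any' is fine)."""
    return [fmt(e) for e in entries
            if e[0] == acl and (e[1].overlaps(pool) or not e[2].supernet_of(pool))]


def shadowed(entries: List[Entry], acl: str) -> List[str]:
    """Entries fully covered by another entry of the same ACL; for an exact
    duplicate only the later copy is reported."""
    rows = [e for e in entries if e[0] == acl]
    out: List[str] = []
    for i, e in enumerate(rows):
        for j, f in enumerate(rows):
            if i == j:
                continue
            covers = f[1].supernet_of(e[1]) and f[2].supernet_of(e[2])
            if covers and (f[1:] != e[1:] or j < i):
                out.append(fmt(e))
                break
    return out


def static_map_catches_pool(entries: List[Entry], acl: str, pool=POOL) -> List[str]:
    """Static crypto-map ACL entries that mention the client pool. The static map
    entry is evaluated before the dynamic one, so these flows would be sent
    toward the site-to-site peer instead of the VPN client."""
    return [fmt(e) for e in entries
            if e[0] == acl and (e[1].overlaps(pool) or e[2].overlaps(pool))]


if __name__ == "__main__":
    acl = parse_acls(SAMPLE_CONFIG)
    print("split-tunnel entries doing nothing:", bad_split_tunnel(acl, "120"))
    print("redundant entries in 120:", shadowed(acl, "120"))
    print("pool traffic caught by static map ACL 201:", static_map_catches_pool(acl, "201"))
```

Run it against a full `show run` by replacing SAMPLE_CONFIG with the file contents; lines that are not `permit ip` access-list entries are skipped. On the sample it flags the `192.168.2.0 -> 172.25.36.0` split-tunnel entry, reports the `172.25.36.0/24 -> pool` entry as already covered by `172.25.0.0/16 -> pool`, and lists the two ACL 201 entries that involve the pool.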