
Access to the DMZ

Mar 15, 2005
I am having a slight issue with accessing my DMZ servers while using the VPN. The PIX is the VPN, DHCP and so on. When I get connected, everything outside the DMZ is accessible, no issues whatsoever. When I try to ping or SSH to a device in the DMZ I get nothing; ping times out as well as SSH. From what I can see all the configs are correct. I have NAT traversal enabled. Everything in the access-lists appears to be working. I just cannot get to the DMZ while I am using the VPN.
 
That looks like it would work great for PIX to PIX. As usual, I was not too clear on my issue. I am the client connecting to the PIX; the PIX is the VPN. Once connected I can get to internal resources without any issues. I can get to my DNS servers and other servers. I cannot, however, get to any of the DMZ devices. When connected I should be able to connect to a DMZ machine.

This is the setup using the Cisco VPN client:

Laptop (client) -> PIX (VPN) -> internal servers: I can reach these fine
Laptop (client) -> PIX (VPN) -> DMZ: cannot reach
 
With just the basic VPN setup you cannot get to the DMZ through your VPN. You will need to change what is considered "interesting traffic" to the VPN to include traffic bound for the DMZ so that it gets encrypted and does not get nat'ed. The config on the website is for pix-to-pix but with a little modification it will work for VPN to DMZ and any other interface on your device. The premise is the same.

If you can post your config, I can let you know what change you need.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Here is the config:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outlist permit icmp any any echo
access-list outlist permit icmp any any echo-reply

access-list outlist permit ip any 208.159.104.96 255.255.255.224

access-list outlist permit tcp any host 216.54.184.114
access-list outlist permit tcp any host 216.54.184.1

access-list outlist permit tcp any host 63.210.254.183 eq 135
access-list outlist permit tcp any host 63.210.254.183 range 11000 11099
access-list outlist permit tcp any host 63.210.254.185 eq 135
access-list outlist permit tcp any host 63.210.254.185 range 11000 11099
access-list outlist permit tcp any host 63.210.254.189 eq 135
access-list outlist permit tcp any host 63.210.254.189 range 11000 11099

access-list outlist permit tcp any host 66.193.18.66 eq ftp
access-list outlist permit tcp any host 66.193.18.66 range 5100 5800
access-list outlist permit tcp any host 66.193.18.76 eq ftp
access-list outlist permit tcp any host 66.193.18.76 range 5100 5800
access-list outlist permit tcp any host 66.193.18.77 eq ftp
access-list outlist permit tcp any host 66.193.18.77 range 5100 5800

access-list outlist permit udp host 192.168.10.69 host 198.30.92.2 eq ntp
access-list outlist permit udp host 192.168.10.69 host 128.10.252.7 eq ntp
access-list outlist permit udp host 192.168.10.69 host 130.126.24.44 eq ntp

access-list outlist permit udp host 192.168.10.69 host 208.159.104.122 eq domain
access-list outlist permit udp host 192.168.10.70 host 208.159.104.122 eq domain

access-list outlist permit tcp host 192.168.10.77 any eq www

access-list outlist permit tcp host 192.168.10.168 any eq www
access-list outlist permit tcp host 192.168.10.168 any eq https
access-list outlist permit tcp host 192.168.10.160 any eq www
access-list outlist permit tcp host 192.168.10.160 any eq https
access-list outlist permit tcp host 192.168.10.161 any eq www
access-list outlist permit tcp host 192.168.10.161 any eq https
access-list outlist permit tcp host 192.168.10.166 any eq https
access-list outlist permit tcp host 192.168.10.172 any eq www
access-list outlist permit tcp host 192.168.10.172 any eq https
access-list outlist permit tcp host 192.168.10.157 any eq www
access-list outlist permit tcp host 192.168.10.157 any eq https
access-list outlist permit tcp host 192.168.10.167 any eq www
access-list outlist permit tcp host 192.168.10.167 any eq https

access-list outlist permit tcp host 192.168.10.156 host 63.210.254.174 eq https

access-list outlist permit tcp host 192.168.10.147 any eq www
access-list outlist permit tcp host 192.168.10.147 any eq https

access-list outlist permit tcp any any eq www
access-list outlist permit tcp any any eq https

access-list inlist permit icmp any any echo-reply
access-list inlist permit icmp any any time-exceeded


access-list inlist permit tcp any host 66.193.18.66 eq ftp
access-list inlist permit tcp any host 66.193.18.66 range 5100 5800
access-list inlist permit tcp any host 66.193.18.76 eq ftp
access-list inlist permit tcp any host 66.193.18.76 range 5100 5800
access-list inlist permit tcp any host 66.193.18.77 eq ftp
access-list inlist permit tcp any host 66.193.18.77 range 5100 5800

access-list inlist permit tcp any host 66.193.18.75 eq www
access-list inlist permit tcp any host 66.193.18.75 eq https

access-list inlist permit tcp any host 66.193.18.69 eq https

access-list inlist permit tcp any host 66.193.18.70 eq https
access-list inlist permit tcp any host 66.193.18.70 eq www

access-list inlist permit tcp any host 66.193.18.71 eq https

access-list inlist permit tcp any host 66.193.18.72 eq https

access-list inlist permit tcp any host 66.193.18.73 eq https
access-list inlist permit tcp any host 66.193.18.74 eq https

access-list dmz permit icmp any any echo
access-list dmz permit icmp any any echo-reply
access-list dmz permit tcp any host 63.210.254.183 eq 135
access-list dmz permit tcp any host 63.210.254.183 range 11000 11099
access-list dmz permit tcp any host 63.210.254.185 eq 135
access-list dmz permit tcp any host 63.210.254.185 range 11000 11099
access-list dmz permit tcp any host 63.210.254.189 eq 135
access-list dmz permit tcp any host 63.210.254.189 range 11000 11099

access-list dmz permit tcp 208.159.104.96 255.255.255.224 host 192.168.10.86 eq 1433

access-list dmz permit tcp 208.159.104.96 255.255.255.224 host 192.168.10.77 eq www
access-list dmz permit tcp 208.159.104.96 255.255.255.224 host 192.168.10.77 eq https

access-list dmz permit udp host 208.159.104.122 any eq domain
access-list dmz permit tcp host 208.159.104.122 any eq domain
access-list dmz permit tcp host 208.159.104.122 any eq www

access-list dmz permit tcp host 208.159.104.124 host 192.168.10.76 eq www

access-list dmz permit tcp host 208.159.104.124 host 192.168.10.15 eq sqlnet

access-list dmz permit tcp host 208.159.104.124 host 192.168.10.86 eq 1433

access-list dmz permit tcp host 208.159.104.114 host 12.35.100.95 eq https
access-list dmz permit tcp host 208.159.104.114 host 12.35.100.139 eq https

access-list dmz permit tcp host 208.159.104.114 host 192.168.10.90 eq sqlnet

access-list dmz permit tcp host 208.159.104.99 host 192.168.10.83 eq 1433

access-list dmz permit tcp host 208.159.104.99 host 192.168.10.75 eq lotusnotes

access-list dmz permit tcp host 208.159.104.99 host 192.168.10.68 eq www

access-list dmz permit tcp host 208.159.104.99 host 192.168.10.76 eq www

access-list dmz permit tcp host 208.159.104.99 host 192.168.10.15 eq sqlnet

access-list dmz permit tcp host 208.159.104.116 host 192.168.10.15 eq sqlnet

access-list dmz permit tcp host 208.159.104.116 host 192.168.10.90 eq sqlnet


access-list dmz permit tcp host 208.159.104.98 host 192.168.10.83 eq 1433

access-list dmz permit tcp host 208.159.104.98 host 192.168.10.62 eq ftp
access-list dmz permit tcp host 208.159.104.98 host 192.168.10.62 eq netbios-ssn
access-list dmz permit udp host 208.159.104.98 host 192.168.10.62 eq netbios-ns
access-list dmz permit udp host 208.159.104.98 host 192.168.10.62 eq netbios-dgm

access-list dmz permit tcp host 208.159.104.98 host 192.168.10.62 eq 1433

access-list dmz permit tcp host 208.159.104.98 host 192.168.10.15 eq sqlnet

access-list dmz permit tcp host 208.159.104.98 host 192.168.10.72 eq netbios-ssn
access-list dmz permit udp host 208.159.104.98 host 192.168.10.72 eq netbios-ns
access-list dmz permit udp host 208.159.104.98 host 192.168.10.72 eq netbios-dgm

access-list dmz permit tcp host 208.159.104.98 host 192.168.10.75 eq smtp

access-list dmz permit tcp host 208.159.104.98 host 192.168.10.75 eq lotusnotes

access-list dmz permit tcp host 208.159.104.98 host 192.168.10.90 eq sqlnet

access-list dmz permit tcp host 208.159.104.107 host 192.168.10.89 eq sqlnet

access-list dmz permit tcp host 208.159.104.108 host 192.168.10.75 eq lotusnotes

access-list dmz permit tcp host 208.159.104.121 host 213.161.89.20 eq https
access-list dmz permit tcp host 208.159.104.121 host 213.161.89.20 eq www
access-list nonat permit ip 192.168.10.0 255.255.255.0 208.159.104.96 255.255.255.224
access-list nonat permit ip 192.168.10.0 255.255.255.0 host 66.193.18.66
access-list nonat permit ip 192.168.10.0 255.255.255.0 host 66.193.18.76
access-list nonat permit ip 192.168.10.0 255.255.255.0 host 66.193.18.77
access-list nonat permit ip any 10.10.10.0 255.255.255.0

access-list 111 permit icmp any any
pager lines 24
logging on
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging host inside 192.168.10.159
logging host inside 192.168.10.172
logging host inside 192.168.10.154
logging host inside 192.168.10.153
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 66.193.18.65 255.255.255.192
ip address inside 192.168.10.78 255.255.255.0
ip address dmz 208.159.104.97 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.10.10.1-10.10.10.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,inside) tcp 208.159.104.114 https 208.159.104.114 8443 netmask 255.255.255.255 0 0
static (dmz,inside) tcp 208.159.104.124 https 208.159.104.124 8443 netmask 255.255.255.255 0 0
static (dmz,inside) tcp 208.159.104.99 https 208.159.104.99 8443 netmask 255.255.255.255 0 0
static (dmz,inside) tcp 208.159.104.116 https 208.159.104.116 8443 netmask 255.255.255.255 0 0
static (dmz,inside) tcp 208.159.104.110 https 208.159.104.110 8443 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 66.193.18.69 https 208.159.104.99 8443 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 66.193.18.71 https 208.159.104.110 8443 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 66.193.18.72 https 208.159.104.114 8443 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 66.193.18.73 https 208.159.104.124 8443 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 66.193.18.74 https 208.159.104.116 8443 netmask 255.255.255.255 0 0
static (inside,outside) 10.215.101.0 access-list policynat-nat2 0 0
static (dmz,outside) 10.215.100.96 access-list policynat-nat1 0 0
static (dmz,inside) 66.193.18.66 208.159.104.123 netmask 255.255.255.255 0 0
static (dmz,outside) 66.193.18.66 208.159.104.123 netmask 255.255.255.255 0 0
static (dmz,outside) 66.193.18.70 208.159.104.108 netmask 255.255.255.255 0 0
static (dmz,outside) 66.193.18.75 208.159.104.98 netmask 255.255.255.255 0 0
static (dmz,inside) 66.193.18.79 208.159.104.125 netmask 255.255.255.255 0 0
static (dmz,outside) 66.193.18.79 208.159.104.125 netmask 255.255.255.255 0 0
static (dmz,inside) 66.193.18.76 208.159.104.111 netmask 255.255.255.255 0 0
static (dmz,outside) 66.193.18.76 208.159.104.111 netmask 255.255.255.255 0 0
static (dmz,outside) 66.193.18.78 208.159.104.114 netmask 255.255.255.255 0 0
static (dmz,inside) 66.193.18.77 208.159.104.100 netmask 255.255.255.255 0 0
static (dmz,outside) 66.193.18.77 208.159.104.100 netmask 255.255.255.255 0 0
access-group inlist in interface outside
access-group outlist in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 66.193.18.1 1
route inside 204.194.127.0 255.255.255.0 192.168.10.254 1
route inside 207.169.53.53 255.255.255.255 192.168.10.254 1
route inside 207.169.53.207 255.255.255.255 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 192.168.10.69 S3cr3tK3y timeout 5
aaa-server local protocol tacacs+
aaa-server local max-failed-attempts 3
aaa-server local deadtime 10
url-server (inside) vendor websense host 192.168.10.87 timeout 20 protocol TCP version 4
filter url except 192.168.10.77 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 208.159.104.96 255.255.255.224 0.0.0.0 0.0.0.0
filter url except 0.0.0.0 0.0.0.0 208.159.104.96 255.255.255.224
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
ntp server 198.30.92.2 source outside prefer
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpn-3des esp-3des esp-md5-hmac
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto dynamic-map dynamap 50 set transform-set vpn-3des
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address
crypto map vpn 20 set peer 63.210.254.254
crypto map vpn 20 set transform-set strong
crypto map vpn 199 ipsec-isakmp dynamic dynamap
crypto map vpn client authentication partnerauth
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 63.210.254.254 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup COCU address-pool VPNPool
vpngroup COCU dns-server 192.168.10.69 192.168.10.70
vpngroup COCU wins-server 192.168.10.69 192.168.10.70
vpngroup COCU default-domain corpone.org
vpngroup COCU idle-time 1800
vpngroup COCU password ********
vpngroup AFS-Tmp address-pool VPNPool
vpngroup AFS-Tmp dns-server 192.168.10.69 192.168.10.70
vpngroup AFS-Tmp wins-server 192.168.10.69 192.168.10.70
vpngroup AFS-Tmp default-domain corpone.org
vpngroup AFS-Tmp idle-time 1800
vpngroup AFS-Tmp password ********
vpngroup OSI-Tmp address-pool VPNPool
vpngroup OSI-Tmp dns-server 192.168.10.69 192.168.10.70
vpngroup OSI-Tmp wins-server 192.168.10.69 192.168.10.70
vpngroup OSI-Tmp default-domain
vpngroup OSI-Tmp idle-time 1800
vpngroup OSI-Tmp password ********
telnet 192.168.0.0 255.255.0.0 inside
telnet 207.169.53.53 255.255.255.255 inside
telnet 208.159.104.96 255.255.255.224 dmz
telnet timeout 10
ssh 63.210.254.195 255.255.255.255 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh 208.159.104.96 255.255.255.224 dmz
ssh timeout 10
 
SuperGrrover, Mav-

I don't think the VPN client scenario uses the "interesting traffic" rule the same way as site-to-site.

However, the nonat ACL needs to be correct to allow the traffic to move,
and there needs to be a nat 0 on the DMZ interface referencing it.

Code:
access-list nonatdmz permit ip 208.159.104.96 255.255.255.224 10.10.10.0 255.255.255.0
*this will allow that VPN client access to the entire DMZ subnet, but you get the idea

You are missing your nonat on the DMZ:
Code:
nat (dmz) 0 access-list nonatdmz

Hope it helps


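A check for the gap br0ck points out above (the nat 0 exemption that has to exist on each inner interface the VPN pool should reach), written as a small Python script added here; it is not code from the thread or from Cisco. It parses the nameif, ip local pool, "permit ip" access-list and "nat (iface) 0 access-list" lines of a PIX 6.x-style config and reports every non-outside interface whose exemption ACL does not cover the client pool; the config excerpt is constructed to mirror the one posted, with br0ck's two fix lines appended for the after-check.

```python
from ipaddress import ip_address, ip_network

# Constructed excerpt shaped like the thread's config: nat 0 on inside, none on dmz.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
access-list nonat permit ip any 10.10.10.0 255.255.255.0
ip local pool VPNPool 10.10.10.1-10.10.10.254
nat (inside) 0 access-list nonat
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
"""
# The fix from br0ck's reply, appended to the sample for the "after" check.
FIX_LINES = """\
access-list nonatdmz permit ip 208.159.104.96 255.255.255.224 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list nonatdmz
"""

def _addr(tok):
    """Consume one PIX address spec from tok: any | host A.B.C.D | A.B.C.D MASK."""
    t = tok.pop(0)
    if t == "host":
        return ip_network(tok.pop(0) + "/32")
    return ip_network("0.0.0.0/0" if t == "any" else f"{t}/{tok.pop(0)}", strict=False)

def parse_config(cfg):
    """Collect interface names, VPN pools, 'permit ip' ACL entries and nat 0 bindings."""
    ifaces, pools, acls, nat0 = [], {}, {}, {}
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:1] == ["nameif"]:
            ifaces.append(tok[2])
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            pools[tok[3]] = (ip_address(lo), ip_address(hi))
        elif tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            rest = tok[4:]
            acls.setdefault(tok[1], []).append((_addr(rest), _addr(rest)))  # (src, dst)
        elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            nat0[tok[1].strip("()")] = tok[4]  # "(dmz)" -> "dmz"
    return ifaces, pools, acls, nat0

def missing_nat0(cfg):
    """Return {interface: [pool names]} where the nat 0 ACL does not exempt the pool."""
    ifaces, pools, acls, nat0 = parse_config(cfg)
    report = {}
    for iface in [i for i in ifaces if i != "outside"]:  # clients terminate on outside
        entries = acls.get(nat0.get(iface, ""), [])
        gaps = [p for p, (lo, hi) in pools.items()
                if not any(lo in dst and hi in dst for _, dst in entries)]
        if gaps:
            report[iface] = gaps
    return report
```

Run against the sample it reports {'dmz': ['VPNPool']}; with FIX_LINES appended it reports nothing.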
 
Thank you very much, it always helps to have a second, or third, pair of eyes... it's working, can't believe I missed that. Thanks again.
 
Glad it's up.

br0ck,
Just a question - how does the pix know to encrypt the traffic for the DMZ back to the vpn client? (Does the dynamic mapping take that into account?)



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
The only documentation I have seen on this references the nonat statement as the only designation of "interesting traffic" for the client. I think that through the usage of the vpngroup, its associated IP pool, and the nonat statement with the nat 0, the PIX knows that it is the correct traffic to encrypt.

Sorry I don't have a clearer answer other than that it works.


 
It's the best answer I've heard.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 