
Cannot access DMZ through VPN

Status
Not open for further replies.

robrichardson

Programmer
Mar 14, 2001
86
GB
Hi there

Having a slight problem granting access to the DMZ for a remote office which is connected via a VPN tunnel. All clients in the Head Office can access the DMZ, which is an additional interface on a 515E. The remote offices can access the inside interface at Head Office, although not the DMZ interface. The addresses are:

Head Office (inside) - 192.168.3.0/24
Remote Office - 192.168.7.0/24, 192.168.5.0/24 etc.
DMZ 10.0.1.0/27

Here are the configs:

Head Office:

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security25
nameif ethernet3 NCC security50
nameif ethernet4 intf4 security20
nameif ethernet5 standby security80
hostname Norwich515
domain-name nps.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.3.251 NPSMONITOR
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.0.1.0 255.255.255.224
access-list nonat permit ip 192.168.0.0 255.255.0.0 10.0.1.0 255.255.255.224
access-list luton permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list luton permit ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list kingston permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list kingston permit ip 192.168.8.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list lewes permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list lewes permit ip 192.168.8.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list NCCin permit ip 192.168.8.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NCCin permit ip 192.168.8.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list NCCin permit ip 192.168.8.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list NCCin permit ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list NCCin permit ip 192.168.60.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NCCnat permit ip 192.168.8.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list NCCnat permit ip 192.168.8.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list NCCnat permit ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list NCCnat permit ip host 192.168.1.152 host 10.0.1.12
access-list NCCnat permit ip host 192.168.1.125 192.168.3.0 255.255.255.0
access-list NCCnat permit ip host 192.168.1.125 192.168.6.0 255.255.255.0
access-list Essex permit ip 192.168.8.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Essex permit ip 192.168.3.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list DMZin permit icmp host 10.0.1.12 host NPSMONITOR
access-list DMZin permit icmp host 10.0.1.10 host NPSMONITOR
access-list DMZin permit tcp host 10.0.1.10 host 192.168.3.100 eq ldap
access-list DMZin permit tcp host 10.0.1.10 host 192.168.3.100 eq 3268
access-list DMZin permit tcp host 10.0.1.10 host 192.168.3.100 eq 88
access-list DMZin permit udp host 10.0.1.10 host 192.168.3.100 eq domain
access-list DMZin permit ip host 10.0.1.10 192.168.0.0 255.255.0.0
access-list yarmouth permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.252.0
access-list insideout permit tcp host 192.168.3.40 any eq www
access-list insideout permit ip 10.0.1.0 255.255.255.224 192.168.0.0 255.255.0.2

access-list insideout permit tcp host 192.168.3.249 any eq www
access-list insideout permit tcp host 192.168.3.245 any eq www
access-list insideout permit tcp host 192.168.3.217 any eq www
access-list insideout permit tcp host 192.168.3.248 any eq www
access-list insideout permit tcp host 192.168.3.246 any eq www
access-list insideout deny tcp any any eq www
access-list insideout permit ip 192.168.0.0 255.255.0.0 any
access-list outin permit tcp any host 10.0.2.5 eq smtp
access-list outin permit tcp any host 10.0.2.7 eq www
access-list outin deny ip any any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu NCC 1500
mtu intf4 1500
mtu standby 1500
ip address outside 10.0.2.2 255.255.255.224
ip address inside 192.168.3.254 255.255.255.0
ip address DMZ 10.0.1.1 255.255.255.224
ip address NCC 192.168.1.4 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address standby 10.0.3.1 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 5
failover replication http
failover ip address outside 10.0.2.4
failover ip address inside 192.168.3.253
failover ip address DMZ 10.0.1.2
failover ip address NCC 192.168.1.6
no failover ip address intf4
failover ip address standby 10.0.3.2
failover link standby
pdm location 192.168.3.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 10.0.2.6
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (NCC) 0 access-list NCCnat
nat (NCC) 1 192.168.8.0 255.255.255.0 0 0
static (DMZ,outside) 10.0.2.7 10.0.1.10 netmask 255.255.255.255 0 0
static (DMZ,outside) 10.0.2.8 10.0.1.12 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.2.5 192.168.3.150 netmask 255.255.255.255 0 0
access-group outin in interface outside
access-group insideout in interface inside
access-group DMZin in interface DMZ
access-group NCCin in interface NCC
route outside 0.0.0.0 0.0.0.0 10.0.2.1 1
route NCC 192.168.8.0 255.255.255.0 192.168.1.2 1
route NCC 192.168.60.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set 3DES-Secure esp-3des esp-md5-hmac
crypto map VPNtunnel 10 ipsec-isakmp
crypto map VPNtunnel 10 match address lewes
crypto map VPNtunnel 10 set peer 81.x.x.x
crypto map VPNtunnel 10 set transform-set 3DES-Secure
crypto map VPNtunnel 20 ipsec-isakmp
crypto map VPNtunnel 20 match address kingston
crypto map VPNtunnel 20 set peer 217.x.x.x
crypto map VPNtunnel 20 set transform-set 3DES-Secure
crypto map VPNtunnel 30 ipsec-isakmp
crypto map VPNtunnel 30 match address luton
crypto map VPNtunnel 30 set peer 81.x.x.x
crypto map VPNtunnel 30 set transform-set 3DES-Secure
crypto map VPNtunnel 40 ipsec-isakmp
crypto map VPNtunnel 40 match address Essex
crypto map VPNtunnel 40 set peer 81.x.x.x
crypto map VPNtunnel 40 set transform-set 3DES-Secure
crypto map VPNtunnel 50 ipsec-isakmp
crypto map VPNtunnel 50 match address yarmouth
crypto map VPNtunnel 50 set peer 81.x.x.x
crypto map VPNtunnel 50 set transform-set 3DES-Secure
crypto map VPNtunnel interface outside
isakmp enable outside
isakmp key ******** address 81.x.x.x netmask 255.255.255.255
isakmp key ******** address 217.x.x.x netmask 255.255.255.255
isakmp key ******** address 81.x.x.x netmask 255.255.255.255
isakmp key ******** address 81.x.x.x netmask 255.255.255.255
isakmp key ******** address 81.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
terminal width 80
banner motd NPS Property Consultants Ltd
banner motd If you are not authorised to access this equipment please leave immediately.

Example Remote Site (luton)

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 144ZEl0vAs6RxNb3 encrypted
passwd Sckm.aJJlvAMVD3j encrypted
hostname Luton506E
domain-name nps-property.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Norwich permit ip 192.168.7.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Norwich permit ip 192.168.7.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list Lewes permit ip 192.168.7.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Kingston permit ip 192.168.7.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Essex permit ip 192.168.7.0 255.255.255.0 192.168.60.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 81.x.x.x 255.255.255.248
ip address inside 192.168.7.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 81.x.x.x
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 81.178.27.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set 3DES-Secure esp-3des esp-md5-hmac
crypto map VPNtunnel 10 ipsec-isakmp
crypto map VPNtunnel 10 match address Norwich
crypto map VPNtunnel 10 set peer 80.x.x.x
crypto map VPNtunnel 10 set transform-set 3DES-Secure
crypto map VPNtunnel 20 ipsec-isakmp
crypto map VPNtunnel 20 match address Lewes
crypto map VPNtunnel 20 set peer 81.x.x.x
crypto map VPNtunnel 20 set transform-set 3DES-Secure
crypto map VPNtunnel 30 ipsec-isakmp
crypto map VPNtunnel 30 match address Kingston
crypto map VPNtunnel 30 set peer 217.x.x.x
crypto map VPNtunnel 30 set transform-set 3DES-Secure
crypto map VPNtunnel 40 ipsec-isakmp
crypto map VPNtunnel 40 match address Essex
crypto map VPNtunnel 40 set peer 81.x.x.x
crypto map VPNtunnel 40 set transform-set 3DES-Secure
crypto map VPNtunnel interface outside
isakmp enable outside
isakmp key ******** address 217.x.x.x netmask 255.255.255.255
isakmp key ******** address 81.x.x.x netmask 255.255.255.255
isakmp key ******** address 81.x.x.x netmask 255.255.255.255
isakmp key ******** address 80.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.7.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
terminal width 80


Any help would be greatly appreciated.

 
You have not defined 'interesting' traffic to and from the DMZ in any of your access lists. I think you need NAT 0 on the DMZ also.


HQ office

access-list nonat permit ip 10.0.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list luton permit ip 10.0.1.0 255.255.255.0 192.168.7.0 255.255.255.0


Luton


access-list nonat permit ip 192.168.7.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Norwich permit ip 192.168.7.0 255.255.255.0 10.0.1.0 255.255.255.0

 
Well, that kind of worked, although I'm getting a strange problem. If I start a continuous ping from HQ to Luton and start a ping from Luton to the DMZ, the HQ ping works for about 2 mins and the Luton ping to the DMZ doesn't; however, after about two mins it switches over (the HQ ping doesn't get through, however the DMZ ping does).

It seems to have something to do with applying a nat 0 statement to the DMZ interface. I firstly tried:

nat (DMZ) 0 access-li nonat (the same access-list as what is applied to the inside int)

and the problems started.

I then thought that I could try a new access-list with a different name with the same source/dest and apply that to the DMZ interface.

The ping from HQ worked no problem and doesn't start to time out; however, I'm still unable to get to the DMZ from Luton.


Hmmmm....
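To make the diagnosis in the two posts above mechanical, here is an added Python check that is not from the thread or from Cisco: it parses the PIX 6.3 line forms the thread uses and reports, for a given flow, whether the flow is NAT-exempt (nat 0) on its source interface and selected by a crypto-map ACL, and it flags nat 0 rules whose source is not on the interface they are bound to, which is what sharing one nonat list between inside and DMZ produces. The config excerpt is constructed from the thread's addresses with the reply's DMZ lines added; the function names are mine.

```python
import ipaddress
import re
# Constructed excerpt in the style of the thread's PIX 6.3 configs (not the poster's full config).
HQ = """
ip address inside 192.168.3.254 255.255.255.0
ip address DMZ 10.0.1.1 255.255.255.224
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list nonat permit ip 10.0.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list luton permit ip 10.0.1.0 255.255.255.0 192.168.7.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (DMZ) 0 access-list nonat
crypto map VPNtunnel 30 match address luton
"""
ACL = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ADDR = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
MATCH = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def net(addr, mask):  # "10.0.1.1 255.255.255.224" -> 10.0.1.0/27
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(text):
    # ip-permit ACL rules by name, nat 0 bindings, interface subnets, crypto-map ACL names
    acls, nat0, ifaces, crypto = {}, {}, {}, set()
    for line in text.strip().splitlines():
        if m := ACL.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := NAT0.match(line):
            nat0[m[1]] = m[2]
        elif m := ADDR.match(line):
            ifaces[m[1]] = net(m[2], m[3])
        elif m := MATCH.match(line):
            crypto.add(m[1])
    return acls, nat0, ifaces, crypto

def covers(rules, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in rules)

def check_flow(text, src, dst):
    """Is src->dst both exempt from NAT (nat 0) and selected by a crypto-map ACL?"""
    acls, nat0, ifaces, crypto = parse(text)
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    iface = next((n for n, sub in ifaces.items() if src.subnet_of(sub)), None)
    exempt = iface in nat0 and covers(acls.get(nat0[iface], []), src, dst)
    interesting = any(covers(acls.get(n, []), src, dst) for n in crypto)
    return {"interface": iface, "nat0": exempt, "crypto": interesting}

def nat0_source_mismatch(text):
    """nat 0 rules whose source is not on the bound interface (shared-ACL smell)."""
    acls, nat0, ifaces, _ = parse(text)
    return sorted((i, str(s)) for i, name in nat0.items() if i in ifaces
                  for s, _ in acls.get(name, []) if not s.overlaps(ifaces[i]))
```

Run the same check against the remote PIX excerpt with source and destination swapped to confirm the crypto ACLs mirror each other, since a one-sided entry is enough to break the tunnel for that flow.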
 
Never experienced what you are describing but here is what I would start looking at.

1) Did you clear the tunnels, clear cry is sa, clear cry ip sa after changing the access lists? (or remove/reapply the map on the interface or simply just reboot the firewalls.)

2) Look at the counters of the sho cry ip sa command. Is it showing errors, and are the errors incrementing when your pings are failing?
 
I've cleared the tunnels on both PIXes and the same is happening. I also had a look at the counters: the number of packets encrypted/decrypted is incrementing on the tunnel to the DMZ, however the number of errors remains at 0, so it seems the pings are getting through.

 


1) debug icmp trace on the firewalls; that will allow you to see the traffic passing through them both and give you a good idea as to where it is getting lost/blocked.

2) Add a permit ICMP statement as the first line in the nat 0 and site trigger ACLs so you can see if they are incrementing.
