Cisco PIX 515E: VPN access to multiple subnets in DMZ

dave2korg (IS-IT--Management, US), Feb 25, 2006
Hey All,

I have a PIX 515E setup at my office, and would like to be able to connect to servers in the DMZs while on the VPN client. I remember seeing an article posted before, but can't seem to dig it up. Here is a quick breakdown:

Local lan runs on 192.168.1.x subnet
DMZ 1 runs on 10.10.6.x subnet
DMZ 2 runs on 10.10.8.x subnet
etc

From home, I can only connect to servers that are in the 192.168.1.x subnet. Here in the office, anyone that's on the internal network can connect to the servers in the DMZ with no problems. I am assuming I just need to grant the VPN pool access to the DMZ subnets?

Here is my configuration:
PIX Version 7.2(1)

interface Ethernet0
nameif outside
security-level 0
ip address XXXXXXXX 255.255.255.128 standby XXXXXXXXX
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
!
interface Ethernet1.1
vlan 44
nameif wirelessSec
security-level 98
ip address 10.10.3.1 255.255.255.0
!
interface Ethernet1.2
vlan 42
nameif wirelessPub
security-level 3
ip address 10.10.5.1 255.255.255.0
!
interface Ethernet2
nameif intf2
security-level 4
ip address 192.168.4.1 255.255.255.0 standby 192.168.4.254
!
interface Ethernet2.2
vlan 36
nameif XXXXXX
security-level 1
ip address 10.10.13.1 255.255.255.0 standby 10.10.13.254
!
interface Ethernet3
nameif sql
security-level 99
ip address 10.10.7.1 255.255.255.0 standby 10.10.7.254
!
interface Ethernet4
nameif XXXXXXX
security-level 10
ip address 10.10.6.1 255.255.255.0 standby 10.10.6.254
!
interface Ethernet5
nameif steel
security-level 90
ip address 10.10.8.1 255.255.255.0 standby 10.10.8.254
!
passwd XXXXXXXXX encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name XXXXXXXXXX
access-list intf2_access_in extended permit icmp any any
access-list intf2_access_in extended permit tcp host DEBIAN host GUARDIAN eq smtp
access-list intf2_access_in extended permit tcp host webservicesnas1 object-group DomainServers object-group DomainPortsTCP
access-list intf2_access_in extended permit udp host webservicesnas1 object-group DomainServers object-group DomainPortsUDP
access-list intf2_access_in extended permit tcp host DEBIAN host DEVSERVER2 eq www
access-list intf2_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list intf2_access_in extended permit ip any any
access-list intf2_access_in extended permit ip 10.10.3.0 255.255.255.0 any
access-list outside_access_in extended deny ip host 203.129.237.122 any
access-list outside_access_in extended deny ip host 209.67.1.67 any
access-list outside_access_in extended deny icmp any any object-group TimestampInfo
access-list outside_access_in extended permit ip any any
access-list Default_splitTunnelAcl standard permit any
access-list XXXXXXXX_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list XXXXXXXX_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit tcp object-group WEBSERVERS object-group SQLSERVERS eq 1433
access-list inside_access_out extended permit tcp object-group WEBSERVERS host webservices1 eq www
access-list inside_access_out extended permit tcp host DEBIAN host SQLSERVER2 eq 1433
access-list inside_access_out extended permit tcp host webservicesnas1 object-group DomainServers object-group DomainPortsTCP
access-list inside_access_out extended permit udp host webservicesnas1 object-group DomainServers object-group DomainPortsUDP
access-list inside_access_out remark domain to XXXXXXXX dmz
access-list inside_access_out extended permit tcp 10.10.6.0 255.255.255.0 object-group DomainServers object-group DomainPortsTCP
access-list inside_access_out remark domain to XXXXXXXX dmz
access-list inside_access_out extended permit udp 10.10.6.0 255.255.255.0 object-group DomainServers object-group DomainPortsUDP
access-list inside_access_out remark xxxweb to proxy
access-list inside_access_out extended permit udp object-group All_Internal object-group DomainServers eq domain
access-list inside_access_out extended permit tcp object-group All_Internal object-group DomainServers eq domain
access-list inside_access_out extended permit tcp object-group IDA_ref host webservices1 object-group HTTPandSecure
access-list inside_access_out extended permit ip 10.10.3.0 255.255.255.0 any
access-list intf2_access_out extended permit icmp any any
access-list intf2_access_out extended permit tcp any object-group PUBLIC_WEBSERVERS1 object-group HTTPandSecure
access-list intf2_access_out extended permit tcp any object-group PUBLIC_WEBSERVERS1 object-group MMS_TCP
access-list intf2_access_out extended permit udp any object-group PUBLIC_WEBSERVERS1 object-group MMS_UDP
access-list intf2_access_out extended permit tcp any host DEBIAN eq www
access-list intf2_access_out extended permit ip 192.168.0.0 255.255.0.0 any
access-list Server extended permit udp any host DEVSERVER2
access-list XXXXX_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list XXXXXXXX_splitTunnelAcl_2 standard permit 192.168.1.0 255.255.255.0
access-list XXXXXXXX_splitTunnelAcl_3 standard permit 192.168.1.0 255.255.255.0
access-list XXXXXXXX_splitTunnelAcl_3 standard permit 10.10.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.7.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.13.0 255.255.255.0
access-list outside_cryptomap extended permit ip any 192.168.1.64 255.255.255.192
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 8.6.73.66
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.10.4.0 255.255.255.0
access-list steel_access_out extended permit icmp any any
access-list steel_access_in extended permit ip any any
access-list XXXXXXXX_dmz_access_in extended permit icmp any any
access-list XXXXXXXX_dmz_access_in remark XXXXXXXX dmz to domain
access-list XXXXXXXX_dmz_access_in extended permit tcp 10.10.6.0 255.255.255.0 object-group DomainServers object-group DomainPortsTCP
access-list XXXXXXXX_dmz_access_in remark XXXXXXXX dmz to domain
access-list XXXXXXXX_dmz_access_in extended permit udp 10.10.6.0 255.255.255.0 object-group DomainServers object-group DomainPortsUDP
access-list XXXXXXXX_dmz_access_in remark New Guardian internet access
access-list XXXXXXXX_dmz_access_in extended permit ip host GUARDIAN any
access-list XXXXXXXX_dmz_access_in remark proxy to xxxweb
access-list XXXXXXXX_dmz_access_in extended permit tcp host DEBIAN eq xxxWEB eq www
access-list XXXXXXXX_dmz_access_in remark outside access to headhunter
access-list XXXXXXXX_dmz_access_in extended permit ip host HEADHUNTER any
access-list XXXXXXXX_dmz_access_in extended permit tcp host HEADHUNTER host headhunterv2 eq 3306
access-list XXXXXXXX_dmz_access_in remark atlas internet access
access-list XXXXXXXX_dmz_access_in extended permit ip host ATLAS any
access-list XXXXXXXX_dmz_access_in remark atlas route mail to debian
access-list XXXXXXXX_dmz_access_in extended permit tcp host ATLAS host DEBIAN eq smtp
access-list XXXXXXXX_dmz_access_in extended permit tcp host HEADHUNTER object-group SQLSERVERS eq 1433
access-list XXXXXXXX_dmz_access_out extended permit icmp any any
access-list XXXXXXXX_dmz_access_out remark inside network to any service
access-list XXXXXXXX_dmz_access_out extended permit ip 192.168.1.0 255.255.255.0 any
access-list XXXXXXXX_dmz_access_out remark squirrelmail
access-list XXXXXXXX_dmz_access_out extended permit tcp object-group All_Internal eq DEBIAN eq www
access-list XXXXXXXX_dmz_access_out remark SMTP out from debian
access-list XXXXXXXX_dmz_access_out extended permit tcp object-group All_Internal eq smtp host DEBIAN eq smtp
access-list XXXXXXXX_dmz_access_out remark Internet to Sharepoint(Atlas) rule
access-list XXXXXXXX_dmz_access_out extended permit tcp any host ATLAS eq www
access-list XXXXXXXX_dmz_access_out remark Public FTP server
access-list XXXXXXXX_dmz_access_out extended permit tcp any host ATLAS object-group FTPandFTPData
access-list XXXXXXXX_dmz_access_out remark New Guardian webmail
access-list XXXXXXXX_dmz_access_out extended permit tcp any host GUARDIAN object-group HTTPandSecure
access-list XXXXXXXX_dmz_access_out remark New Guardian Mail Rule
access-list XXXXXXXX_dmz_access_out extended permit tcp any host GUARDIAN object-group Exchange
access-list XXXXXXXX_dmz_access_out extended permit udp any host GUARDIAN object-group RPCExchangeUDP
access-list XXXXXXXX_dmz_access_out extended permit tcp host ATLAS host GUARDIAN eq smtp
access-list XXXXXXXX_dmz_access_out extended permit tcp any host HEADHUNTER object-group ERS
access-list XXXXXXXX_dmz_access_out remark Allow FTP to Headhunter from GM
access-list XXXXXXXX_dmz_access_out extended permit tcp any host ATLAS eq smtp
access-list XXXXXXXX_dmz_access_out extended permit ip 10.10.3.0 255.255.255.0 any
access-list XXXXXXXX_dmz_access_out extended permit tcp 10.10.3.0 255.255.255.0 host GUARDIAN eq 135
access-list client_firewall_out extended permit ip any any
access-list client_firewall_in extended deny ip any any
access-list chatforum_access_out extended permit icmp any any
access-list chatforum_access_out extended permit tcp any host 10.10.13.5 eq www
access-list chatforum_access_out extended permit ip 192.168.1.0 255.255.255.0 host 10.10.13.4
access-list chatforum_access_out extended permit ip 192.168.1.0 255.255.255.0 host 10.10.13.3
access-list chatforum_access_out extended permit ip 192.168.1.0 255.255.255.0 host 10.10.13.5
access-list chatforum_access_in extended permit udp host 10.10.13.5 object-group DomainServers eq domain
access-list chatforum_access_in extended permit tcp host 10.10.13.5 host DEBIAN eq smtp
access-list chatforum_access_in extended permit ip 10.10.13.0 255.255.255.0 any inactive
access-list sql_access_out extended permit icmp any any
access-list sql_access_out extended permit ip 192.168.1.0 255.255.255.0 any
access-list sql_access_in extended permit tcp 10.10.7.0 255.255.255.0 object-group DomainServers object-group DomainPortsTCP
access-list sql_access_in extended permit udp 10.10.7.0 255.255.255.0 object-group DomainServers object-group DomainPortsUDP
access-list wirelessSec_access_out extended deny ip any any
access-list wirelessSec_nat0_outbound extended permit ip 10.10.3.0 255.255.255.0 10.10.6.0 255.255.255.0
mtu outside 1500
mtu inside 1500
mtu wirelessSec 1500
mtu wirelessPub 1500
mtu intf2 1500
mtu chatforum 1500
mtu sql 1500
mtu XXXXXXXX_dmz 1500
mtu steel 1500
ip local pool XXXXXXVPN 192.168.1.90-192.168.1.99 mask 255.255.255.0
ip local pool XXXXXXXX_dmz_vpn 10.10.6.230-10.10.6.240 mask 255.255.255.0
failover
monitor-interface outside
monitor-interface inside
no monitor-interface wirelessSec
no monitor-interface wirelessPub
monitor-interface intf2
no monitor-interface chatforum
monitor-interface sql
monitor-interface XXXXXXXX_dmz
monitor-interface steel
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (intf2) 10 interface
global (XXXXXXXX_dmz) 10 interface
global (steel) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.1.0 255.255.255.0
nat (wirelessSec) 0 access-list wirelessSec_nat0_outbound
nat (wirelessSec) 10 10.10.3.0 255.255.255.0
nat (wirelessPub) 10 0.0.0.0 0.0.0.0 dns
nat (intf2) 10 0.0.0.0 0.0.0.0
nat (XXXXXXXX_dmz) 10 10.10.6.0 255.255.255.0

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group wirelessSec_access_in in interface wirelessSec
access-group wirelessSec_access_out out interface wirelessSec
access-group wirelessPub_access_in_1 in interface wirelessPub
access-group intf2_access_in in interface intf2
access-group intf2_access_out out interface intf2
access-group chatforum_access_in in interface chatforum
access-group chatforum_access_out out interface chatforum
access-group sql_access_in in interface sql
access-group sql_access_out out interface sql
access-group XXXXXXXX_dmz_access_in in interface XXXXXXXX_dmz
access-group XXXXXXXX_dmz_access_out out interface XXXXXXXX_dmz
access-group steel_access_in in interface steel
access-group steel_access_out out interface steel
!
route-map inside_outbound_nat0_acl permit 10
!
route outside 0.0.0.0 0.0.0.0 Cisco3850 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy Default internal
group-policy Default attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Default_splitTunnelAcl
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication enable
user-authentication enable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
group-policy XXXXXXXX internal
group-policy XXXXXXXX attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXXXXXX_splitTunnelAcl_3
group-policy xxx internal
group-policy xxx attributes
vpn-filter value xxxACL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server community XXXXXXXX
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 8.6.73.66
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group XXXXXXXX type ipsec-ra
tunnel-group XXXXXXXX general-attributes
address-pool XXXXXXXXVPN
default-group-policy XXXXXXXX
tunnel-group XXXXXXXX ipsec-attributes
pre-shared-key *
tunnel-group 8.6.73.66 type ipsec-l2l
tunnel-group 8.6.73.66 ipsec-attributes
pre-shared-key *
tunnel-group xxx type ipsec-ra
tunnel-group xxx general-attributes
default-group-policy xxx
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns ARSENIC GOLD
dhcpd ping_timeout 750
dhcpd domain XXXXXXXXllc.com
!
dhcpd address 192.168.1.140-192.168.1.240 inside
dhcpd enable inside
!
dhcpd address 10.10.3.2-10.10.3.250 wirelessSec
dhcpd enable wirelessSec
!
dhcpd address 10.10.5.2-10.10.5.250 wirelessPub
dhcpd enable wirelessPub
!
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_2
description nope,
parameters
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect icmp error
inspect icmp
inspect dns migrated_dns_map_2
policy-map type inspect esmtp BasicESMTPFilter
parameters
no mask-banner
match MIME filename length gt 255
log
match sender-address length gt 320
log
match cmd RCPT count gt 100
log
match body line length gt 998
log
match cmd line length gt 512
log
policy-map global-policy
class global-class
inspect dns
!
service-policy global_policy global
ntp server 192.43.244.18 source outside prefer
smtp-server 192.168.4.8
prompt hostname context
: end

David McKissic
A+, Net+, i-net+, CCNA, CNE, CNA
 
I will have to double-check, but I think you just have to add the DMZ in the no-nat rules and that should do it. Try it and I will check my docs/configs.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent,

can you elaborate?

David McKissic
A+, Net+, i-net+, CCNA, CNE, CNA

 
I still haven't found my notes and I don't have a lot of time this week, but give this a try:

access-list DMZ_nat0_outbound remark exempt DMZ-to-VPN-pool traffic from NAT
access-list DMZ_nat0_outbound extended permit ip [DMZ NETWORK] 192.168.1.0 255.255.255.0
access-list DMZ_nat0_outbound remark 10.10.6.0/24 covers the 10.10.6.230-240 dmz VPN pool
access-list DMZ_nat0_outbound extended permit ip [DMZ NETWORK] 10.10.6.0 255.255.255.0

nat (dmz) 0 access-list DMZ_nat0_outbound

You also must allow this traffic flow on any ACL applied to the DMZ interface or it will be blocked there and not make it to the NAT process.



Brent
Systems Engineer / Consultant
CCNP, CCSP
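Applying the thread's answer to the posted configuration, as an added example that is not part of the original thread and was not posted by either participant. Interface, pool and ACL names come from the config above; the two new nat0 ACL names and the RDP port on the steel hosts are marked ASSUMED and are illustrative only. In the posted config DMZ 1 is the XXXXXXXX_dmz interface (10.10.6.0/24) and DMZ 2 is steel (10.10.8.0/24). Office users reach both because inside_nat0_outbound exempts 192.168.1.0/24 to the DMZ networks and the DMZ "out" ACLs permit 192.168.1.0/24; VPN clients enter on outside, where no equivalent exemption exists for the DMZ interfaces, and the split-tunnel list only carries 10.10.6.0/24. The client pool XXXXXXVPN (192.168.1.90-99) falls inside 192.168.1.64/26, the block inside_nat0_outbound already uses:

```cisco
! Added example, not from the original thread. Names not in the posted config are marked ASSUMED.
!
! 1. Split tunnel: the client only routes the networks in this list into the tunnel.
!    XXXXXXXX_splitTunnelAcl_3 already lists 192.168.1.0/24 and 10.10.6.0/24; add DMZ 2.
access-list XXXXXXXX_splitTunnelAcl_3 standard permit 10.10.8.0 255.255.255.0
!
! 2. NAT exemption from each DMZ interface to the VPN pool. With nat-control on,
!    nat (XXXXXXXX_dmz) 10 plus global (outside) 10 would otherwise apply PAT to the
!    DMZ side of these connections (or drop them for lack of a translation);
!    nat 0 exempts them, exactly as inside_nat0_outbound does for inside.
!    Both ACL names are ASSUMED.
access-list XXXXXXXX_dmz_nat0_outbound extended permit ip 10.10.6.0 255.255.255.0 192.168.1.64 255.255.255.192
nat (XXXXXXXX_dmz) 0 access-list XXXXXXXX_dmz_nat0_outbound
!
access-list steel_nat0_outbound extended permit ip 10.10.8.0 255.255.255.0 192.168.1.64 255.255.255.192
nat (steel) 0 access-list steel_nat0_outbound
!
! 3. Interface ACLs. The ACL applied "out" on a DMZ interface filters what the PIX
!    delivers to the DMZ hosts. XXXXXXXX_dmz_access_out already permits 192.168.1.0/24
!    to any, which covers the pool; steel_access_out permits only ICMP, so nothing
!    else from VPN users reaches steel. Permit only what remote users need rather
!    than "ip any": the RDP port below is ASSUMED.
access-list steel_access_out extended permit tcp 192.168.1.64 255.255.255.192 10.10.8.0 255.255.255.0 eq 3389
```

Check the result with a connected client: `show conn` should list the client-to-DMZ connection, and `show xlate` should show no PAT entry for the DMZ host toward the pool address. `packet-tracer input outside tcp 192.168.1.90 1025 10.10.8.10 3389` (available from 7.2 code) walks the ACL and NAT phases and names the phase that drops the flow. If the goal is to restrict remote users more tightly than the interface ACLs do, a vpn-filter on the group policy (the posted config already uses one on group-policy xxx) is the place for it.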
 