Cisco VPN client 3.6.x and 4.0.x cannot access DMZ

bwilliam13 (IS-IT--Management)
Nov 15, 2002
I have Cisco VPN clients connecting into a PIX with 6 interfaces (3 of the interfaces active), authenticating by RADIUS. Everything works regarding the VPN clients connecting to the inside interface of the PIX. However...

No VPN clients can access anything in the DMZ interface, which is where the mail, web, and ftp servers are. I have access-lists that specify to let anyone on the inside interface--or appropriate subnet--access any server in the DMZ...and every PC sitting physically on the inside interface can access them fine. However, VPN clients who get an IP address from a pool that is on a subnet in the inside range cannot access the DMZ on the same ports.

This is a problem...and one that I don't know how to get around.

Here's my applicable configuration - no modifications, posted as-is, commented so you can understand it:

# Let any hosts on inside (10.1.0.0/16) access any hosts in the DMZ (10.0.2.0/24)

access-list acl_dmz1 permit icmp 10.1.0.0 255.255.0.0 any
access-list acl_dmz1 permit tcp 10.1.0.0 255.255.0.0 any
access-list acl_dmz1 permit udp 10.1.0.0 255.255.0.0 any
access-list acl_dmz1 permit ah 10.1.0.0 255.255.0.0 any
access-list acl_dmz1 permit esp 10.1.0.0 255.255.0.0 any

# Let any VPN clients access any hosts on inside (10.1.0.0/16) as well as DMZ (10.0.2.0/24)

access-list 101 permit ip 10.1.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit icmp 10.1.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 10.1.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list 101 permit icmp 10.1.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list 101 permit ip 10.1.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit icmp 10.1.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip 10.0.2.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 101 permit icmp 10.0.2.0 255.255.255.0 10.1.0.0 255.255.255.0

#Specify IP addresses for VPN clients
ip local pool ippool 10.1.0.10-10.1.0.20

#Don't NAT VPN client traffic
nat (inside) 0 access-list 101

#Specify crypto/isakmp stuff for VPN clients
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.1.1.2 10.1.2.3
vpngroup vpn3000 wins-server 10.1.1.2 10.1.2.3
vpngroup vpn3000 default-domain whatever.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 split-dns whatever.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 max-time 86400


Everything else works perfectly...except VPN clients getting to the DMZ. I'm at a complete loss at this point...been trying to figure this out off and on for the past 2 weeks. Any help is appreciated.
 
Hi.

> VPN clients who get an IP address from a pool that is on a subnet in the inside range
> ip local pool ippool 10.1.0.10-10.1.0.20
This is wrong.
You should configure the VPN clients to get addresses from an unused subnet, like 192.168.111.X

Remember - from the pix point of view, VPN clients are coming from the OUTSIDE interface, not the INSIDE.
This is important for both translation and access rules.

Please post your full configuration (see the FAQ of this forum for tips about how to post it), because the partial config you posted is not sufficient for review and comments.




Yizhar Hurwitz
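The reply's point, that the PIX treats VPN client packets as arriving on the outside interface and therefore needs a translation (a static or a nat 0 exemption) on the DMZ side just as it has one on the inside, as an added Python model that is not part of the thread. It parses a constructed excerpt of the posted configuration, with the masked public addresses replaced by 198.51.100.N, and compares it against a hypothetical nat (dmz1) 0 exemption that the thread itself never states; the PIX behaviour is simplified to the low-to-high direction and ignores ports and sysopt settings.

```python
"""Simplified model of the PIX 6.x translation check for a packet that arrives
on a low-security interface and is bound for a high-security one: the PIX needs
either a static whose global address covers the destination, or a nat 0
exemption configured on the destination interface. Added example, not a tool
from the thread; it ignores ports, sysopt settings and ACL ordering details."""
import ipaddress

# Constructed excerpt of the thread's configuration. Public addresses that the
# post masks as xxx.xxx.xxx.N are replaced by 198.51.100.N (documentation range).
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet3 dmz1 security40
ip address outside 198.51.100.130 255.255.255.128
ip address inside 10.1.0.129 255.255.0.0
ip address dmz1 10.0.2.129 255.255.255.0
ip local pool ippool 10.1.0.10-10.1.0.20
access-list 101 permit ip 10.1.0.0 255.255.255.0 any
access-list 101 permit ip any 10.1.0.0 255.255.255.0
nat (inside) 0 access-list 101
static (dmz1,outside) 198.51.100.144 10.0.2.144 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
"""

# Hypothetical addition, not from the thread: give dmz1 the same nat 0 exemption
# towards the VPN pool that the inside interface already has.
NONAT_DMZ = """
access-list nonat_dmz permit ip 10.0.2.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (dmz1) 0 access-list nonat_dmz
"""


def take_addr(tokens):
    """Pop one PIX address spec (any | host A | A MASK) and return it as a network."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network((word, tokens.pop(0)), strict=False)


def parse(config):
    """Extract interfaces, ACLs, nat 0 exemptions and statics from PIX 6.x text."""
    cfg = {"level": {}, "net": {}, "acl": {}, "nat0": {}, "static": []}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":                          # nameif ethernetN NAME securityLEVEL
            cfg["level"][t[2]] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"]:              # ip address NAME ADDR MASK
            cfg["net"][t[2]] = ipaddress.ip_network((t[3], t[4]), strict=False)
        elif t[0] == "access-list":                   # access-list NAME permit|deny PROTO SRC DST ...
            rest = t[4:]
            src, dst = take_addr(rest), take_addr(rest)
            cfg["acl"].setdefault(t[1], []).append((t[2], src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]      # nat (IF) 0 access-list NAME
        elif t[0] == "static":                        # static (HI,LO) GLOBAL LOCAL netmask MASK
            hi, lo = t[1].strip("()").split(",")
            cfg["static"].append((hi, lo, ipaddress.ip_network((t[2], t[5]), strict=False)))
    return cfg


def acl_permits(entries, src, dst):
    """First-match evaluation of the parsed entries for a src/dst pair."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def egress_interface(cfg, dst):
    """Connected-route lookup: the interface whose subnet contains dst (longest prefix)."""
    hits = [(net.prefixlen, name) for name, net in cfg["net"].items() if dst in net]
    return max(hits)[1] if hits else None


def translation_for(cfg, ingress, src, dst):
    """Return the config line that translates dst for a packet arriving on ingress,
    or None when the PIX has no xlate for it (the packet is dropped)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. A static whose global address (low-security side) covers dst pre-creates the xlate.
    for hi, lo, global_net in cfg["static"]:
        if lo == ingress and dst in global_net:
            return f"static ({hi},{lo}) {global_net}"
    # 2. Otherwise dst must route to a higher-security interface that carries a nat 0
    #    exemption; the exemption ACL is written from the high-side host's view,
    #    so its source is our dst and its destination is our src.
    egress = egress_interface(cfg, dst)
    if egress is None or cfg["level"][egress] <= cfg["level"][ingress]:
        return None
    acl = cfg["nat0"].get(egress)
    if acl and acl_permits(cfg["acl"].get(acl, []), src=dst, dst=src):
        return f"nat ({egress}) 0 access-list {acl}"
    return None


if __name__ == "__main__":
    client = "10.1.0.15"        # an address from the thread's VPN pool
    for label, cfg in (("as posted", parse(PIX_CONFIG)),
                       ("with nat (dmz1) 0", parse(PIX_CONFIG + NONAT_DMZ))):
        for target in ("10.1.1.2", "10.0.2.144", "198.51.100.144"):
            print(f"{label:18} {client} -> {target}: {translation_for(cfg, 'outside', client, target)}")
```

As posted, the model finds an xlate for the inside host and for the DMZ server's public address (via its static) but none for the DMZ server's private address, which is exactly the traffic the VPN clients cannot get through.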
 
Actually, I've tried unused subnets before. Doesn't make a difference. I can still get to every machine on the inside interface--which is the desired effect--but cannot access any machine on the DMZ. Here's the whole config.

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 unused1 security10
nameif ethernet3 dmz1 security40
nameif ethernet4 unused3 security60
nameif ethernet5 VPN security10
enable password **************** encrypted
passwd ***************** encrypted
hostname pix
domain-name ********.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_outside permit tcp any host xxx.xxx.xxx.140 eq domain
access-list acl_outside permit udp any host xxx.xxx.xxx.140 eq domain
access-list acl_outside permit tcp any host xxx.xxx.xxx.143 eq ftp
access-list acl_outside permit tcp any host xxx.xxx.xxx.144 eq smtp
access-list acl_outside permit tcp any host xxx.xxx.xxx.144 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.141 eq domain
access-list acl_outside permit udp any host xxx.xxx.xxx.141 eq domain
access-list acl_outside permit tcp any host xxx.xxx.xxx.141 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.141 eq smtp
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq 5050
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq ftp
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq ssh
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq https
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq citrix-ica
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq 123
access-list acl_outside permit udp host xxx.xxx.xxx.191 any eq ntp
access-list acl_outside permit tcp host xxx.xxx.xxx.154 host xxx.xxx.xxx.46 eq pptp
access-list acl_outside permit tcp host xxx.xxx.xxx.46 host xxx.xxx.xxx.154 eq pptp
access-list acl_outside permit gre host xxx.xxx.xxx.46 host xxx.xxx.xxx.154
access-list acl_outside permit gre host xxx.xxx.xxx.154 host xxx.xxx.xxx.46
access-list acl_outside deny ip host xxx.xxx.xxx.154 any
access-list acl_outside permit tcp host xxx.xxx.xxx.192 host xxx.xxx.xxx.212 eq citrix-ica
access-list acl_outside permit tcp host xxx.xxx.xxx.192 host xxx.xxx.xxx.212 eq www
access-list acl_outside permit esp xxx.xxx.xxx.0 255.255.255.0 host xxx.xxx.xxx.145
access-list acl_outside permit ah xxx.xxx.xxx.0 255.255.255.0 host xxx.xxx.xxx.145
access-list acl_outside permit ip xxx.xxx.xxx.0 255.255.255.0 host xxx.xxx.xxx.145
access-list acl_outside permit tcp xxx.xxx.xxx.0 255.255.255.0 host xxx.xxx.xxx.145
access-list acl_outside permit udp xxx.xxx.xxx.0 255.255.255.0 host xxx.xxx.xxx.145
access-list acl_outside permit esp host xxx.xxx.xxx.145 xxx.xxx.xxx.0 255.255.255.0
access-list acl_outside permit ah host xxx.xxx.xxx.145 xxx.xxx.xxx.0 255.255.255.0
access-list acl_outside permit ip host xxx.xxx.xxx.145 xxx.xxx.xxx.0 255.255.255.0
access-list acl_outside permit tcp host xxx.xxx.xxx.145 xxx.xxx.xxx.0 255.255.255.0
access-list acl_outside permit udp host xxx.xxx.xxx.145 xxx.xxx.xxx.0 255.255.255.0
access-list acl_outside permit icmp xxx.xxx.xxx.0 255.255.255.0 host xxx.xxx.xxx.145
access-list acl_outside permit icmp host xxx.xxx.xxx.145 xxx.xxx.xxx.0 255.255.255.0
access-list acl_outside permit tcp any host xxx.xxx.xxx.159 eq 2100
access-list acl_outside permit icmp any host xxx.xxx.xxx.159
access-list acl_outside permit icmp host xxx.xxx.xxx.159 any
access-list acl_outside permit ah host xxx.xxx.xxx.138 any
access-list acl_outside permit esp host xxx.xxx.xxx.138 any
access-list acl_outside permit tcp host xxx.xxx.xxx.192 any eq www
access-list acl_outside permit tcp host xxx.xxx.xxx.192 any eq ftp
access-list acl_outside permit tcp host xxx.xxx.xxx.192 any eq https
access-list acl_outside permit tcp host xxx.xxx.xxx.192 any eq citrix-ica
access-list acl_outside permit tcp any host xxx.xxx.xxx.142 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.142 eq https
access-list acl_outside permit tcp any host xxx.xxx.xxx.146 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.146 eq https
access-list acl_outside permit tcp any host xxx.xxx.xxx.147 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.147 eq https
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq 10000
access-list acl_outside permit tcp host xxx.xxx.xxx.192 any eq 10000
access-list acl_outside permit esp host xxx.xxx.xxx.191 any
access-list acl_outside permit tcp any host xxx.xxx.xxx.141 eq 995
access-list acl_outside permit udp any host xxx.xxx.xxx.141 eq 995
access-list acl_outside permit tcp any host xxx.xxx.xxx.140 eq smtp
access-list acl_outside permit tcp any host xxx.xxx.xxx.141 eq https
access-list acl_outside permit udp host xxx.xxx.xxx.191 any eq dnsix
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq domain
access-list acl_outside permit gre host xxx.xxx.xxx.138 any
access-list acl_outside permit gre any host xxx.xxx.xxx.138
access-list acl_outside permit icmp any host xxx.xxx.xxx.138
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq pop3
access-list acl_outside permit tcp any host xxx.xxx.xxx.137 eq ssh
access-list acl_outside permit tcp any host xxx.xxx.xxx.148 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.148 eq https
access-list acl_outside permit esp any host xxx.xxx.xxx.130
access-list acl_outside permit ah any host xxx.xxx.xxx.130
access-list acl_outside permit udp any host xxx.xxx.xxx.130 eq isakmp
access-list acl_outside permit tcp any host xxx.xxx.xxx.130 eq 500
access-list acl_outside permit tcp any host xxx.xxx.xxx.130 eq ssh
access-list acl_outside permit icmp host xxx.xxx.xxx.136 any
access-list acl_outside permit icmp any host xxx.xxx.xxx.136
access-list acl_outside permit ip host xxx.xxx.xxx.136 any
access-list acl_outside permit tcp any host xxx.xxx.xxx.136 eq pptp
access-list acl_outside permit ah host xxx.xxx.xxx.136 any
access-list acl_outside permit ah any host xxx.xxx.xxx.136
access-list acl_outside permit esp host xxx.xxx.xxx.136 any
access-list acl_outside permit esp any host xxx.xxx.xxx.136
access-list acl_outside permit gre host xxx.xxx.xxx.136 any
access-list acl_outside permit gre any host xxx.xxx.xxx.136
access-list acl_outside permit tcp host xxx.xxx.xxx.136 any eq pptp
access-list acl_inside permit icmp 10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 host xxx.xxx.xxx.61 eq 10000
access-list acl_inside permit tcp 10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list acl_inside permit udp 10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 host xxx.xxx.xxx.212 eq www
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 host xxx.xxx.xxx.212 eq citrix-ica
access-list acl_inside permit tcp 10.1.2.0 255.255.255.0 host xxx.xxx.xxx.212 eq www
access-list acl_inside permit tcp 10.1.2.0 255.255.255.0 host xxx.xxx.xxx.212 eq citrix-ica
access-list acl_inside permit tcp 10.1.5.0 255.255.255.0 host xxx.xxx.xxx.212 eq citrix-ica
access-list acl_inside permit tcp 10.1.5.0 255.255.255.0 host xxx.xxx.xxx.212 eq www
access-list acl_inside permit tcp 10.1.90.0 255.255.255.0 host xxx.xxx.xxx.212 eq www
access-list acl_inside permit tcp 10.1.90.0 255.255.255.0 host xxx.xxx.xxx.212 eq citrix-ica
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq 5050
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq ssh
access-list acl_inside permit udp 10.1.1.0 255.255.255.0 any eq ntp
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq 123
access-list acl_inside permit tcp 10.7.34.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_inside permit udp 10.7.34.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_inside permit icmp 10.7.34.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_inside permit icmp host 10.1.1.25 any
access-list acl_inside permit icmp any host 10.1.1.25
access-list acl_inside permit esp xxx.xxx.xxx.0 255.255.255.0 host 10.1.1.25
access-list acl_inside permit ah xxx.xxx.xxx.0 255.255.255.0 host 10.1.1.25
access-list acl_inside permit ip xxx.xxx.xxx.0 255.255.255.0 host 10.1.1.25
access-list acl_inside permit tcp xxx.xxx.xxx.0 255.255.255.0 host 10.1.1.25
access-list acl_inside permit udp xxx.xxx.xxx.0 255.255.255.0 host 10.1.1.25
access-list acl_inside permit udp host 10.1.1.25 xxx.xxx.xxx.0 255.255.255.0
access-list acl_inside permit tcp host 10.1.1.25 xxx.xxx.xxx.0 255.255.255.0
access-list acl_inside permit ip host 10.1.1.25 xxx.xxx.xxx.0 255.255.255.0
access-list acl_inside permit esp host 10.1.1.25 xxx.xxx.xxx.0 255.255.255.0
access-list acl_inside permit ah host 10.1.1.25 xxx.xxx.xxx.0 255.255.255.0
access-list acl_inside permit icmp host 10.1.1.25 xxx.xxx.xxx.0 255.255.255.0
access-list acl_inside permit tcp 10.1.2.0 255.255.255.0 any eq www
access-list acl_inside permit tcp 10.1.2.0 255.255.255.0 any eq https
access-list acl_inside permit tcp 10.1.2.0 255.255.255.0 any eq ftp
access-list acl_inside permit tcp 10.1.2.0 255.255.255.0 any eq ftp-data
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq ftp-data
access-list acl_inside permit tcp 10.1.6.0 255.255.255.0 xxx.xxx.xxx.0 255.255.255.0 eq 10000
access-list acl_inside permit tcp 10.1.6.0 255.255.255.0 xxx.xxx.xxx.0 255.255.255.0 eq citrix-ica
access-list acl_inside permit icmp host 10.1.36.59 any
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq 1863
access-list acl_inside permit tcp host 10.1.36.59 any eq 2100
access-list acl_inside permit tcp host 10.1.6.151 any eq ftp
access-list acl_inside permit tcp host 10.1.6.151 any eq ftp-data
access-list acl_inside permit tcp host 10.1.6.62 any eq 10000
access-list acl_inside permit tcp host 10.1.6.122 host 12.96.247.99 eq 10000
access-list acl_inside permit icmp host 10.1.1.30 any
access-list acl_inside permit ip host 10.1.1.30 any
access-list acl_inside permit gre host 10.1.1.30 any
access-list acl_inside permit esp host 10.1.1.30 any
access-list acl_inside permit ah host 10.1.1.30 any
access-list acl_inside permit tcp host 10.1.1.2 any eq domain
access-list acl_inside permit udp host 10.1.1.2 any eq domain
access-list acl_inside permit tcp host 10.1.2.3 any eq domain
access-list acl_inside permit udp host 10.1.2.3 any eq domain
access-list acl_inside permit tcp host 10.1.6.1 any eq domain
access-list acl_inside permit udp host 10.1.6.1 any eq domain
access-list acl_inside permit tcp host 10.1.36.2 any eq domain
access-list acl_inside permit udp host 10.1.36.2 any eq domain
access-list acl_inside permit udp host 10.1.41.2 any eq domain
access-list acl_inside permit tcp host 10.1.41.2 any eq domain
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq ftp
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq 5050
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq https
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq ssh
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq 1863
access-list acl_inside permit udp 10.1.80.0 255.255.255.0 any eq 1863
access-list acl_inside permit udp 10.1.80.0 255.255.255.0 any eq ntp
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq 123
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq www
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq citrix-ica
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq pop3
access-list acl_inside permit tcp any host 10.1.1.14 eq ssh
access-list acl_inside permit tcp host 10.1.6.53 any eq ftp
access-list acl_inside permit tcp host 10.1.6.53 any eq ftp-data
access-list acl_inside permit tcp host 10.1.6.53 any eq https
access-list acl_inside permit icmp host 10.1.1.20 any
access-list acl_inside permit icmp any host 10.1.1.20
access-list acl_inside permit gre host 10.1.1.20 any
access-list acl_inside permit gre any host 10.1.1.20
access-list acl_inside permit ah host 10.1.1.20 any
access-list acl_inside permit ah any host 10.1.1.20
access-list acl_inside permit esp host 10.1.1.20 any
access-list acl_inside permit esp any host 10.1.1.20
access-list acl_inside permit ip host 10.1.1.20 any
access-list acl_inside permit ip any host 10.1.1.20
access-list acl_dmz1 permit icmp any any
access-list acl_dmz1 permit tcp any any
access-list acl_dmz1 permit udp any any
access-list acl_dmz1 permit ah any any
access-list acl_dmz1 permit esp any any
access-list pixtosw permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list pixtosw permit icmp 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list pixtosw permit ip 10.3.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list pixtosw permit icmp 10.3.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 10.1.0.0 255.255.255.0 any
access-list 101 permit icmp 10.1.0.0 255.255.255.0 any
access-list 101 permit ip any 10.1.0.0 255.255.255.0
access-list 101 permit icmp any 10.1.0.0 255.255.255.0
pager lines 23
logging on
logging timestamp
logging monitor notifications
logging trap notifications
logging facility 22
logging queue 0
logging host inside 10.1.1.20
mtu outside 1500
mtu inside 1500
mtu unused1 1500
mtu dmz1 1500
mtu unused3 1500
mtu VPN 1500
ip address outside xxx.xxx.xxx.130 255.255.255.128
ip address inside 10.1.0.129 255.255.0.0
ip address unused1 127.0.0.1 255.255.255.255
ip address dmz1 10.0.2.129 255.255.255.0
ip address unused3 127.0.0.1 255.255.255.0
no ip address VPN
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.0.10-10.1.0.20
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address unused1
no failover ip address dmz1
no failover ip address unused3
no failover ip address VPN
no pdm history enable
arp timeout 60
global (outside) 5 xxx.xxx.xxx.191
global (outside) 6 xxx.xxx.xxx.192
global (outside) 7 xxx.xxx.xxx.193
global (dmz1) 1 interface
nat (inside) 0 access-list 101
nat (inside) 5 10.1.2.2 255.255.255.255 0 0
nat (inside) 5 10.1.2.3 255.255.255.255 0 0
nat (inside) 5 10.1.2.4 255.255.255.255 0 0
nat (inside) 5 10.1.2.5 255.255.255.255 0 0
nat (inside) 5 10.1.2.6 255.255.255.255 0 0
nat (inside) 5 10.1.2.7 255.255.255.255 0 0
nat (inside) 5 10.1.2.8 255.255.255.255 0 0
nat (inside) 5 10.1.2.9 255.255.255.255 0 0
nat (inside) 5 10.1.2.10 255.255.255.255 0 0
nat (inside) 5 10.1.2.11 255.255.255.255 0 0
nat (inside) 5 10.1.2.12 255.255.255.255 0 0
nat (inside) 5 10.1.2.13 255.255.255.255 0 0
nat (inside) 5 10.1.2.14 255.255.255.255 0 0
nat (inside) 5 10.1.2.15 255.255.255.255 0 0
nat (inside) 5 10.1.2.16 255.255.255.255 0 0
nat (inside) 5 10.1.2.17 255.255.255.255 0 0
nat (inside) 5 10.1.2.18 255.255.255.255 0 0
nat (inside) 5 10.1.2.19 255.255.255.255 0 0
nat (inside) 5 10.1.2.20 255.255.255.255 0 0
nat (inside) 5 10.1.2.21 255.255.255.255 0 0
nat (inside) 5 10.1.2.22 255.255.255.255 0 0
nat (inside) 5 10.1.2.23 255.255.255.255 0 0
nat (inside) 5 10.1.2.24 255.255.255.255 0 0
nat (inside) 5 10.1.2.40 255.255.255.255 0 0
nat (inside) 5 10.1.2.41 255.255.255.255 0 0
nat (inside) 5 10.1.2.42 255.255.255.255 0 0
nat (inside) 5 10.1.2.43 255.255.255.255 0 0
nat (inside) 5 10.1.2.44 255.255.255.255 0 0
nat (inside) 6 10.1.6.53 255.255.255.255 0 0
nat (inside) 6 10.1.6.62 255.255.255.255 0 0
nat (inside) 6 10.1.6.122 255.255.255.255 0 0
nat (inside) 6 10.1.6.151 255.255.255.255 0 0
nat (inside) 5 10.1.1.0 255.255.255.0 0 0
nat (inside) 7 10.1.21.0 255.255.255.0 0 0
static (dmz1,outside) xxx.xxx.xxx.143 10.0.2.143 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.140 10.0.2.140 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.144 10.0.2.144 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.141 10.0.2.141 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.154 10.1.6.154 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.145 10.1.1.25 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.159 10.1.36.59 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.142 10.0.2.142 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.146 10.0.2.146 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.147 10.0.2.147 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.137 10.1.1.14 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.148 10.0.2.148 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.138 10.1.1.30 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.136 10.1.1.20 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
access-group acl_dmz1 in interface dmz1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129 1
route outside 10.3.1.0 255.255.255.0 xxx.xxx.xxx.130 1
route inside 10.7.32.0 255.255.255.0 10.1.2.128 1
route inside 10.7.33.0 255.255.255.0 10.1.2.128 1
route inside 10.7.34.0 255.255.255.0 10.1.2.128 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 10.1.90.2 ******** timeout 10
ntp server 203.21.37.18 source outside
no snmp-server location
no snmp-server contact
snmp-server community ess
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt ipsec pl-compatible
sysopt noproxyarp inside
sysopt noproxyarp dmz1
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer xxx.xxx.xxx.146
crypto map tosonicwall 20 set transform-set strongsha
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.146 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.1.1.2 10.1.2.3
vpngroup vpn3000 wins-server 10.1.1.2 10.1.2.3
vpngroup vpn3000 default-domain *******.com
vpngroup vpn3000 split-dns ********.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 max-time 86400
vpngroup vpn3000 password ********
telnet timeout 15
ssh 10.1.1.0 255.255.255.0 inside
ssh 10.1.2.0 255.255.255.0 inside
ssh 10.1.90.0 255.255.255.0 inside
ssh 10.1.5.0 255.255.255.0 inside
ssh 10.1.0.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
terminal width 80
 
I've already tried used/unused subnets alike. Doesn't matter. I can access anything on the inside interface, nothing from the DMZ.


access-list acl_inside permit tcp host 10.1.6.151 any eq ftp
access-list acl_inside permit tcp host 10.1.6.151 any eq ftp-data
access-list acl_inside permit tcp host 10.1.6.62 any eq 10000
access-list acl_inside permit tcp host 10.1.6.122 host 12.96.247.99 eq 10000
access-list acl_inside permit icmp host 10.1.1.30 any
access-list acl_inside permit ip host 10.1.1.30 any
access-list acl_inside permit gre host 10.1.1.30 any
access-list acl_inside permit esp host 10.1.1.30 any
access-list acl_inside permit ah host 10.1.1.30 any
access-list acl_inside permit tcp host 10.1.1.2 any eq domain
access-list acl_inside permit udp host 10.1.1.2 any eq domain
access-list acl_inside permit tcp host 10.1.2.3 any eq domain
access-list acl_inside permit udp host 10.1.2.3 any eq domain
access-list acl_inside permit tcp host 10.1.6.1 any eq domain
access-list acl_inside permit udp host 10.1.6.1 any eq domain
access-list acl_inside permit tcp host 10.1.36.2 any eq domain
access-list acl_inside permit udp host 10.1.36.2 any eq domain
access-list acl_inside permit udp host 10.1.41.2 any eq domain
access-list acl_inside permit tcp host 10.1.41.2 any eq domain
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq ftp
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq 5050
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq https
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq ssh
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq 1863
access-list acl_inside permit udp 10.1.80.0 255.255.255.0 any eq 1863
access-list acl_inside permit udp 10.1.80.0 255.255.255.0 any eq ntp
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq 123
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq www
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq citrix-ica
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq pop3
access-list acl_inside permit tcp any host 10.1.1.14 eq ssh
access-list acl_inside permit tcp host 10.1.6.53 any eq ftp
access-list acl_inside permit tcp host 10.1.6.53 any eq ftp-data
access-list acl_inside permit tcp host 10.1.6.53 any eq https
access-list acl_inside permit icmp host 10.1.1.20 any
access-list acl_inside permit icmp any host 10.1.1.20
access-list acl_inside permit gre host 10.1.1.20 any
access-list acl_inside permit gre any host 10.1.1.20
access-list acl_inside permit ah host 10.1.1.20 any
access-list acl_inside permit ah any host 10.1.1.20
access-list acl_inside permit esp host 10.1.1.20 any
access-list acl_inside permit esp any host 10.1.1.20
access-list acl_inside permit ip host 10.1.1.20 any
access-list acl_inside permit ip any host 10.1.1.20
access-list acl_dmz1 permit icmp any any
access-list acl_dmz1 permit tcp any any
access-list acl_dmz1 permit udp any any
access-list acl_dmz1 permit ah any any
access-list acl_dmz1 permit esp any any
access-list pixtosw permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list pixtosw permit icmp 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list pixtosw permit ip 10.3.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list pixtosw permit icmp 10.3.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 10.1.0.0 255.255.255.0 any
access-list 101 permit icmp 10.1.0.0 255.255.255.0 any
access-list 101 permit ip any 10.1.0.0 255.255.255.0
access-list 101 permit icmp any 10.1.0.0 255.255.255.0
pager lines 23
logging on
logging timestamp
logging monitor notifications
logging trap notifications
logging facility 22
logging queue 0
logging host inside 10.1.1.20
mtu outside 1500
mtu inside 1500
mtu unused1 1500
mtu dmz1 1500
mtu unused3 1500
mtu VPN 1500
ip address outside xxx.xxx.xxx.130 255.255.255.128
ip address inside 10.1.0.129 255.255.0.0
ip address unused1 127.0.0.1 255.255.255.255
ip address dmz1 10.0.2.129 255.255.255.0
ip address unused3 127.0.0.1 255.255.255.0
no ip address VPN
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.0.10-10.1.0.20
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address unused1
no failover ip address dmz1
no failover ip address unused3
no failover ip address VPN
no pdm history enable
arp timeout 60
global (outside) 5 xxx.xxx.xxx.191
global (outside) 6 xxx.xxx.xxx.192
global (outside) 7 xxx.xxx.xxx.193
global (dmz1) 1 interface
nat (inside) 0 access-list 101
nat (inside) 5 10.1.2.2 255.255.255.255 0 0
nat (inside) 5 10.1.2.3 255.255.255.255 0 0
nat (inside) 5 10.1.2.4 255.255.255.255 0 0
nat (inside) 5 10.1.2.5 255.255.255.255 0 0
nat (inside) 5 10.1.2.6 255.255.255.255 0 0
nat (inside) 5 10.1.2.7 255.255.255.255 0 0
nat (inside) 5 10.1.2.8 255.255.255.255 0 0
nat (inside) 5 10.1.2.9 255.255.255.255 0 0
nat (inside) 5 10.1.2.10 255.255.255.255 0 0
nat (inside) 5 10.1.2.11 255.255.255.255 0 0
nat (inside) 5 10.1.2.12 255.255.255.255 0 0
nat (inside) 5 10.1.2.13 255.255.255.255 0 0
nat (inside) 5 10.1.2.14 255.255.255.255 0 0
nat (inside) 5 10.1.2.15 255.255.255.255 0 0
nat (inside) 5 10.1.2.16 255.255.255.255 0 0
nat (inside) 5 10.1.2.17 255.255.255.255 0 0
nat (inside) 5 10.1.2.18 255.255.255.255 0 0
nat (inside) 5 10.1.2.19 255.255.255.255 0 0
nat (inside) 5 10.1.2.20 255.255.255.255 0 0
nat (inside) 5 10.1.2.21 255.255.255.255 0 0
nat (inside) 5 10.1.2.22 255.255.255.255 0 0
nat (inside) 5 10.1.2.23 255.255.255.255 0 0
nat (inside) 5 10.1.2.24 255.255.255.255 0 0
nat (inside) 5 10.1.2.40 255.255.255.255 0 0
nat (inside) 5 10.1.2.41 255.255.255.255 0 0
nat (inside) 5 10.1.2.42 255.255.255.255 0 0
nat (inside) 5 10.1.2.43 255.255.255.255 0 0
nat (inside) 5 10.1.2.44 255.255.255.255 0 0
nat (inside) 6 10.1.6.53 255.255.255.255 0 0
nat (inside) 6 10.1.6.62 255.255.255.255 0 0
nat (inside) 6 10.1.6.122 255.255.255.255 0 0
nat (inside) 6 10.1.6.151 255.255.255.255 0 0
nat (inside) 5 10.1.1.0 255.255.255.0 0 0
nat (inside) 7 10.1.21.0 255.255.255.0 0 0
static (dmz1,outside) xxx.xxx.xxx.143 10.0.2.143 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.140 10.0.2.140 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.144 10.0.2.144 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.141 10.0.2.141 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.154 10.1.6.154 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.145 10.1.1.25 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.159 10.1.36.59 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.142 10.0.2.142 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.146 10.0.2.146 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.147 10.0.2.147 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.137 10.1.1.14 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.148 10.0.2.148 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.138 10.1.1.30 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.136 10.1.1.20 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
access-group acl_dmz1 in interface dmz1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129 1
route outside 10.3.1.0 255.255.255.0 xxx.xxx.xxx.130 1
route inside 10.7.32.0 255.255.255.0 10.1.2.128 1
route inside 10.7.33.0 255.255.255.0 10.1.2.128 1
route inside 10.7.34.0 255.255.255.0 10.1.2.128 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 10.1.90.2 ******** timeout 10
ntp server 203.21.37.18 source outside
no snmp-server location
no snmp-server contact
snmp-server community ess
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt ipsec pl-compatible
sysopt noproxyarp inside
sysopt noproxyarp dmz1
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer xxx.xxx.xxx.146
crypto map tosonicwall 20 set transform-set strongsha
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.146 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.1.1.2 10.1.2.3
vpngroup vpn3000 wins-server 10.1.1.2 10.1.2.3
vpngroup vpn3000 default-domain *******.com
vpngroup vpn3000 split-dns ********.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 max-time 86400
vpngroup vpn3000 password ********
telnet timeout 15
ssh 10.1.1.0 255.255.255.0 inside
ssh 10.1.2.0 255.255.255.0 inside
ssh 10.1.90.0 255.255.255.0 inside
ssh 10.1.5.0 255.255.255.0 inside
ssh 10.1.0.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
terminal width 80
 
I've already tried using 10.1.7.x, 10.10.10.x, etc etc etc. Same thing. It's set at 10.1.7.x right now. That's an unused subnet. We're not going to use 192.168.x.x because too many people use those in their homes and it causes problems with routing. That's not something that can/is going to change. We already ran into this problem with Microsoft VPN clients...and we have over 300 of those. When we stopped assigning 192.168 addresses to VPN clients, we stopped having routing issues. But, we're migrating everything to Cisco VPN clients, and this is the last obstacle. We use 192.168.x.x addresses internal to our network for development machines that could be located anywhere. The rest of the 10.x addresses are used for actual production machines.

I've got to believe that this is not a used/unused subnet problem...until proven otherwise. If I use 10.1.7.10-10.1.7.20 vs 10.1.0.10-10.1.0.20, it yields the same result; access to EVERYWHERE in the network except the 4 machines in the DMZ.
 
HI.

> ip address inside 10.1.0.129 255.255.0.0
...
> ... It's set at 10.1.7.x right now ...
But 10.1.7.x still overlaps with 10.1.x.x/16.
BTW - there is also an overlap of your internal and DMZ addresses, which could also add unneeded complexity and problems. So the DMZ network should also be reconfigured, or the subnet mask of "inside" (if you are using class C only on inside).

Try using 10.10.10.x or 172.16.x.x for VPN clients.

> I've got to believe that this is not a used/unused subnet problem...
This is not the whole issue, but it should be fixed before I can help you with the DMZ access issue, because it depends.

> until proven otherwise
I can tell you that VPN access to DMZ can be enabled and that it works once configured properly.


Yizhar Hurwitz
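Added illustration for the point above that VPN-to-DMZ access works once configured properly; this is not part of the thread and not the poster's config. On PIX 6.x a packet that enters on a lower-security interface and is destined for a host on a higher-security one needs a translation for that destination: either a static whose mapped address covers it, or a "nat (ifname) 0 access-list" on the destination's own interface that exempts it. "sysopt connection permit-ipsec" bypasses the interface ACL for decrypted client traffic, not this translation check. In the config posted above the inside hosts get their exemption from "nat (inside) 0 access-list 101", but there is nothing equivalent on dmz1: "static (inside,dmz1) 10.0.0.0 10.0.0.0" only sits between inside and dmz1, so it does nothing for traffic entering on outside, and the "static (dmz1,outside)" entries only map the public addresses, not 10.0.2.x. acl_dmz1 is already permit any any for tcp/udp/icmp, so the ACL is not what blocks it.

The script models that rule over a condensed, constructed copy of the posted config and answers, from a pool client's point of view, whether a destination is reachable and why, checking the split-tunnel list first (if the ACL does not cover the DMZ, the client never sends that traffic into the tunnel at all). Assumptions: the pool is 172.16.10.0/24 (following the 172.16.x.x suggestion), the masked public addresses are written as 203.0.113.N, the parser only understands the "permit ip" form of ACL entries, and the failure text names the PIX "No translation group found" syslog ID.

```python
import ipaddress

# Constructed sample, not the full config from the thread: only the statements that
# decide whether a VPN client reaches a host. Pool moved to 172.16.10.0/24 (assumed),
# public addresses written as 203.0.113.N in place of the masked xxx.xxx.xxx.N.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet3 dmz1 security40
ip address outside 203.0.113.130 255.255.255.128
ip address inside 10.1.0.129 255.255.0.0
ip address dmz1 10.0.2.129 255.255.255.0
ip local pool ippool 172.16.10.10-172.16.10.20
access-list 101 permit ip 10.1.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list 101 permit ip 10.0.2.0 255.255.255.0 172.16.10.0 255.255.255.0
nat (inside) 0 access-list 101
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (dmz1,outside) 203.0.113.144 10.0.2.144 netmask 255.255.255.255 0 0
crypto map mymap interface outside
sysopt connection permit-ipsec
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 split-tunnel 101
"""

# The statement the sample lacks: identity NAT for DMZ hosts towards the pool,
# the dmz1 counterpart of the existing "nat (inside) 0 access-list 101".
DMZ_FIX = "nat (dmz1) 0 access-list 101\n"


def _addr(tokens, i):
    """Parse one PIX address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pix(text):
    """Collect security levels, subnets, pool, 'permit ip' ACLs, nat 0 and static entries."""
    cfg = {"security": {}, "subnet": {}, "acl": {}, "nat0": {}, "static": [],
           "pool": None, "vpn_if": None, "split": None}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            cfg["security"][t[2]] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"]:
            cfg["subnet"][t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pool"] = ipaddress.ip_address(t[4].split("-")[0])
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            cfg["acl"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "static":
            high, low = t[1].strip("()").split(",")
            mapped = ipaddress.ip_network(f"{t[2]}/{t[t.index('netmask') + 1]}", strict=False)
            cfg["static"].append((high, low, mapped))
        elif t[:2] == ["crypto", "map"] and "interface" in t:
            cfg["vpn_if"] = t[-1]          # interface where IPsec clients terminate
        elif t[0] == "vpngroup" and t[2] == "split-tunnel":
            cfg["split"] = t[3]
    return cfg


def _acl_permits(cfg, name, src_ip, dst_ip):
    return any(src_ip in s and dst_ip in d for s, d in cfg["acl"].get(name, []))


def vpn_client_can_reach(cfg, dest):
    """Return (ok, reason) for a pool client sending to dest through the tunnel."""
    dest = ipaddress.ip_address(dest)
    client = cfg["pool"]                   # every pool address is treated alike
    dest_if = next((n for n, net in cfg["subnet"].items() if dest in net), None)
    if dest_if is None:
        return False, f"{dest} is on no PIX interface"
    # 1. The client only encrypts what the split-tunnel ACL lists (PIX side:
    #    src = protected network, dst = pool); anything else leaves in the clear.
    if cfg["split"] and not _acl_permits(cfg, cfg["split"], dest, client):
        return False, f"split-tunnel ACL {cfg['split']} does not cover {dest}"
    # 2. Decrypted traffic enters on vpn_if. Towards a higher-security interface the
    #    destination needs an xlate; sysopt connection permit-ipsec only skips the ACL.
    if cfg["security"][dest_if] <= cfg["security"][cfg["vpn_if"]]:
        return True, f"{dest_if} is not higher security than {cfg['vpn_if']}"
    for high, low, mapped in cfg["static"]:
        if high == dest_if and low == cfg["vpn_if"] and dest in mapped:
            return True, f"static ({high},{low}) covers {dest}"
    acl = cfg["nat0"].get(dest_if)
    if acl and _acl_permits(cfg, acl, dest, client):
        return True, f"nat ({dest_if}) 0 access-list {acl} exempts {dest}"
    return False, f"no static or nat 0 on {dest_if} for {dest}: expect %PIX-3-305005"


if __name__ == "__main__":
    before, after = parse_pix(SAMPLE_CONFIG), parse_pix(SAMPLE_CONFIG + DMZ_FIX)
    for host in ("10.1.1.2", "10.0.2.144"):
        print(host, "before:", vpn_client_can_reach(before, host))
        print(host, "after: ", vpn_client_can_reach(after, host))
```

Run as-is it reports the inside host reachable through the nat 0 exemption, the DMZ host failing for lack of any translation, and the DMZ host reachable once the one-line fix is appended. On the box itself the same symptom shows up as %PIX-3-305005 on the syslog host the config already points at (10.1.1.20), and "show xlate" will have no entry for the DMZ host while the client is trying. Side note for anyone pasting a config into a public forum: the posted config masks the RADIUS key but leaves the enable/passwd hashes and the SNMP community string in place; those want masking too.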
 
The ippool is now set to 10.4.1.10-10.4.1.20. This should not be an overlapping subnet now.

Every host can ping the VPN clients (DMZ hosts, inside hosts), but the VPN clients can only ping hosts on the inside interface. They still cannot access anything in the DMZ. Here's the updated config.

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 unused1 security10
nameif ethernet3 dmz1 security40
nameif ethernet4 unused3 security60
nameif ethernet5 VPN security10
enable password z23N8AO5Ly59fYIP encrypted
passwd Vy9CsBcpPoTrbRZb encrypted
hostname pix
domain-name essvote.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_outside permit tcp any host xxx.xxx.xxx.140 eq domain
access-list acl_outside permit udp any host xxx.xxx.xxx.140 eq domain
access-list acl_outside permit tcp any host xxx.xxx.xxx.143 eq ftp
access-list acl_outside permit tcp any host xxx.xxx.xxx.144 eq smtp
access-list acl_outside permit tcp any host xxx.xxx.xxx.144 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.141 eq domain
access-list acl_outside permit udp any host xxx.xxx.xxx.141 eq domain
access-list acl_outside permit tcp any host xxx.xxx.xxx.141 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.141 eq smtp
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq 5050
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq ftp
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq ssh
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq https
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq citrix-ica
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq 123
access-list acl_outside permit udp host xxx.xxx.xxx.191 any eq ntp
access-list acl_outside permit tcp host xxx.xxx.xxx.154 host xxx.xxx.xxx eq pptp
access-list acl_outside permit tcp host xxx.xxx.xxx host xxx.xxx.xxx.154 eq pptp
access-list acl_outside permit gre host xxx.xxx.xxx host xxx.xxx.xxx.154
access-list acl_outside permit gre host xxx.xxx.xxx.154 host xxx.xxx.xxx
access-list acl_outside deny ip host xxx.xxx.xxx.154 any
access-list acl_outside permit tcp host xxx.xxx.xxx.192 host xxx.xxx.xxx.212 eq citrix-ica
access-list acl_outside permit tcp host xxx.xxx.xxx.192 host xxx.xxx.xxx.212 eq www
access-list acl_outside permit esp xxx.xxx.xxx.0 255.255.255.0 host xxx.xxx.xxx.145
access-list acl_outside permit ah xxx.xxx.xxx.0 255.255.255.0 host xxx.xxx.xxx.145
access-list acl_outside permit ip xxx.xxx.xxx.0 255.255.255.0 host xxx.xxx.xxx.145
access-list acl_outside permit tcp xxx.xxx.xxx.0 255.255.255.0 host xxx.xxx.xxx.145
access-list acl_outside permit udp xxx.xxx.xxx.0 255.255.255.0 host xxx.xxx.xxx.145
access-list acl_outside permit esp host xxx.xxx.xxx.145 xxx.xxx.xxx.0 255.255.255.0
access-list acl_outside permit ah host xxx.xxx.xxx.145 xxx.xxx.xxx.0 255.255.255.0
access-list acl_outside permit ip host xxx.xxx.xxx.145 xxx.xxx.xxx.0 255.255.255.0
access-list acl_outside permit tcp host xxx.xxx.xxx.145 xxx.xxx.xxx.0 255.255.255.0
access-list acl_outside permit udp host xxx.xxx.xxx.145 xxx.xxx.xxx.0 255.255.255.0
access-list acl_outside permit icmp xxx.xxx.xxx.0 255.255.255.0 host xxx.xxx.xxx.145
access-list acl_outside permit icmp host xxx.xxx.xxx.145 xxx.xxx.xxx.0 255.255.255.0
access-list acl_outside permit tcp any host xxx.xxx.xxx.159 eq 2100
access-list acl_outside permit icmp any host xxx.xxx.xxx.159
access-list acl_outside permit icmp host xxx.xxx.xxx.159 any
access-list acl_outside permit ah host xxx.xxx.xxx.138 any
access-list acl_outside permit esp host xxx.xxx.xxx.138 any
access-list acl_outside permit tcp host xxx.xxx.xxx.192 any eq www
access-list acl_outside permit tcp host xxx.xxx.xxx.192 any eq ftp
access-list acl_outside permit tcp host xxx.xxx.xxx.192 any eq https
access-list acl_outside permit tcp host xxx.xxx.xxx.192 any eq citrix-ica
access-list acl_outside permit tcp any host xxx.xxx.xxx.142 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.142 eq https
access-list acl_outside permit tcp any host xxx.xxx.xxx.146 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.146 eq https
access-list acl_outside permit tcp any host xxx.xxx.xxx.147 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.147 eq https
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq 10000
access-list acl_outside permit tcp host xxx.xxx.xxx.192 any eq 10000
access-list acl_outside permit esp host xxx.xxx.xxx.191 any
access-list acl_outside permit tcp any host xxx.xxx.xxx.141 eq 995
access-list acl_outside permit udp any host xxx.xxx.xxx.141 eq 995
access-list acl_outside permit tcp any host xxx.xxx.xxx.140 eq smtp
access-list acl_outside permit tcp any host xxx.xxx.xxx.141 eq https
access-list acl_outside permit udp host xxx.xxx.xxx.191 any eq dnsix
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq domain
access-list acl_outside permit gre host xxx.xxx.xxx.138 any
access-list acl_outside permit gre any host xxx.xxx.xxx.138
access-list acl_outside permit icmp any host xxx.xxx.xxx.138
access-list acl_outside permit tcp host xxx.xxx.xxx.191 any eq pop3
access-list acl_outside permit tcp any host xxx.xxx.xxx.137 eq ssh
access-list acl_outside permit tcp any host xxx.xxx.xxx.148 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.148 eq https
access-list acl_outside permit esp any host xxx.xxx.xxx.130
access-list acl_outside permit ah any host xxx.xxx.xxx.130
access-list acl_outside permit udp any host xxx.xxx.xxx.130 eq isakmp
access-list acl_outside permit tcp any host xxx.xxx.xxx.130 eq 500
access-list acl_outside permit tcp any host xxx.xxx.xxx.130 eq ssh
access-list acl_outside permit icmp host xxx.xxx.xxx.136 any
access-list acl_outside permit icmp any host xxx.xxx.xxx.136
access-list acl_outside permit ip host xxx.xxx.xxx.136 any
access-list acl_outside permit tcp any host xxx.xxx.xxx.136 eq pptp
access-list acl_outside permit ah host xxx.xxx.xxx.136 any
access-list acl_outside permit ah any host xxx.xxx.xxx.136
access-list acl_outside permit esp host xxx.xxx.xxx.136 any
access-list acl_outside permit esp any host xxx.xxx.xxx.136
access-list acl_outside permit gre host xxx.xxx.xxx.136 any
access-list acl_outside permit gre any host xxx.xxx.xxx.136
access-list acl_outside permit tcp host xxx.xxx.xxx.136 any eq pptp
access-list acl_inside permit icmp 10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 host xxx.xxx.xxx.61 eq 10000
access-list acl_inside permit tcp 10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list acl_inside permit udp 10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 host xxx.xxx.xxx.212 eq www
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 host xxx.xxx.xxx.212 eq citrix-ica
access-list acl_inside permit tcp 10.1.2.0 255.255.255.0 host xxx.xxx.xxx.212 eq www
access-list acl_inside permit tcp 10.1.2.0 255.255.255.0 host xxx.xxx.xxx.212 eq citrix-ica
access-list acl_inside permit tcp 10.1.5.0 255.255.255.0 host xxx.xxx.xxx.212 eq citrix-ica
access-list acl_inside permit tcp 10.1.5.0 255.255.255.0 host xxx.xxx.xxx.212 eq www
access-list acl_inside permit tcp 10.1.90.0 255.255.255.0 host xxx.xxx.xxx.212 eq www
access-list acl_inside permit tcp 10.1.90.0 255.255.255.0 host xxx.xxx.xxx.212 eq citrix-ica
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq 5050
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq ssh
access-list acl_inside permit udp 10.1.1.0 255.255.255.0 any eq ntp
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq 123
access-list acl_inside permit tcp 10.7.34.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_inside permit udp 10.7.34.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_inside permit icmp 10.7.34.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_inside permit icmp host 10.1.1.25 any
access-list acl_inside permit icmp any host 10.1.1.25
access-list acl_inside permit esp xxx.xxx.xxx.0 255.255.255.0 host 10.1.1.25
access-list acl_inside permit ah xxx.xxx.xxx.0 255.255.255.0 host 10.1.1.25
access-list acl_inside permit ip xxx.xxx.xxx.0 255.255.255.0 host 10.1.1.25
access-list acl_inside permit tcp xxx.xxx.xxx.0 255.255.255.0 host 10.1.1.25
access-list acl_inside permit udp xxx.xxx.xxx.0 255.255.255.0 host 10.1.1.25
access-list acl_inside permit udp host 10.1.1.25 xxx.xxx.xxx.0 255.255.255.0
access-list acl_inside permit tcp host 10.1.1.25 xxx.xxx.xxx.0 255.255.255.0
access-list acl_inside permit ip host 10.1.1.25 xxx.xxx.xxx.0 255.255.255.0
access-list acl_inside permit esp host 10.1.1.25 xxx.xxx.xxx.0 255.255.255.0
access-list acl_inside permit ah host 10.1.1.25 xxx.xxx.xxx.0 255.255.255.0
access-list acl_inside permit icmp host 10.1.1.25 xxx.xxx.xxx.0 255.255.255.0
access-list acl_inside permit tcp 10.1.2.0 255.255.255.0 any eq www
access-list acl_inside permit tcp 10.1.2.0 255.255.255.0 any eq https
access-list acl_inside permit tcp 10.1.2.0 255.255.255.0 any eq ftp
access-list acl_inside permit tcp 10.1.2.0 255.255.255.0 any eq ftp-data
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq ftp-data
access-list acl_inside permit tcp 10.1.6.0 255.255.255.0 xxx.xxx.xxx.0 255.255.255.0 eq 10000
access-list acl_inside permit tcp 10.1.6.0 255.255.255.0 xxx.xxx.xxx.0 255.255.255.0 eq citrix-ica
access-list acl_inside permit icmp host 10.1.36.59 any
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq 1863
access-list acl_inside permit tcp host 10.1.36.59 any eq 2100
access-list acl_inside permit tcp host 10.1.6.151 any eq ftp
access-list acl_inside permit tcp host 10.1.6.151 any eq ftp-data
access-list acl_inside permit tcp host 10.1.6.151 any eq https
access-list acl_inside permit tcp host 10.1.6.62 any eq 10000
access-list acl_inside permit tcp host 10.1.6.122 host 12.96.247.99 eq 10000
access-list acl_inside permit icmp host 10.1.1.30 any
access-list acl_inside permit ip host 10.1.1.30 any
access-list acl_inside permit gre host 10.1.1.30 any
access-list acl_inside permit esp host 10.1.1.30 any
access-list acl_inside permit ah host 10.1.1.30 any
access-list acl_inside permit tcp host 10.1.1.2 any eq domain
access-list acl_inside permit udp host 10.1.1.2 any eq domain
access-list acl_inside permit tcp host 10.1.2.3 any eq domain
access-list acl_inside permit udp host 10.1.2.3 any eq domain
access-list acl_inside permit tcp host 10.1.6.1 any eq domain
access-list acl_inside permit udp host 10.1.6.1 any eq domain
access-list acl_inside permit tcp host 10.1.36.2 any eq domain
access-list acl_inside permit udp host 10.1.36.2 any eq domain
access-list acl_inside permit udp host 10.1.41.2 any eq domain
access-list acl_inside permit tcp host 10.1.41.2 any eq domain
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq ftp
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq 5050
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq https
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq ssh
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq 1863
access-list acl_inside permit udp 10.1.80.0 255.255.255.0 any eq 1863
access-list acl_inside permit udp 10.1.80.0 255.255.255.0 any eq ntp
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq 123
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq www
access-list acl_inside permit tcp 10.1.80.0 255.255.255.0 any eq citrix-ica
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq pop3
access-list acl_inside permit tcp any host 10.1.1.14 eq ssh
access-list acl_inside permit tcp host 10.1.6.53 any eq ftp
access-list acl_inside permit tcp host 10.1.6.53 any eq ftp-data
access-list acl_inside permit tcp host 10.1.6.53 any eq https
access-list acl_inside permit icmp host 10.1.1.20 any
access-list acl_inside permit icmp any host 10.1.1.20
access-list acl_inside permit gre host 10.1.1.20 any
access-list acl_inside permit gre any host 10.1.1.20
access-list acl_inside permit ah host 10.1.1.20 any
access-list acl_inside permit ah any host 10.1.1.20
access-list acl_inside permit esp host 10.1.1.20 any
access-list acl_inside permit esp any host 10.1.1.20
access-list acl_inside permit ip host 10.1.1.20 any
access-list acl_inside permit ip any host 10.1.1.20
access-list acl_dmz1 permit icmp any any
access-list acl_dmz1 permit tcp any any
access-list acl_dmz1 permit udp any any
access-list acl_dmz1 permit ah any any
access-list acl_dmz1 permit esp any any
access-list acl_dmz1 permit icmp 10.4.1.0 255.255.255.0 any
access-list acl_dmz1 permit icmp any 10.4.1.0 255.255.255.0
access-list acl_dmz1 permit ip any 10.4.1.0 255.255.255.0
access-list acl_dmz1 permit ip 10.4.1.0 255.255.255.0 any
access-list pixtosw permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list pixtosw permit icmp 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list pixtosw permit ip 10.3.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list pixtosw permit icmp 10.3.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list 101 permit icmp 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list 101 permit icmp 10.4.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 10.4.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit icmp 10.0.2.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list 101 permit icmp 10.4.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip 10.0.2.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list 101 permit ip 10.4.1.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 23
logging on
logging timestamp
logging monitor notifications
logging trap notifications
logging facility 22
logging queue 0
logging host inside 10.1.1.20
mtu outside 1500
mtu inside 1500
mtu unused1 1500
mtu dmz1 1500
mtu unused3 1500
mtu VPN 1500
ip address outside xxx.xxx.xxx.130 255.255.255.128
ip address inside 10.1.0.129 255.255.0.0
ip address unused1 127.0.0.1 255.255.255.255
ip address dmz1 10.0.2.129 255.255.255.0
ip address unused3 127.0.0.1 255.255.255.0
no ip address VPN
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.4.1.10-10.4.1.20
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address unused1
no failover ip address dmz1
no failover ip address unused3
no failover ip address VPN
no pdm history enable
arp timeout 60
global (outside) 5 xxx.xxx.xxx.191
global (outside) 6 xxx.xxx.xxx.192
global (outside) 7 xxx.xxx.xxx.193
global (dmz1) 1 interface
nat (inside) 0 access-list 101
nat (inside) 5 10.1.2.2 255.255.255.255 0 0
nat (inside) 5 10.1.2.3 255.255.255.255 0 0
nat (inside) 5 10.1.2.4 255.255.255.255 0 0
nat (inside) 5 10.1.2.5 255.255.255.255 0 0
nat (inside) 5 10.1.2.6 255.255.255.255 0 0
nat (inside) 5 10.1.2.7 255.255.255.255 0 0
nat (inside) 5 10.1.2.8 255.255.255.255 0 0
nat (inside) 5 10.1.2.9 255.255.255.255 0 0
nat (inside) 5 10.1.2.10 255.255.255.255 0 0
nat (inside) 5 10.1.2.11 255.255.255.255 0 0
nat (inside) 5 10.1.2.12 255.255.255.255 0 0
nat (inside) 5 10.1.2.13 255.255.255.255 0 0
nat (inside) 5 10.1.2.14 255.255.255.255 0 0
nat (inside) 5 10.1.2.15 255.255.255.255 0 0
nat (inside) 5 10.1.2.16 255.255.255.255 0 0
nat (inside) 5 10.1.2.17 255.255.255.255 0 0
nat (inside) 5 10.1.2.18 255.255.255.255 0 0
nat (inside) 5 10.1.2.19 255.255.255.255 0 0
nat (inside) 5 10.1.2.20 255.255.255.255 0 0
nat (inside) 5 10.1.2.21 255.255.255.255 0 0
nat (inside) 5 10.1.2.22 255.255.255.255 0 0
nat (inside) 5 10.1.2.23 255.255.255.255 0 0
nat (inside) 5 10.1.2.24 255.255.255.255 0 0
nat (inside) 5 10.1.2.40 255.255.255.255 0 0
nat (inside) 5 10.1.2.41 255.255.255.255 0 0
nat (inside) 5 10.1.2.42 255.255.255.255 0 0
nat (inside) 5 10.1.2.43 255.255.255.255 0 0
nat (inside) 5 10.1.2.44 255.255.255.255 0 0
nat (inside) 6 10.1.6.53 255.255.255.255 0 0
nat (inside) 6 10.1.6.62 255.255.255.255 0 0
nat (inside) 6 10.1.6.122 255.255.255.255 0 0
nat (inside) 6 10.1.6.151 255.255.255.255 0 0
nat (inside) 5 10.1.1.0 255.255.255.0 0 0
nat (inside) 7 10.1.21.0 255.255.255.0 0 0
static (dmz1,outside) xxx.xxx.xxx.143 10.0.2.143 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.140 10.0.2.140 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.144 10.0.2.144 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.141 10.0.2.141 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.154 10.1.6.154 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.145 10.1.1.25 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.159 10.1.36.59 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.142 10.0.2.142 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.146 10.0.2.146 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.147 10.0.2.147 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.137 10.1.1.14 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.148 10.0.2.148 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.138 10.1.1.30 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.136 10.1.1.20 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
access-group acl_dmz1 in interface dmz1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129 1
route outside 10.3.1.0 255.255.255.0 xxx.xxx.xxx.130 1
route inside 10.7.32.0 255.255.255.0 10.1.2.128 1
route inside 10.7.33.0 255.255.255.0 10.1.2.128 1
route inside 10.7.34.0 255.255.255.0 10.1.2.128 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 10.1.90.2 ************** timeout 10
ntp server 203.21.37.18 source outside
no snmp-server location
no snmp-server contact
snmp-server community ess
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
sysopt noproxyarp dmz1
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer xxx.xxx.xxx.xxx
crypto map tosonicwall 20 set transform-set strongsha
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.1.1.2 10.1.2.3
vpngroup vpn3000 wins-server 10.1.1.2 10.1.2.3
vpngroup vpn3000 default-domain essvote.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 max-time 86400
vpngroup vpn3000 password ********
telnet timeout 15
ssh 10.1.1.0 255.255.255.0 inside
ssh 10.1.2.0 255.255.255.0 inside
ssh 10.1.90.0 255.255.255.0 inside
ssh 10.1.5.0 255.255.255.0 inside
ssh 10.1.0.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
terminal width 80
 
HI:

Have you checked the logs on the Firewall? It seems to me that you have a problem with the access-lists. Remember that the access-lists are applied inbound to the interface, and the source always goes first in the command.

These two rules:

access-list acl_dmz1 permit icmp 10.4.1.0 255.255.255.0 any
access-list acl_dmz1 permit icmp any 10.4.1.0 255.255.255.0


are not needed as you already specified any any on the previous lines.

Assuming that the VPN clients are being seen from the outside, none of your rules will allow them full access to the inside. But knowing that you can access the inside, I would assume that those clients are being seen as from the inside. In that case you need a rule on your access-list inside that reads like this:

access-list acl_inside permit ip host 10.4.1.10 any
access-list acl_inside permit ip host 10.4.1.11 any

and so on, or you can tailor it to your security policies. That way you are not blocking the traffic to the DMZ before it gets there.

This line is also not needed:
access-list acl_dmz1 permit ip 10.4.1.0 255.255.255.0 any

Let us know if that helps or not.

Good luck,
C.

 
Access to the inside network is not the issue. That has ALWAYS worked.

Access to the dmz is the problem. That has never worked...and still doesn't.
 
That is correct, but you have implemented access-lists on the inside that screen any traffic going OUT from the inside to the OUTSIDE and DMZ. I am thinking that your access-list is preventing your VPN clients from going out to the DMZ.

 
Found part of the problem.

You have to have:

nat (interface) 0 access-list 101

for every interface you want the vpn clients to be able to access. I added:

nat (dmz1) 0 access-list 101

And I was able to ping all hosts in the dmz.

However, I'm having problems doing anything else to them (ssh, telnet, ftp, etc). I'm only 5 minutes into debugging it, so I will find the answer. Keep the suggestions coming...I would have given up long ago if it were not for them.
 
Solution is found. This line was the culprit:

static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0

Only hosts addressed as 10.1.x.x reside on the inside interface. So, the line should have read:

static (inside,dmz1) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0

I made this change, and everything works as it should.

Thanks for all the posts.
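As an added illustration (not from the thread or from Cisco), here is a small check of why the original static line was the culprit: a `static (inside,dmz1)` identity translation whose real range overlaps a subnet that actually lives on another interface. The interface subnets are the ones named in the thread (inside 10.1.0.0/16, dmz1 10.0.2.0/24); the parser only handles the static syntax shown on this page.

```python
"""Flag PIX static identity translations that claim another interface's subnet.

Added example, not the poster's configuration: it parses the two static lines
quoted in the thread and reports which other interface subnets (as stated in
the thread) fall inside the range the static claims for the 'inside' side.
"""
import ipaddress
import re

# PIX 6.x syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)

# Interface subnets as described in the thread (not parsed from the config).
INTERFACE_SUBNETS = {
    "inside": ipaddress.ip_network("10.1.0.0/16"),
    "dmz1": ipaddress.ip_network("10.0.2.0/24"),
}

def parse_static(line):
    """Return (real_if, mapped_if, real_net, mapped_net) for one static line."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static line: {line!r}")
    # ipaddress accepts dotted netmasks, e.g. '10.0.0.0/255.0.0.0'.
    real_net = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
    mapped_net = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
    return m["real_if"], m["mapped_if"], real_net, mapped_net

def find_overlaps(line, subnets=INTERFACE_SUBNETS):
    """Names of interfaces, other than the static's real interface, whose
    subnet overlaps the real range the static claims; empty list if none."""
    real_if, _mapped_if, real_net, _mapped_net = parse_static(line)
    return sorted(
        name for name, net in subnets.items()
        if name != real_if and net.overlaps(real_net)
    )

# The two static lines quoted in the post above.
BROKEN = "static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0"
FIXED = "static (inside,dmz1) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0"

if __name__ == "__main__":
    for line in (BROKEN, FIXED):
        print(line, "->", find_overlaps(line) or "no overlap")
```

The /8 line tells the PIX that the DMZ's own 10.0.2.0/24 is reachable on the inside, which is why the narrower 10.1.0.0/16 static clears the overlap.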
 
HI.

> Solution is found.
This is good.
But now it is time to review and refine your access and translation rules. See below.

> access-list acl_dmz1 permit tcp any any
> access-group acl_dmz1 in interface dmz1
> static (inside,dmz1) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0

The above combination gives full access from dmz1 to inside hosts. This is not the idea of a DMZ.

My suggestions are:

1.
> static (inside,dmz1) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
Do not use static for the whole internal network. Instead, use static for only the servers that the dmz1 network should have access to.

2.
Use something like this:
access-list acl_dmz1 permit ???? (Allow access from dmz1 to specific services on inside)
access-list acl_dmz1 deny ip any 10.1.0.0 255.255.0.0 (Block all other dmz1-inside traffic)
access-list acl_dmz1 permit ??? (Allow traffic from dmz1 to the rest of the Internet)

Bye


Yizhar Hurwitz
 
I've already changed them to allow what I want and disallow what I don't want. I opened them up originally to troubleshoot the VPN problem. They are back to where they are supposed to be, with the VPN client subnet added.
 