
PIX VPN access to DMZ

Status
Not open for further replies.

JCasale

MIS
Nov 16, 2007
5
CA
I have been banging my head over this for a couple days. I can make this work when I add ipsec pl-compatible, but I have many VPN groups with very specific access and need to use ACLs. Can someone elaborate on what the steps to make this work are?

I have the following:
inside 192.168.0.1/24
dmz1 192.168.1.0/24 (vlan 1)
dmz2 192.168.2.0/24 (vlan 2)
outside dhcp

I am trying to allow TCP ports 22/80/5550/5555 from a VPN group over to dmz2. The IP pool is 192.168.0.208-214.

Thanks!
jlc
 
Hi,

Think you need an ACL something like this, only with your required IPs and ports:

access-list outside_1_cryptomap extended permit ip 192.168.27.48 255.255.255.240 10.0.1.0 255.255.255.0

cheers,

WGM
 
Thank you very much for the pointer. I should have mentioned I was using PIX 6.3.5 but I will try and see if I can glean the approach and then mangle the code myself.

Thanks again!
jlc
 
If you already have the VPN up and running all you will need is the ACLs setup from that doc. They define the interesting traffic and what to exempt from natting.


Brent
Systems Engineer / Consultant
CCNP, CCSP
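The two ACLs Brent refers to, worked through for the numbers in the original question on PIX 6.3, as an added example that is not the poster's or the repliers' own configuration. The vpngroup name (dmz2admins), the ACL and pool names, and the use of an inbound ACL on the outside interface (instead of "sysopt connection permit-ipsec") to enforce the four ports are assumptions not stated in the thread.

```cisco
!--- Added example, not from the thread. Names are placeholders chosen here.
!--- Pool from the question. The /29 mask used in the ACLs below also covers
!--- .215, which the pool never hands out, so nothing extra is exposed.
ip local pool dmz2_pool 192.168.0.208-192.168.0.214

!--- Interesting-traffic / split-tunnel ACL, written from the PIX side:
!--- local dmz2 network -> VPN pool. Kept as "permit ip" so the tunnel itself
!--- is not the place where port filtering happens.
access-list dmz2_vpn permit ip 192.168.2.0 255.255.255.0 192.168.0.208 255.255.255.248

!--- Exempt exactly that traffic from NAT on the dmz2 interface.
nat (dmz2) 0 access-list dmz2_vpn

!--- Bind the pool and the split-tunnel ACL to the group (assumed group name).
vpngroup dmz2admins address-pool dmz2_pool
vpngroup dmz2admins split-tunnel dmz2_vpn
vpngroup dmz2admins password <PLACEHOLDER-PRESHARED-KEY>

!--- Port-level restriction. Without "sysopt connection permit-ipsec" (and
!--- without "sysopt ipsec pl-compatible"), decrypted VPN traffic is checked
!--- against the outside interface's inbound ACL, so only these four TCP
!--- ports from the pool reach dmz2; the implicit deny drops everything else.
access-list outside_in permit tcp 192.168.0.208 255.255.255.248 192.168.2.0 255.255.255.0 eq 22
access-list outside_in permit tcp 192.168.0.208 255.255.255.248 192.168.2.0 255.255.255.0 eq 80
access-list outside_in permit tcp 192.168.0.208 255.255.255.248 192.168.2.0 255.255.255.0 eq 5550
access-list outside_in permit tcp 192.168.0.208 255.255.255.248 192.168.2.0 255.255.255.0 eq 5555
access-group outside_in in interface outside
```

If the outside interface already carries an inbound ACL, these four lines are added to it rather than replacing it; "show access-list outside_in" hit counts are the quickest way to confirm the decrypted traffic is matching the intended lines.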
 
Finally got it; that doc got the ball rolling on some other errors in ACLs I missed.

Thank you very much for the help.
jlc
 