
Properly aliasing DMZ address for VPN connections?


rreed (MIS), US
Aug 9, 2002
I have a PIX-515E (v6.22) and I need to have my VPN connections see my DMZ like everything else does.
The outside world sees them as their aliased addresses and the inside network also sees them as their aliased addresses.
Any VPN connections see them as their literally assigned IP addresses.
My alias commands are like this:

alias (inside) outside.world.ip.address literally.assigned.ip.address 255.255.255.255

The outside world and the internal network see DMZ machines as outside.world.ip.address, but VPN connections see them as literally.assigned.ip.address.

How do I configure to make VPN connections see them as outside.world.ip.address?
 
I removed the "nat (optional) 0 access-list nonat" from my config; now VPN connections cannot see the DMZ at all.

That's the closest thing in my config to what you're talking about.

Before I did that I changed my alias commands to look like:

alias outside.world.ip.address literally.assigned.ip.address 255.255.255.255

that is, by removing the "(inside)" keyword. That didn't seem to make any difference to anything.
 
Hi.

> I removed the "nat (optional) 0 access-list nonat" from my config,

Are you using "split-tunnel"?
If so, then you need to edit the split tunnel access-list, to include the external addresses of the servers.

Or try without split-tunnel first.

Bye
Yizhar Hurwitz
 
I replaced the nat (optional) 0 access-list nonat command and VPNers can see the DMZ by literally assigned addresses again.

No split tunneling here, VPN users cannot get to the Internet while they're connected.

Is there a possibility I have DNS doctoring going on here? I'm fairly new to Cisco PIX but I have a couple Cisco Press PIX books, and am somewhat confused on how they describe DNS doctoring.

VPNers can ping DMZ hosts by either IP: literally assigned or aliased. If I ping them by name, they get DNS-translated to the literally assigned IPs. I've checked, and the VPN is using the internal DNS servers, which I'm quite certain point to their aliased addresses. But as mentioned, when VPNers ping dmzhost.domain.com it mysteriously returns their literal address.

My statics are (briefly):

static (optional,outside) outside.world.ip.address literal.assigned.ip.address netmask 255.255.255.255 0 0
static (inside,optional) dmz.assigned.ip.address inside.assigned.ip.address netmask 255.255.255.255 0 0
static (inside,outside) outside.world.ip.address inside.assigned.ip.address netmask 255.255.255.255 0 0
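
The pieces this thread keeps circling around (the static for the DMZ host, the nat 0 exemption list, DNS rewriting and the split-tunnel list) fit together as below. This is an added illustration in PIX 6.2 syntax, not the poster's configuration and not a fix for it; the interface names and every address are assumptions (inside 10.1.1.0/24, DMZ 192.168.10.0/24 as the literally assigned range, 203.0.113.0/24 as the public block, 10.2.2.0/24 as the VPN client pool, a vpngroup called "remote"), and it uses the more common arrangement in which inside hosts address DMZ machines by their real addresses rather than their public ones.

```cisco
! Added example for PIX 6.2(2); not from the thread. Interface names and
! addresses are assumptions: inside 10.1.1.0/24, dmz 192.168.10.0/24 (the
! literally assigned DMZ addresses), public block 203.0.113.0/24, VPN client
! pool 10.2.2.0/24.

! Public address for one DMZ host. The dns keyword (PIX 6.2 and later) is the
! replacement for the alias command: A records in DNS replies crossing the PIX
! are rewritten between 203.0.113.10 and 192.168.10.10, so a client on the
! inside or dmz side resolves the real address and an outside client the
! public one, without a separate alias line.
static (dmz,outside) 203.0.113.10 192.168.10.10 dns netmask 255.255.255.255 0 0

! Inside hosts reach the DMZ by its real addresses (identity static).
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0

! Remote-access pool and NAT exemption. Traffic between a VPN client and an
! internal host is only exempted from NAT (and therefore only carried in the
! tunnel) when it matches this access-list, so the DMZ address a client is
! expected to use, real or public, must appear here. Without it the client
! sees nothing, which is the behaviour reported above when nat 0 was removed.
ip local pool vpnpool 10.2.2.1-10.2.2.254
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat

! Client group. With no split-tunnel line, all client traffic goes through
! the tunnel (the poster's setup). If split tunnelling is enabled, the
! split-tunnel access-list must list the same DMZ addresses the clients use;
! the example list below would cover both the real and the public range.
access-list split permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list split permit ip 192.168.10.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list split permit ip 203.0.113.0 255.255.255.0 10.2.2.0 255.255.255.0
vpngroup remote address-pool vpnpool
vpngroup remote dns-server 10.1.1.5
vpngroup remote default-domain example.com
vpngroup remote password ChangeThisGroupKey
```

The check to run when clients resolve one address but reach the host on another: compare the A record the client actually receives (nslookup from the client while connected) against the nonat access-list and, if used, the split-tunnel access-list. Whatever the DNS reply carries has to be covered by both lists, or the packets are either translated or sent outside the tunnel.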

 