
Trouble accessing DMZ through VPN.


ixleplix (MIS), Feb 6, 2003
Here is my problem. I have a client based vpngroup named xxxxxxxxx. This works great except that I can’t access any of the machines I have on my DMZ through the VPN. I have a feeling it’s an access-list issue, but for the life of me I can’t seem to find it. Maybe my brain has finally melted. Occupational hazard I guess.

I think I’ve included all of the necessary config commands.
Any help is greatly appreciated.

Oh yeah, PIX version 6.3(1).

access-list 210 permit ip vvv.20.1.0 255.255.255.0 yyy.16.23.0 255.255.255.240
access-list 210 permit ip xxx.1.0.0 255.255.0.0 yyy.16.23.0 255.255.255.240
access-list 210 permit ip yyy.0.0.0 255.0.0.0 yyy.16.23.0 255.255.255.240
access-list 210 permit ip zzz.zzz.0.0 255.255.0.0 yyy.16.23.0 255.255.255.240
access-list 210 permit ip yyy.16.23.0 255.255.255.240 vvv.20.1.0 255.255.255.0
access-list 210 remark Lines 6-10 are for xxxxxxxxx VPN Access

access-list dmz100 permit ip vvv.20.1.0 255.255.255.0 yyy.16.23.0 255.255.255.240
access-list dmz100 deny ip vvv.20.1.0 255.255.255.0 zzz.zzz.0.0 255.255.0.0
access-list dmz100 deny ip vvv.20.1.0 255.255.255.0 172.0.0.0 255.0.0.0
access-list dmz100 permit ip vvv.20.1.0 255.255.255.0 any

ip address inside yyy.16.0.101 255.255.0.0
ip address DMZ vvv.20.1.1 255.255.255.0

ip local pool 4thpool yyy.16.23.1-yyy.16.23.12

access-group dmz100 in interface DMZ

vpngroup xxxxxxxxx address-pool 4thpool
vpngroup xxxxxxxxx dns-server yyy.16.0.2
vpngroup xxxxxxxxx wins-server yyy.16.0.2
vpngroup xxxxxxxxx default-domain xxx.xxx.xxx.xxx
vpngroup xxxxxxxxx split-tunnel 210
vpngroup xxxxxxxxx idle-time 1800
vpngroup xxxxxxxxx password ********


 
Is anyone out there? Did I not give enough info? Please help! Maybe I should have titled it PIX VPN?

1) A robot may not injure a human being or, through inaction, allow a human being to come to harm.

2) A robot must obey orders given it by human beings except where such orders would conflict with the First Law.

3) A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
 
Ok, got it figured out. I'd forgotten to add the

nat (DMZ) 0 access-list 210

command.

Later......

 
ixleplix, thanks for posting how you got it figured out.
I just had a similar problem.
I had a picture of the NO-NAT decision being made as traffic left the outside interface.

So I put my permit statements for DMZ1 hosts in my NO-NAT ACL. I couldn't figure out why the hitcnt wasn't increasing.

Now I reckon if I create a NO-NAT ACL for DMZ1 and apply it to the DMZ1 interface, we should be in action:

So instead of this:
Code:
access-list 100 permit ip host LAN.LAN.LAN.WW host ISP.ISP.ISP.YY
access-list 100 permit ip host dmz.dmz.dmz.XX host ISP.ISP.ISP.YY
access-list 100 permit ip host dmz.dmz.dmz.XX host ISP.ISP.ISP.YY

nat (inside) 0 access-list 100

I need
Code:
access-list 100 permit ip host LAN.LAN.LAN.WW host ISP.ISP.ISP.YY

access-list 200 permit ip host dmz.dmz.dmz.XX host ISP.ISP.ISP.YY
access-list 200 permit ip host dmz.dmz.dmz.XX host ISP.ISP.ISP.YY

nat (inside) 0 access-list 100
nat (dmz1) 0 access-list 200

Thanks
C.T.
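Both posts above come down to the same omission: the NAT-exempt ACL listed the DMZ hosts, but `nat (iface) 0 access-list` was applied only on inside, so traffic sourced on the DMZ was never exempted. As an added illustration (not code from the thread or from Cisco), here is a small Python lint that reads PIX 6.3-style config lines and reports interfaces whose subnet appears as a source in a NAT-exempt ACL without a matching `nat (iface) 0` statement. The sample config and its addresses are constructed placeholders in the shape of the thread's config.

```python
import ipaddress

# Constructed sample in the shape of the thread's PIX 6.3 config (the
# addresses are placeholders, not the poster's): the DMZ subnet is in the
# NAT-exempt ACL, but "nat 0" is applied only on inside, so DMZ-sourced
# traffic to the VPN pool is still NATed and never enters the tunnel.
SAMPLE_CONFIG = """
ip address inside 172.16.0.101 255.255.0.0
ip address DMZ 10.20.1.1 255.255.255.0
access-list 210 permit ip 10.20.1.0 255.255.255.0 172.16.23.0 255.255.255.240
access-list 210 permit ip 172.16.0.0 255.255.0.0 172.16.23.0 255.255.255.240
access-list 210 remark lines above are for VPN access
nat (inside) 0 access-list 210
"""


def _net(tokens):
    """Consume one PIX ACL address spec: 'any', 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def find_missing_nat0(config):
    """Return sorted (interface, acl) pairs where an ACL exempts traffic
    sourced from that interface's subnet but no 'nat (iface) 0' applies it."""
    ifaces, acl_sources, nat0 = {}, {}, set()
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "address"] and len(parts) == 5:
            ifaces[parts[2]] = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
        elif parts[:1] == ["access-list"] and parts[2:4] == ["permit", "ip"]:
            tokens = parts[4:]
            acl_sources.setdefault(parts[1], []).append(_net(tokens))
        elif parts[:1] == ["nat"] and parts[2:4] == ["0", "access-list"]:
            nat0.add((parts[1].strip("()"), parts[4]))
    missing = set()
    for acl, sources in acl_sources.items():
        for name, net in ifaces.items():
            # an ACE whose source lies in this interface's subnet only exempts
            # that traffic from NAT if nat 0 references the ACL on that interface
            if (name, acl) not in nat0 and any(s.subnet_of(net) for s in sources):
                missing.add((name, acl))
    return sorted(missing)


if __name__ == "__main__":
    for iface, acl in find_missing_nat0(SAMPLE_CONFIG):
        print(f"missing: nat ({iface}) 0 access-list {acl}")
```

Run against the sample it reports `nat (DMZ) 0 access-list 210`, the line ixleplix had forgotten; adding that line makes the report empty.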