
VPN Concentrator in the DMZ for VPN clients


DrGreen26

MIS
Feb 23, 2000
430
US
Has anyone set up a VPN concentrator with the private connection going to the DMZ on a PIX firewall, allowing VPN clients to access both the internal private LAN and the Internet once they are logged in?

Thanks In Advance

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Sure, it works flawlessly. You need to configure static translations for the inside hosts that will be accessed from the VPN clients, with their corresponding ACLs applied to the DMZ.
You also need to configure nat (dmz) ... statements for the pools assigned to the VPN clients, with their corresponding global (outside) ... commands, so they can access the Internet. Make sure the pool(s) of IP addresses assigned to the VPN clients are unused subnets in your network.
 
This is what I have set up in my PIX for NAT translations:

nat (dmz) 1 192.168.202.0 255.255.255.0 0 0

static (inside, dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

which allows access to my internal network.

static (dmz, outside) 192.168.202.0 192.168.202.0 netmask 255.255.255.0 0 0

I attempted to access the Internet after putting in the second NAT statement; however, I did not do a clear xlate.

But when I attempted to access the Internet I got: Deny tcp src dmz: 192.168.202.1 dst inside: 10.15.200.31 (dns) "dmz"



Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Your static translation only allows access to subnet 10.0.0.0, but host 10.15.200.31 is not part of that subnet. You need a static translation for the 10.15.200.31 host and an access list applied to the dmz allowing access from 192.168.202.0 to host 10.15.200.31, and of course you need the command:

global (outside) 1 interface
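The check made in the reply above (does a static translation actually cover the destination host, and does the DMZ ACL permit the flow?) can be worked through in code. The following is an added illustration, not code from this thread or from Cisco: a deliberately simplified model of how a PIX 6.x decides whether a DMZ-sourced flow reaches the inside (static plus interface ACL) or the outside (nat/global pair plus interface ACL). The config lines are constructed from the ones posted in the thread; the outside host address 198.51.100.10 is an assumed documentation address, and the ACL name is assumed to be the interface name as in the thread.

```python
import ipaddress
import re

# Simplified PIX 6.x-style decision model (added example, not PIX code).
# Only the features used in this thread are modelled: static, nat/global
# and a per-interface access-list with first-match semantics and an
# implicit deny at the end.

_STATIC = re.compile(r"static\s*\((\w+)\s*,\s*(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")
_NAT = re.compile(r"nat\s*\((\w+)\)\s+(\d+)\s+(\S+)\s+(\S+)")
_GLOBAL = re.compile(r"global\s*\((\w+)\)\s+(\d+)")
_ACL = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(.+)")


def _net(addr, mask):
    # ipaddress accepts dotted netmasks ("10.0.0.0/255.0.0.0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_operand(tokens):
    """Consume one ACL address operand: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def parse_config(lines):
    """Parse the handful of PIX command forms used in the thread."""
    cfg = {"static": [], "nat": [], "global": [], "acl": {}}
    for line in lines:
        line = line.strip()
        if m := _STATIC.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            cfg["static"].append((real_if, mapped_if, _net(mapped, mask), _net(real, mask)))
        elif m := _NAT.match(line):
            ifc, nid, addr, mask = m.groups()
            cfg["nat"].append((ifc, int(nid), _net(addr, mask)))
        elif m := _GLOBAL.match(line):
            ifc, nid = m.groups()
            cfg["global"].append((ifc, int(nid)))
        elif m := _ACL.match(line):
            name, action, rest = m.groups()
            src, rest = _acl_operand(rest.split())
            dst, _ = _acl_operand(rest)
            cfg["acl"].setdefault(name, []).append((action, src, dst))
    return cfg


def acl_permits(cfg, name, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny."""
    for action, src, dst in cfg["acl"].get(name, []):
        if src_ip in src and dst_ip in dst:
            return action == "permit"
    return False


def check_flow(cfg, src_if, src_ip, dst_if, dst_ip):
    """Return (permitted, reason) for an IP flow entering src_if bound for dst_if."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # The ACL bound to the ingress interface governs everything entering it.
    if not acl_permits(cfg, src_if, src_ip, dst_ip):
        return False, f"acl {src_if} has no permit for {src_ip} -> {dst_ip}"
    if dst_if == "inside":
        # Lower -> higher security: the destination must be covered by a
        # static (inside,<src_if>) whose mapped range contains it.
        for real_if, mapped_if, mapped, _real in cfg["static"]:
            if real_if == dst_if and mapped_if == src_if and dst_ip in mapped:
                return True, f"permitted; static {mapped} covers {dst_ip}"
        return False, f"no static (inside,{src_if}) covers {dst_ip}"
    if dst_if == "outside":
        # Higher -> lower security: the source needs a nat (<src_if>) entry
        # with a global (outside) of the same id.
        for ifc, nid, net in cfg["nat"]:
            if ifc == src_if and src_ip in net:
                if (dst_if, nid) in cfg["global"]:
                    return True, f"permitted; nat ({src_if}) {nid} + global ({dst_if}) {nid}"
                return False, f"nat ({src_if}) {nid} matches but no global ({dst_if}) {nid}"
        return False, f"no nat ({src_if}) entry covers {src_ip}"
    return False, f"unsupported destination interface {dst_if}"


# Constructed from the lines posted in the thread (first post used a /24 static).
THREAD_CONFIG = [
    "nat (dmz) 1 192.168.202.0 255.255.255.0 0 0",
    "static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0",
    "global (outside) 1 interface",
    "access-list dmz permit ip 192.168.202.0 255.255.255.0 any",
]
CORRECTED_STATIC = "static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0"


def demo():
    first = parse_config(THREAD_CONFIG)
    fixed = parse_config([CORRECTED_STATIC if l.startswith("static") else l for l in THREAD_CONFIG])
    return {
        "dns_first": check_flow(first, "dmz", "192.168.202.1", "inside", "10.15.200.31"),
        "dns_fixed": check_flow(fixed, "dmz", "192.168.202.1", "inside", "10.15.200.31"),
        "web_outside": check_flow(fixed, "dmz", "192.168.202.1", "outside", "198.51.100.10"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'PERMIT' if ok else 'DENY'} ({why})")
```

With the /24 static, the DNS flow to 10.15.200.31 is refused for want of a covering static even though the dmz ACL permits everything; widening the static to 255.0.0.0 clears that specific obstacle, and the Internet-bound flow passes because nat (dmz) 1 has a matching global (outside) 1. Real PIX behaviour has more moving parts (xlate state, fixups, ordering of checks), so treat this as a reasoning aid rather than a simulator.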
 
Oh yeah, I do have an access list that allows the subnet to access any subnet. When I connect I can get to everything internally, including internal web servers.

The only issue I am having is getting out to the Internet.

access-list dmz permit ip 192.168.202.0 255.255.255.0 any

and I did double check this one

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

was correct; I must have fat-fingered it in the earlier post.

and I do have the following:

global (outside) 1 interface
global (dmz) 1 192.168.0.3

Thanks again... something more for me to learn.

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Well the PIX is denying access to your internal DNS server 10.15.200.31:

Deny tcp src dmz: 192.168.202.1 dst inside: 10.15.200.31 (dns) "dmz"

This is because your ACL is not permitting this traffic, so your DNS queries are denied and therefore you're not able to access the websites. Are you able to access the websites by IP address? Open a web browser and enter the following IP address in the address bar:


You should be able to access Cisco's website
 
I tried accessing the web page using just an IP address and no luck... will not get there.

Yeah, neither one works... same error message too.

I don't know why, but the ACL specifically allows that subnet full access to all networks:

access-list dmz permit ip 192.168.202.0 255.255.255.0 any


So out or in, it should get there.

Thanks for trying to work with me on this...I appreciate it much.



Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 