Routing VPN Clients to DMZ on PIX 515E


jrcanfer (MIS, GB)
Aug 11, 2002
Hi,

Hopefully this will be a nice easy question for someone to answer... I have a PIX 515E running PIXOS 6.3, supporting a DMZ and IPSec VPN.

When a VPN client connects they are assigned an address from the 192.168.1.0 /24 subnet and can access the internal 192.168.168.0 /24 subnet. Internal subnet users can access resources in the DMZ (192.168.169.0 /24 subnet) and outside of the network where ACLs permit.

However, VPN clients cannot access resources in the DMZ. When they query internal DNS the IP address returned is 192.168.169.#. But the traffic isn't routing correctly, and when the VPN client then tries to route to 192.168.169.# it goes straight out into the internet.

If I add an additional host (A) record to DNS with the NAT address of the machine in the DMZ that the VPN client is trying to access, it gets there no problem (after a short delay).

What basic piece of config am I missing?

Thanks
 
It sounds like split tunnelling is enabled since the traffic "goes straight out into the internet." If so, you probably have lines like this:

access-list inside_outbound_nat0_acl permit ip 192.168.168.0 255.255.255.0 192.168.1.0 255.255.255.0

which matches:
vpngroup groupname split-tunnel inside_outbound_nat0_acl

Add another access-list entry permitting traffic from your DMZ to your VPN pool:

access-list inside_outbound_nat0_acl permit ip 192.168.169.0 255.255.255.0 192.168.1.0 255.255.255.0
 
Thanks for the pointers. I've inherited the config of this firewall from a third-party company that used to administer it before I joined the company.

We are indeed using a split tunnel:

vpngroup DIALINVPN split-tunnel 100

The ACLs that govern the tunnel are:

access-list 100 permit ip 192.168.168.0 255.255.255.0 10.44.52.0 255.255.255.0
access-list 100 permit ip 192.168.168.0 255.255.255.0 192.168.1.0 255.255.255.0
......
access-list 100 permit ip 192.168.171.0 255.255.255.0 192.168.1.0 255.255.255.0

NAT is disabled:

nat (inside) 0 access-list 100

So my reading is that all I need to add is:

access-list 100 permit ip 192.168.169.0 255.255.255.0 192.168.1.0 255.255.255.0

Unfortunately it's still not working, though, and my ability to test the config is rather limited because it's a live box!

One other area of concern is that I know the following rule doesn't work:

access-list 100 permit ip 192.168.168.0 255.255.255.0 10.44.52.0 255.255.255.0

10.44.52.0 addresses are at the end of a site-to-site VPN and I've been told VPN clients cannot route up another VPN tunnel unless we run PIXOS 7. Is this true, and could that same issue also have a bearing on the problem I'm having routing traffic from our VPN clients into the DMZ?

Or are they, as I suspect, two totally separate issues?

Thanks

 
Can you post your config?

For the PIX to do hub-and-spoke VPN so that the spokes can talk to each other, yes, only the hub needs to be on 7.x
(this also works for VPN clients as well with a little modification)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Here's the config, thanks:

: Saved
: Written by enable_15 at 13:48:59.752 UTC Wed Sep 13 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 10baset
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security20
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname mypix
domain-name mydomain.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name ........
object-group network Messagelabs
description Tower 2
network-object Messagelabs5 255.255.255.0
network-object Messagelabs3 255.255.224.0
network-object Messagelabs4 255.255.254.0
network-object Messagelabs7 255.255.254.0
network-object Messagelabs1 255.255.224.0
network-object Messagelabs6 255.255.254.0
network-object Messagelabs2 255.255.224.0
network-object Messagelabs8 255.255.248.0
object-group network Exchange
network-object GH-Exchange 255.255.255.255
network-object GH-Exchange_IF2 255.255.255.255
object-group service PCAnywhere tcp
description TCP Ports
port-object eq ssh
port-object eq 5632
port-object eq 65301
port-object eq pcanywhere-data
object-group service PCAnywhereU udp
description UDP
port-object eq pcanywhere-status
object-group network DC
network-object GH-AD01 255.255.255.255
network-object GH-AD02 255.255.255.255
object-group network Attenda
network-object xxx10WEB01 255.255.255.255
network-object xxx10WEB02 255.255.255.255
network-object xxx10WEB05 255.255.255.255
network-object xxx10WEB06 255.255.255.255
network-object xxx10WEB03 255.255.255.255
network-object xxx10WEB0 255.255.255.255
network-object xxx10DBS02 255.255.255.255
network-object xxx10DBS01 255.255.255.255
network-object xxx10DBSCluster 255.255.255.255
network-object xxx10APP01 255.255.255.255
network-object xxx10APP02 255.255.255.255
network-object xxx10AppCluster 255.255.255.255
network-object xxxxxxx-ACTIVE 255.255.255.255
network-object xxx10DBO03 255.255.255.255
object-group network SQL-Access
network-object V3-SQL1 255.255.255.255
network-object V3-DEV03 255.255.255.255
object-group network Mitel
network-object Mitel-ICP 255.255.255.255
network-object Mitel-App 255.255.255.255
object-group network Non_Standard_URL
description Hosts with non standard ports accessed over HTTP by the dev team
network-object Dev_Resource 255.255.255.255
network-object Dev_Resource2 255.255.255.255
access-list inside_access_in permit tcp object-group DC any eq domain
access-list inside_access_in permit udp object-group DC any eq domain
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 any eq www
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 any eq https
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 any eq ftp
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 any eq ftp-data
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 any eq 3389
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 any eq 5900
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 any eq 1863
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 any object-group PCAnywhere
access-list inside_access_in permit udp 192.168.168.0 255.255.255.0 any object-group PCAnywhereU
access-list inside_access_in permit tcp host GH-Exchange object-group Messagelabs eq smtp
access-list inside_access_in permit tcp host GH-Exchange_IF2 object-group Messagelabs eq smtp
access-list inside_access_in permit ip 192.168.168.0 255.255.255.0 object-group Attenda
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 any eq pop3
access-list inside_access_in permit icmp 192.168.168.0 255.255.255.0 any
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 object-group SQL-Access eq 1433
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 object-group SQL-Access eq 1434
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 host Dev_Resource eq 6500
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 host Dev_Resource2 eq 82
access-list inside_access_in permit tcp host GH-Blackberry host srp.eu.blackberry.net eq 3101
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 host LaserScan eq sqlnet
access-list inside_access_in permit tcp 192.168.168.0 255.255.255.0 any eq 465
access-list outside_access_in permit tcp any host xxx.yyy.zzz.7 eq www
access-list outside_access_in permit tcp any host xxx.yyy.zzz.8 eq www
access-list outside_access_in permit tcp any host xxx.yyy.zzz.7 eq https
access-list outside_access_in permit tcp any host xxx.yyy.zzz.8 eq https
access-list outside_access_in permit tcp object-group Messagelabs host xxx.yyy.zzz.4 eq smtp
access-list outside_access_in permit tcp object-group Messagelabs host xxx.yyy.zzz.5 eq smtp
access-list outside_access_in permit tcp any host xxx.yyy.zzz.9 eq 3389
access-list outside_access_in permit tcp any host xxx.yyy.zzz.9 eq www
access-list outside_access_in permit tcp any host xxx.yyy.zzz.9 eq https
access-list outside_access_in permit tcp any host xxx.yyy.zzz.3 eq 3101
access-list outside_access_in permit tcp any host xxx.yyy.zzz.10 eq 3389
access-list outside_access_in permit tcp any host xxx.yyy.zzz.10 eq www
access-list outside_access_in permit tcp any host xxx.yyy.zzz.10 eq https
access-list outside_access_in permit icmp host xxx10DBS01 host GH-Accounts
access-list outside_access_in permit tcp 192.168.1.0 255.255.255.0 object-group Mitel eq www
access-list outside_access_in permit tcp 192.168.1.0 255.255.255.0 object-group Mitel eq https
access-list outside_access_in permit tcp 192.168.1.0 255.255.255.0 host Mitel-App eq 3389
access-list outside_access_in permit tcp 192.168.1.0 255.255.255.0 host Mitel-App eq 5900
access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 any
access-list 80 permit ip 192.168.168.0 255.255.255.0 10.44.52.0 255.255.255.0
access-list 90 permit ip host 192.168.168.47 host aaa.bbb.ccc.170
access-list 90 permit ip host V3-AD_Int host aaa.bbb.ccc.170
access-list 90 permit ip host 192.168.168.47 host aaa.bbb.ccc.169
access-list 90 permit ip host V3-AD_Int host aaa.bbb.ccc.169
access-list 90 permit ip host V3-EA host aaa.bbb.ccc.169
access-list 90 permit ip host V3-EA host aaa.bbb.ccc.170
access-list 100 permit ip 192.168.168.0 255.255.255.0 10.44.52.0 255.255.255.0
access-list 100 permit ip 192.168.168.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip host 192.168.168.47 host aaa.bbb.ccc.170
access-list 100 permit ip host V3-AD_Int host aaa.bbb.ccc.170
access-list 100 permit ip host 192.168.168.47 host aaa.bbb.ccc.169
access-list 100 permit ip host V3-AD_Int host aaa.bbb.ccc.169
access-list 100 permit ip 192.168.171.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz1_access_in permit icmp any any
access-list dmz1_access_in permit ip any any
access-list 95 permit ip host V3-AD host aaa.bbb.ccc.170
access-list 95 permit ip host aaa.bbb.ccc.170 host V3-AD
access-list NO-NAT-DMZ1 permit ip host V3-AD 192.168.46.0 255.255.255.0
access-list NO-NAT-DMZ1 permit ip host V3-WEB 192.168.46.0 255.255.255.0
access-list NO-NAT-DMZ1 permit ip host V3-EA host aaa.bbb.ccc.169
access-list NO-NAT-DMZ1 permit ip host V3-EA host aaa.bbb.ccc.170
access-list LAND-REG permit ip host V3-AD 192.168.46.0 255.255.255.0
access-list LAND-REG permit ip host V3-WEB 192.168.46.0 255.255.255.0
access-list LAND-REG permit ip host V3-WEB 192.168.38.240 255.255.255.240
access-list LAND-REG permit ip host V3-AD 192.168.38.240 255.255.255.240
pager lines 24
logging on
logging timestamp
logging standby
logging buffered debugging
logging trap warnings
logging history informational
logging facility 17
logging host inside GH-storage
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
ip address outside xxx.yyy.zzz.3 255.255.255.240
ip address inside 192.168.168.1 255.255.255.0
ip address dmz1 192.168.169.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool DIALINCLIENTS 192.168.1.1-192.168.1.254
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz1) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 0 access-list NO-NAT-DMZ1
nat (dmz1) 1 192.168.169.0 255.255.255.0 0 0
static (inside,outside) tcp interface 3101 GH-Blackberry 3101 netmask 255.255.255.255 0 0
static (inside,outside) xxx.yyy.zzz.4 GH-Exchange netmask 255.255.255.255 0 0
static (inside,outside) xxx.yyy.zzz.5 GH-Exchange_IF2 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.yyy.zzz.7 V3-GEOMAPSTAG netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.yyy.zzz.8 V3-WEB netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.yyy.zzz.9 V3-EA netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.yyy.zzz.10 V3-DEV03 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz1_access_in in interface dmz1
route outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.2 1
route inside 192.168.171.0 255.255.255.0 192.168.168.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.168.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set attendavpn esp-des esp-sha-hmac
crypto ipsec transform-set DIALINCLIENTS esp-des esp-md5-hmac
crypto ipsec transform-set mdavpn esp-des esp-sha-hmac
crypto ipsec transform-set LAND-REG esp-3des esp-md5-hmac
crypto dynamic-map dynomap 90 set transform-set DIALINCLIENTS
crypto map attenda 10 ipsec-isakmp
crypto map attenda 10 match address 80
crypto map attenda 10 set peer 217.64.225.49
crypto map attenda 10 set transform-set attendavpn
crypto map attenda 20 ipsec-isakmp
crypto map attenda 20 match address 90
crypto map attenda 20 set peer 213.212.66.4
crypto map attenda 20 set transform-set mdavpn
crypto map attenda 30 ipsec-isakmp
crypto map attenda 30 match address LAND-REG
crypto map attenda 30 set peer 194.73.100.121
crypto map attenda 30 set transform-set LAND-REG
crypto map attenda 90 ipsec-isakmp dynamic dynomap
crypto map attenda client configuration address initiate
crypto map attenda interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxxxxx address 217.64.225.49 netmask 255.255.255.255
isakmp key xxxxxxxxxxxxxxxx address 213.212.66.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key xxxxxxxxxxxxxxxx address 194.73.100.121 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 6 authentication pre-share
isakmp policy 6 encryption des
isakmp policy 6 hash sha
isakmp policy 6 group 1
isakmp policy 6 lifetime 86400
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 86400
vpngroup DIALINVPN address-pool DIALINCLIENTS
vpngroup DIALINVPN dns-server GH-AD01 GH-AD02
vpngroup DIALINVPN wins-server GH-AD01 GH-AD02
vpngroup DIALINVPN default-domain mydomain.co.uk
vpngroup DIALINVPN split-tunnel 100
vpngroup DIALINVPN idle-time 1800
vpngroup DIALINVPN password xxxxxxxxxx
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.168.0 255.255.255.0 inside
telnet timeout 5
console timeout 0
terminal width 80
Cryptochecksum:b518ea7fde5f72aae0e098a9049b46a5
: end
 
So adding this line should be correct:
access-list 100 permit ip 192.168.169.0 255.255.255.0 192.168.1.0 255.255.255.0

It might be your inside ACL. Add a line so all IP traffic goes out to the DMZ unrestricted and see if that fixes it (after hours, as a test only).

Something tells me you might have to alter your DMZ no-nat rule as well, but try the above first.


Brent
Systems Engineer / Consultant
CCNP, CCSP
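As an added illustration (not code from the thread), here is a small Python audit of a config excerpt modelled on the posted one. For a given vpngroup and target host it checks the two things the replies above circle around: whether the split-tunnel ACL carries target-to-pool traffic inside the tunnel, and whether the nat 0 exemption on the interface the target sits behind covers the return path. The excerpt and the DMZ host address 192.168.169.20 are constructed stand-ins for the redacted names.

```python
import ipaddress

# Constructed excerpt modelled on the thread's PIX 6.3 config (hypothetical DMZ host).
PIX_CONFIG = """
ip address inside 192.168.168.1 255.255.255.0
ip address dmz1 192.168.169.1 255.255.255.0
ip local pool DIALINCLIENTS 192.168.1.1-192.168.1.254
access-list 100 permit ip 192.168.168.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO-NAT-DMZ1 permit ip host 192.168.169.20 192.168.46.0 255.255.255.0
nat (inside) 0 access-list 100
nat (dmz1) 0 access-list NO-NAT-DMZ1
vpngroup DIALINVPN address-pool DIALINCLIENTS
vpngroup DIALINVPN split-tunnel 100
"""
def _endpoint(tok, i):
    # One ACE endpoint, 'host A' or 'A MASK'; returns (network, index of next token).
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse(config):
    acl, nat0, ifaces, pools, groups = {}, {}, {}, {}, {}
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, i = _endpoint(t, 4)
            acl.setdefault(t[1], []).append((src, _endpoint(t, i)[0]))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]          # interface -> NAT-exempt ACL
        elif t[:2] == ["ip", "address"]:
            ifaces[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["vpngroup"]:
            groups.setdefault(t[1], {})[t[2]] = t[3]
    return acl, nat0, ifaces, pools, groups

def covers(aces, target, pool):
    # True if some ACE matches target -> the whole client pool.
    return any(target.subnet_of(s) and pool[0] in d and pool[1] in d for s, d in aces)

def audit(config, group, host):
    """Is `host` inside the split tunnel for `group`, and is its return path NAT-exempt?"""
    acl, nat0, ifaces, pools, groups = parse(config)
    target, g = ipaddress.ip_network(host), groups[group]
    pool = pools[g["address-pool"]]
    iface = next(n for n, net in ifaces.items() if target.subnet_of(net))
    return {"split_tunnel": covers(acl.get(g["split-tunnel"], []), target, pool),
            "nat0": covers(acl.get(nat0.get(iface, ""), []), target, pool)}
```

Appending the ACL 100 line from the thread flips `split_tunnel` to True for the DMZ host, but `nat0` stays False until NO-NAT-DMZ1 also exempts 192.168.169.0/24 to the client pool.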
 