site to site VPN accessing DMZ

Status
Not open for further replies.

evildik

MIS
Sep 2, 2003
39
US
Users from network B cannot access the DMZ net on network A

DMZ - NETWORKA - PIX515 - VPN TUNNEL - PIX506e - NETWORKB

NetworkA IP Subnet = 10.1.1.0 /24
NetworkA DMZ IP Subnet = 10.10.1.0 /24
NetworkB IP Subnet = 10.1.20.0 /24


PIX configuration of PIX515
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list my_dmz permit ip any any
access-list my_dmz permit icmp any any
access-list my_out permit icmp any any
access-list my_out permit tcp any host 1.2.3.440 eq www
access-list my_out permit tcp any host 1.2.3.440 eq ftp-data
access-list my_out permit tcp any host 1.2.3.440 eq ftp
access-list my_out permit tcp any host 1.2.3.441 eq www
access-list my_out permit tcp any host 1.2.3.441 eq ftp-data
access-list my_out permit tcp any host 1.2.3.441 eq ftp
access-list my_out permit tcp any host 1.2.3.442 eq www
access-list my_out permit tcp any host 1.2.3.442 eq ftp-data
access-list my_out permit tcp any host 1.2.3.442 eq ftp
access-list my_out permit tcp any host 1.2.3.440 eq https
access-list my_out permit tcp any host 1.2.3.441 eq https
access-list my_out permit tcp any host 1.2.3.442 eq https
access-list my_out permit udp any any eq isakmp
access-list my_out permit esp any any
access-list my_out permit tcp any 1.2.3.428 255.255.255.128 eq ssh
access-list my_out permit tcp any host 1.2.3.440 eq 3389
access-list my_in permit icmp any any
access-list my_in permit ip any any
access-list vpn_client permit ip 10.1.1.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list vpn_client permit ip 10.3.0.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list vpn_client permit ip 10.1.20.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list vpn_client permit ip 10.1.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list vpn_client permit ip 10.100.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list vpn_client permit ip 10.100.1.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list vpn_client permit ip 10.100.1.0 255.255.255.0 any
access-list 110 permit ip 10.1.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list 110 permit ip 10.100.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list vpn-client permit ip 10.1.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 140 permit ip 10.1.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list 140 permit ip 10.1.1.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list 140 permit ip 10.100.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list 140 permit ip 10.1.20.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list 140 permit ip 10.100.1.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 140 permit ip 10.1.1.0 255.255.255.0 10.10.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered notifications
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 1.2.3.430 255.255.255.128
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.10.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool my_pool 10.100.1.60-10.100.1.69
pdm history enable
arp timeout 300
global (outside) 1 1.2.3.431
global (dmz) 1 interface
nat (inside) 0 access-list 140
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (dmz,outside) 1.2.3.440 10.10.1.10 netmask 255.255.255.255 0 0
static (dmz,outside) 1.2.3.441 10.10.1.11 netmask 255.255.255.255 0 0
static (dmz,outside) 1.2.3.442 10.10.1.12 netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.1.0 10.1.1.0 netmask 255.255.255.0 0 0
access-group my_out in interface outside
access-group my_in in interface inside
access-group my_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 1.2.3.429 1
route inside 10.1.20.0 255.255.255.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.1.236 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 1.2.3.4
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPNGROUP address-pool my_pool
vpngroup VPNGROUP dns-server 206.13.29.12 206.13.30.12
vpngroup VPNGROUP wins-server 10.1.1.5
vpngroup VPNGROUP default-domain test.com
vpngroup VPNGROUP split-tunnel 140
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet 10.3.0.2 255.255.255.255 inside
telnet 10.0.0.0 255.255.255.0 dmz
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 dmz
ssh timeout 5
console timeout 0
terminal width 80


Configuration of PIX 506e

PIX Version 6.3(1)
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit ip 10.1.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 10.200.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list my_out permit icmp any any
access-list my_out permit esp any any
access-list my_out permit udp any any eq isakmp
access-list my_out permit tcp any 1.2.3.4.128 255.255.255.128 eq ssh
access-list my_in permit ip any any
access-list my_in permit icmp any any
access-list ey_out permit tcp any 1.2.3.4.128 255.255.255.128 eq ssh
access-list 110 permit ip 10.200.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list 140 permit ip 10.1.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 140 permit ip 10.200.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list 140 permit ip 10.1.20.0 255.255.255.0 10.200.1.0 255.255.255.0
access-list 140 permit ip 10.200.1.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 140 permit ip 10.1.20.0 250.255.255.0 10.10.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.4.130 255.255.255.128
ip address inside 10.1.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool my_pool 10.200.1.60-10.200.1.69
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 140
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group my_out in interface outside
access-group my_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.2.3.4.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set lazar esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set test
crypto map VPNGROUP 10 ipsec-isakmp
crypto map VPNGROUP 10 match address 100
crypto map VPNGROUP 10 set peer 1.2.3.4
crypto map VPNGROUP 10 set transform-set test
crypto map VPNGROUP 20 ipsec-isakmp dynamic dynmap
crypto map VPNGROUP interface outside
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPNGROUP address-pool my_pool
vpngroup VPNGROUP dns-server 206.13.29.12 206.13.30.12
vpngroup VPNGROUP wins-server 10.1.1.5
vpngroup VPNGROUP default-domain test.com
vpngroup VPNGROUP split-tunnel 140
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password ********
vpngroup VPNGROUP idle-time 1800
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:85fe51a959d8a269230a656a60aef76e


The VPN tunnel is working and client access VPN works fine... What's really strange is that from network B's PIX506e I can ping a host on the DMZ zone... but not from a client on network B.

Help
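A PIX 6.3 site-to-site tunnel only carries a packet when it matches the crypto map's "match address" ACL on the sending box, is exempted from translation by that box's "nat 0 access-list", and matches the mirror-image entry on the peer; anything else is NATed and sent out the default route in the clear. The checker below is an added example written for this page (it is not code from the post, from Tek-Tips or from Cisco) that applies those three tests to the ACLs in the two configs above. The ACL excerpts are copied from the post, including the 506e's ACL 140 line with the 250.255.255.0 mask, kept as posted so the parser's error path is exercised; the roles of the ACLs are taken from the configs (110 and 100 are the "match address" ACLs, 140 is the "nat (inside) 0" ACL on both boxes). The function names and the report layout are this example's own assumptions.

```python
"""Check whether a flow between two subnets is carried by a PIX 6.3
site-to-site tunnel.  For each direction the packet must (1) match the
crypto map's "match address" ACL on the sending PIX, (2) be exempted
from NAT by that PIX's "nat (inside) 0 access-list", and (3) match the
mirror-image entry on the receiving PIX; otherwise it is NATed and sent
out the default route in the clear instead of into the tunnel."""
import ipaddress
import re

Net = ipaddress.IPv4Network

# Only "permit ip" entries matter for the tunnel; tcp/udp/icmp lines and
# the interface ACLs are ignored by this checker.
_PERMIT_IP = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+?)\s*$")

# Excerpts copied from the two configurations in the post above.  The
# last PIX506e line keeps its "250.255.255.0" mask exactly as posted.
PIX515_EXCERPT = """
access-list 110 permit ip 10.1.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list 110 permit ip 10.100.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list 140 permit ip 10.1.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list 140 permit ip 10.1.1.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list 140 permit ip 10.100.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list 140 permit ip 10.1.20.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list 140 permit ip 10.100.1.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 140 permit ip 10.1.1.0 255.255.255.0 10.10.1.0 255.255.255.0
"""
PIX506E_EXCERPT = """
access-list 100 permit ip 10.1.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 10.200.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list 140 permit ip 10.1.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 140 permit ip 10.200.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list 140 permit ip 10.1.20.0 255.255.255.0 10.200.1.0 255.255.255.0
access-list 140 permit ip 10.200.1.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 140 permit ip 10.1.20.0 250.255.255.0 10.10.1.0 255.255.255.0
"""


def _parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return Net(tokens[1] + "/32"), tokens[2:]
    # ipaddress raises ValueError on a non-contiguous dotted mask
    return Net(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acls(config_text):
    """Return ({acl_name: [(src, dst), ...]}, [lines that did not parse])."""
    acls, errors = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        match = _PERMIT_IP.match(line)
        if not match:
            continue
        name, rest = match.group(1), match.group(2).split()
        try:
            src, rest = _parse_addr(rest)
            dst, _ = _parse_addr(rest)
        except (ValueError, IndexError):
            errors.append(line)  # a PIX would refuse this line as well
            continue
        acls.setdefault(name, []).append((src, dst))
    return acls, errors


def covers(entries, src, dst):
    """True if some ACE permits all of src talking to all of dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def check_flow(sender, receiver, src, dst):
    """Evaluate src->dst; the flow rides the tunnel only if all four are True."""
    s_acls, r_acls = sender["acls"], receiver["acls"]
    return {
        "sender_crypto": covers(s_acls.get(sender["crypto"], []), src, dst),
        "sender_nat0": covers(s_acls.get(sender["nat0"], []), src, dst),
        "receiver_crypto": covers(r_acls.get(receiver["crypto"], []), dst, src),
        "receiver_nat0": covers(r_acls.get(receiver["nat0"], []), dst, src),
    }


def mirror_gaps(sender, receiver):
    """ACEs in the sender's crypto ACL with no mirror image on the receiver."""
    mine = sender["acls"].get(sender["crypto"], [])
    theirs = receiver["acls"].get(receiver["crypto"], [])
    return [(s, d) for s, d in mine if not covers(theirs, d, s)]


def analyse():
    """Run the checks over the posted excerpts and return the findings."""
    a_acls, a_err = parse_acls(PIX515_EXCERPT)
    b_acls, b_err = parse_acls(PIX506E_EXCERPT)
    pix515 = {"acls": a_acls, "crypto": "110", "nat0": "140"}
    pix506e = {"acls": b_acls, "crypto": "100", "nat0": "140"}
    net_a, dmz, net_b = Net("10.1.1.0/24"), Net("10.10.1.0/24"), Net("10.1.20.0/24")
    return {
        "b_to_a": check_flow(pix506e, pix515, net_b, net_a),
        "b_to_dmz": check_flow(pix506e, pix515, net_b, dmz),
        "gaps_506e_to_515": mirror_gaps(pix506e, pix515),
        "unparsed": a_err + b_err,
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Running it reports network B to network A as covered on all four counts, network B to the DMZ as covered on none of them, one 506e crypto ACE (10.200.1.0/24 to 10.1.20.0/24) with no mirror on the 515, and the malformed-mask line as unparsed. The checker only looks at ACL contents: it does not know which interface a nat 0 statement is bound to (the 515 config shows "nat (inside) 0 access-list 140" and no nat statement for the dmz interface at all), and it ignores the "static (dmz,outside)" translations and the interface ACLs, all of which also have to line up before a DMZ host can answer across the tunnel.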