
site to site vpn can't access dmz

Status
Not open for further replies.

olson5000

MIS
Jun 5, 2002
14
US
Here's my pix config. All of the other devices are getting through to the dmz except for the site to site. Any suggestions?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxx encrypted
passwd xxx encrypted
hostname xxx
domain-name xxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 10.1.1.128 Scanner
name 10.1.1.160 Scanner3
name 10.1.1.252 Temporary
name 192.168.1.30 TSIWeb
name 10.1.1.156 woodstock
name 10.1.1.14 Red_Baron
access-list acl_in permit tcp host 10.1.1.101 any eq 8002
access-list acl_in permit tcp host 10.1.1.85 any eq 8082
access-list acl_in permit tcp host 10.1.1.85 any eq 8080
access-list acl_in permit tcp host 10.1.1.82 any
access-list acl_in permit tcp host 10.1.1.89 any
access-list acl_in permit tcp host 10.1.1.21 any
access-list acl_in permit tcp host 10.1.1.186 any
access-list acl_in permit tcp host 10.1.1.187 any
access-list acl_in permit tcp host 10.1.1.201 any
access-list acl_in permit tcp host 10.1.1.202 any
access-list acl_in permit tcp host 10.1.1.203 any
access-list acl_in permit tcp host 10.1.1.204 any
access-list acl_in permit tcp host 10.1.1.205 any
access-list acl_in permit tcp host 10.1.1.206 any
access-list acl_in permit tcp host 10.1.1.207 any
access-list acl_in permit tcp host 10.1.1.208 any
access-list acl_in permit tcp host 10.1.1.209 any
access-list acl_in permit tcp host 10.1.1.210 any
access-list acl_in permit tcp host 10.1.1.211 any
access-list acl_in permit tcp host 10.1.1.212 any
access-list acl_in permit tcp host 10.1.1.213 any
access-list acl_in permit tcp host 10.1.1.214 any
access-list acl_in permit tcp host 10.1.1.215 any
access-list acl_in permit tcp host 10.1.1.216 any
access-list acl_in permit tcp host 10.1.1.217 any
access-list acl_in permit tcp host 10.1.1.218 any
access-list acl_in permit tcp host 10.1.1.219 any
access-list acl_in permit tcp host 10.1.1.249 any
access-list acl_in permit tcp host 10.1.1.248 any
access-list acl_in permit tcp host 10.1.1.221 any
access-list acl_in permit tcp host 10.1.1.222 any
access-list acl_in permit tcp host 10.1.1.99 any
access-list acl_in permit tcp host 10.1.1.87 any eq www
access-list acl_in permit tcp host 10.1.1.163 any eq 9001
access-list acl_in permit tcp host 10.1.1.163 any eq 7778
access-list acl_in deny udp host 10.1.1.156 any eq 1434
access-list acl_in permit tcp host 10.1.1.33 any eq ftp
access-list acl_in permit tcp host 10.1.1.17 host 192.168.1.30 eq 3306
access-list acl_in permit tcp host 10.1.1.17 host 192.168.1.30 eq www
access-list acl_in permit tcp host 10.1.1.17 host 192.168.1.30 eq ftp
access-list acl_in permit tcp host 10.1.1.14 any
access-list acl_in permit tcp host 10.1.1.106 any
access-list acl_in permit tcp host 10.1.1.138 any
access-list acl_in permit tcp host 10.1.1.96 any
access-list acl_in permit tcp host 10.1.1.232 any
access-list acl_in permit tcp host 10.1.1.160 any
access-list acl_in permit tcp host 10.1.1.88 any
access-list acl_in deny tcp host 10.1.1.75 any
access-list acl_in permit tcp host 10.1.1.14 any eq ftp
access-list acl_in permit tcp host 10.1.1.14 any eq 8080
access-list acl_in permit tcp host 10.1.1.14 any eq 8082
access-list acl_in permit tcp host 10.1.1.14 any eq 2121
access-list acl_in permit tcp host 10.1.1.14 any eq 8000
access-list acl_in permit tcp host 10.1.1.14 any eq 5000
access-list acl_in permit tcp host 10.1.1.14 any range 1200 1210
access-list acl_in permit tcp host 10.1.1.14 any eq 3389
access-list acl_in permit tcp host 10.1.1.100 any eq 1070
access-list acl_in permit tcp host 10.1.1.112 any eq 1070
access-list acl_in permit tcp host 10.1.1.146 any eq 1070
access-list acl_in permit tcp host 10.1.1.146 any eq 8080
access-list acl_in permit tcp host 10.1.1.55 any eq 1070
access-list acl_in permit tcp host 10.1.1.69 any eq telnet
access-list acl_in permit tcp host 10.1.1.84 any eq 3389
access-list acl_in permit tcp host 10.1.1.76 any eq 8080
access-list acl_in permit tcp host 10.1.1.83 any range 1100 1101
access-list acl_in permit tcp host 10.1.1.83 any range 5558 5566
access-list acl_in permit tcp host 10.1.1.83 any eq 9000
access-list acl_in permit tcp host 10.1.1.79 any eq ftp
access-list acl_in permit tcp host 10.1.1.78 any eq ftp
access-list acl_in permit tcp host 10.1.1.77 any eq ftp
access-list acl_in permit tcp host 10.1.1.94 any eq ftp
access-list acl_in permit tcp host 10.1.1.94 any eq telnet
access-list acl_in permit tcp host 10.1.1.94 any eq 8031
access-list acl_in permit tcp host 10.1.1.94 any range 5558 5566
access-list acl_in permit tcp host 10.1.1.94 any range 1100 1101
access-list acl_in permit tcp host 10.1.1.94 any eq 9000
access-list acl_in permit tcp host 10.1.1.94 any
access-list acl_in permit tcp host 10.1.1.59 any eq ftp
access-list acl_in permit tcp host 10.1.1.59 any range 5558 5566
access-list acl_in permit tcp host 10.1.1.59 any range 1100 1101
access-list acl_in permit tcp host 10.1.1.59 any eq 9000
access-list acl_in permit tcp host 10.1.1.37 any eq 5000
access-list acl_in permit tcp host 10.1.1.37 any range 1200 1210
access-list acl_in permit tcp host 10.1.1.111 any eq ftp
access-list acl_in permit tcp host 10.1.1.111 any eq 8001
access-list acl_in permit tcp host 10.1.1.111 any eq citrix-ica
access-list acl_in permit tcp host 10.1.1.111 any eq 1604
access-list acl_in permit tcp host 10.1.1.111 any eq 8080
access-list acl_in permit tcp host 10.1.1.140 any eq 8001
access-list acl_in permit tcp host 10.1.1.140 any eq citrix-ica
access-list acl_in permit tcp host 10.1.1.140 any eq 1604
access-list acl_in permit tcp host 10.1.1.140 any eq 8080
access-list acl_in permit tcp host 10.1.1.105 any eq 9080
access-list acl_in permit tcp host 10.1.1.118 any eq 9080
access-list acl_in permit tcp host 10.1.1.105 any eq 8001
access-list acl_in permit tcp host 10.1.1.118 any eq 8001
access-list acl_in permit tcp host 10.1.1.105 any eq citrix-ica
access-list acl_in permit tcp host 10.1.1.118 any eq citrix-ica
access-list acl_in permit tcp host 10.1.1.105 any eq 1604
access-list acl_in permit tcp host 10.1.1.118 any eq 1604
access-list acl_in permit tcp host 10.1.1.105 any eq 8080
access-list acl_in permit tcp host 10.1.1.118 any eq 8080
access-list acl_in permit tcp host 10.1.1.108 any eq 8001
access-list acl_in permit tcp host 10.1.1.53 any eq 1070
access-list acl_in permit tcp host 10.1.1.36 any eq 1070
access-list acl_in permit tcp host 10.1.1.46 any eq 1070
access-list acl_in permit tcp host 10.1.1.54 any eq 1070
access-list acl_in permit tcp host 10.1.1.123 any eq 1070
access-list acl_in permit tcp host 10.1.1.57 any eq 8080
access-list acl_in permit tcp host 10.1.1.57 any eq 2121
access-list acl_in permit tcp host 10.1.1.57 any eq 8000
access-list acl_in permit tcp host 10.1.1.57 any eq 5000
access-list acl_in permit tcp host 10.1.1.57 any range 1200 1210
access-list acl_in permit tcp host 10.1.1.107 any eq 8080
access-list acl_in permit tcp host 10.1.1.107 any eq 2121
access-list acl_in permit tcp host 10.1.1.107 any eq 8000
access-list acl_in permit tcp host 10.1.1.107 any eq 5000
access-list acl_in permit tcp host 10.1.1.107 any range 1200 1210
access-list acl_in permit tcp host 10.1.1.141 any eq 8080
access-list acl_in permit tcp host 10.1.1.70 any eq 1863
access-list acl_in permit tcp host 10.1.1.74 any eq 1863
access-list acl_in permit tcp host 10.1.1.176 any eq www
access-list acl_in permit tcp host 10.1.1.66 any eq 8001
access-list acl_in permit tcp host 10.1.1.98 any
access-list acl_in permit tcp host 10.1.1.98 any eq 8080
access-list acl_in permit tcp host 10.1.1.98 any eq 8082
access-list acl_in permit tcp host 10.1.1.98 any eq 2121
access-list acl_in permit tcp host 10.1.1.98 any eq 8000
access-list acl_in permit tcp host 10.1.1.98 any eq 5000
access-list acl_in permit tcp host 10.1.1.98 any range 1200 1210
access-list acl_in permit tcp host 10.1.1.89 any eq 8080
access-list acl_in permit tcp host 10.1.1.89 any eq 2121
access-list acl_in permit tcp host 10.1.1.89 any eq 8000
access-list acl_in permit tcp host 10.1.1.89 any eq 5000
access-list acl_in permit tcp host 10.1.1.89 any range 1200 1210
access-list acl_in permit tcp host 10.1.1.18 any eq smtp
access-list acl_in permit tcp host 10.1.1.18 any eq pop3
access-list acl_in permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list acl_in permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list acl_in permit udp 10.1.1.0 255.255.255.0 any eq domain
access-list acl_in permit tcp host 10.1.1.151 any eq 12175
access-list acl_in permit tcp host 10.1.1.170 any eq 12175
access-list acl_in permit tcp host 10.1.1.151 any eq 8999
access-list acl_in permit tcp host 10.1.1.170 any eq 8999
access-list acl_in permit tcp host 10.1.1.151 any eq 8989
access-list acl_in permit tcp host 10.1.1.170 any eq 8989
access-list acl_in permit tcp host 10.1.1.34 any eq 12175
access-list acl_in permit tcp host 10.1.1.34 any eq 8999
access-list acl_in permit tcp host 10.1.1.34 any eq 8989
access-list acl_in permit tcp host 10.1.1.0 host 192.168.1.0
access-list acl_in deny tcp any any range 3127 3198
access-list acl_in deny udp any any eq 1434
access-list acl_in deny tcp any any eq netbios-ssn
access-list acl_in deny tcp any any eq 1034
access-list acl_in deny tcp any any eq 135
access-list acl_in deny tcp any any eq 9996
access-list acl_in deny tcp any any eq 5554
access-list acl_in deny tcp any any eq 445
access-list acl_in deny ip any any
access-list acl_out permit tcp any host xxx.xx.xxx.x eq pop3
access-list acl_out permit tcp any host xxx.xx.xxx.x eq smtp
access-list acl_out permit tcp any host xxx.xx.xxx.x eq www
access-list acl_out deny udp any any eq 1434
access-list acl_out deny udp any any eq 445
access-list acl_out deny tcp any any range 3127 3198
access-list acl_out deny tcp any any eq 9996
access-list acl_out deny tcp any any eq 5554
access-list acl_out deny tcp any any eq 445
access-list acl_out deny tcp any any eq netbios-ssn
access-list acl_out deny tcp any any eq 1034
access-list acl_out deny tcp any any eq 135
access-list acl_out deny tcp any host xxx.xx.xxx.x eq telnet
access-list acl_out permit tcp any host xxx.xx.xxx.x eq ftp
access-list localtovpnclient permit ip 10.1.1.0 255.255.255.0 10.1.127.0 255.255.255.0
access-list localtovpnclient permit ip 10.1.1.0 255.255.255.0 10.7.7.0 255.255.255.0
access-list localtovpnclient permit ip 10.1.1.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list localtovpnclient permit ip 10.1.1.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list localtovpnclient permit ip 10.1.1.0 255.255.255.0 10.5.5.0 255.255.255.0
access-list localtovpnclient permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
access-list localtovpnclient permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list localtovpnclient permit ip 192.168.1.0 255.255.255.0 10.1.127.0 255.255.255.0
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 10.1.127.0 255.255.255.0
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 10.7.7.0 255.255.255.0
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 10.5.5.0 255.255.255.0
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 10.12.12.0 255.255.255.0
access-list nonatdmz permit ip 192.168.1.0 255.255.255.0 10.1.127.0 255.255.255.0
access-list nonatdmz permit ip 192.168.1.0 255.255.255.0 10.12.12.0 255.255.255.0
access-list nonatdmz permit ip 192.168.1.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list nonatdmz permit ip 192.168.1.0 255.255.255.0 10.9.9.0 255.255.255.0
access-list acl_dmz permit tcp host 192.168.1.30 any eq ssh
access-list acl_dmz permit tcp host 192.168.1.30 any eq smtp
access-list acl_dmz permit tcp host 192.168.1.30 any eq ftp
access-list acl_dmz permit tcp host 192.168.1.31 any eq smtp
access-list acl_dmz permit udp host 192.168.1.31 any eq domain
access-list acl_dmz permit tcp host 192.168.1.31 any eq pop3
access-list acl_dmz permit ip host 192.168.1.32 any
access-list acl_dmz permit ip host 192.168.1.31 any
access-list acl_dmz deny ip any any
pager lines 24
logging timestamp
logging buffered warnings
logging trap debugging
logging history debugging
logging facility 23
logging host inside 10.1.1.138
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xx.xxx.x 255.255.255.0
ip address inside 10.1.1.2 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclientpool 10.1.127.1-10.1.127.50
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xx.xxx.xx-xxx.xx.xxx.xxx
global (dmz) 1 192.168.1.33-192.168.1.254
nat (inside) 0 access-list nonatinside
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (dmz) 0 access-list nonatdmz
nat (dmz) 1 192.168.1.0 255.255.255.0 0 0
static (dmz,outside) xxx.xx.xxx.x 192.168.1.30 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xx.xxx.x 10.1.1.19 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xx.xxx.x 1
timeout xlate 0:30:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:05:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server redbaron protocol tacacs+
aaa-server redbaron (inside) host 10.1.1.14 xxxxxxxx timeout 10
aaa authentication include tcp/0 inside 10.1.127.0 255.255.255.255 0.0.0.0 0.0.0.0 redbaron
http server enable
http 10.1.1.89 255.255.255.255 inside
http 10.1.1.138 255.255.255.255 inside
http 10.1.1.99 255.255.255.255 inside
http 10.1.1.14 255.255.255.255 inside
http 10.1.1.18 255.255.255.255 inside
http 10.1.1.96 255.255.255.255 inside
http 10.1.1.98 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.1.1.138
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set mytransform esp-3des esp-md5-hmac
crypto dynamic-map mydynmap 10 set transform-set mytransform
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer xxx.xx.xxx.xx
crypto map mymap 10 set transform-set mytransform
crypto map mymap 100 ipsec-isakmp dynamic mydynmap
crypto map mymap client authentication redbaron
crypto map mymap interface outside
isakmp enable outside
isakmp key xxxxxx address xxx.xx.xxx.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpngroup address-pool vpnclientpool
vpngroup vpngroup dns-server 10.1.1.235
vpngroup vpngroup wins-server 10.1.1.18
vpngroup vpngroup default-domain tsi.com
vpngroup vpngroup split-tunnel localtovpnclient
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password xxxxxxxx
telnet 10.1.1.89 255.255.255.255 inside
telnet 10.1.1.138 255.255.255.255 inside
telnet 10.1.1.226 255.255.255.255 inside
telnet 10.1.1.99 255.255.255.255 inside
telnet 10.1.1.96 255.255.255.255 inside
telnet timeout 5
ssh xxx.xx.xxx.x 255.255.255.255 outside
ssh 10.1.1.138 255.255.255.255 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
 
crypto map mymap 10 match address 100
The match address for the IPSEC references ACL 100 which is not one of your access lists. The DMZ addresses need to be accounted for in the ACL.

You can make your access list much easier to read and manage if you use object-groups.
 
308win,

Sorry, in my haste to post the config I removed a couple of lines. These two lines are in the running config right now.

access-list 100 permit ip 10.1.1.0 255.255.255.0 10.12.12.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.12.12.0 255.255.255.0

Does this make any difference?

Thanks.
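The point 308win makes (the ACL named by the crypto map's match address has to exist, and it has to cover the DMZ subnet as well as the inside subnet) and the two access-list 100 lines olson5000 posted afterwards can both be checked mechanically. The script below is an added example written for this thread; it is not code from the thread, from Tek-Tips or from Cisco. It parses the three kinds of PIX 6.x lines involved (access-list permit ip, nat (iface) 0 access-list, crypto map match address) and reports (1) a crypto ACL that is referenced but never defined, (2) a subnet that is NAT-exempt toward the peer on some interface but absent from the crypto ACL, and (3) a subnet the crypto ACL would encrypt that no nat 0 exemption covers. SAMPLE_BASE is a constructed excerpt in the shape of the posted config; parse_config, check_vpn, REMOTE and the ACL_100_* constants are the example's own names.

```python
"""Consistency check for a PIX 6.x site-to-site VPN definition (added example)."""
import re
from collections import defaultdict

# Only 'permit ip <src> <mask> <dst> <mask>' entries matter for nat 0 and crypto ACLs.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")


def parse_config(text):
    """Return (acls, crypto_acl_names, nat0).

    acls: {acl name: set of (src, src_mask, dst, dst_mask)}
    crypto_acl_names: ACL names used by 'crypto map ... match address'
    nat0: {interface: ACL name used for NAT exemption on that interface}
    """
    acls, crypto_acl_names, nat0 = defaultdict(set), [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].add(m.groups()[1:])
            continue
        m = MATCH_RE.match(line)
        if m:
            crypto_acl_names.append(m.group(1))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
    return dict(acls), crypto_acl_names, nat0


def check_vpn(text, remote_net):
    """Return a list of findings; an empty list means the definition is consistent.

    remote_net is the (network, mask) of the far end of the tunnel. Only ACL
    entries whose destination is that network are compared, so the split-tunnel
    and VPN-client-pool entries that share the same nonat ACLs are ignored.
    """
    acls, crypto_acl_names, nat0 = parse_config(text)
    if not crypto_acl_names:
        return ["no 'crypto map ... match address' line found"]
    findings = []
    for name in crypto_acl_names:
        if name not in acls:
            findings.append(f"crypto map references ACL '{name}' which is not defined")
            continue
        encrypted = {e for e in acls[name] if e[2:] == remote_net}
        exempt_all = set()
        for iface, nat_acl in sorted(nat0.items()):
            # On the PIX, nat 0 with an access-list keeps these sources untranslated,
            # so they reach the crypto ACL with their private addresses intact.
            exempt = {e for e in acls.get(nat_acl, set()) if e[2:] == remote_net}
            exempt_all |= exempt
            for src, mask, _, _ in sorted(exempt - encrypted):
                findings.append(f"{iface}: {src}/{mask} is NAT-exempt to the peer "
                                f"({nat_acl}) but missing from crypto ACL '{name}'")
        for src, mask, _, _ in sorted(encrypted - exempt_all):
            findings.append(f"crypto ACL '{name}' encrypts {src}/{mask} but no nat 0 "
                            f"exemption covers it, so it would be translated before IPsec")
    return findings


# Constructed excerpt in the shape of the posted config (peer address masked as on the page).
SAMPLE_BASE = """\
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 10.1.127.0 255.255.255.0
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 10.12.12.0 255.255.255.0
access-list nonatdmz permit ip 192.168.1.0 255.255.255.0 10.1.127.0 255.255.255.0
access-list nonatdmz permit ip 192.168.1.0 255.255.255.0 10.12.12.0 255.255.255.0
nat (inside) 0 access-list nonatinside
nat (dmz) 0 access-list nonatdmz
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer xxx.xx.xxx.xx
"""
# The two lines the poster said were missing from the first paste.
ACL_100_FULL = """\
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.12.12.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.12.12.0 255.255.255.0
"""
ACL_100_INSIDE_ONLY = ACL_100_FULL.splitlines()[0] + "\n"  # what 308win warned about
REMOTE = ("10.12.12.0", "255.255.255.0")

if __name__ == "__main__":
    for label, cfg in (("as first posted", SAMPLE_BASE),
                       ("with both ACL 100 lines", SAMPLE_BASE + ACL_100_FULL),
                       ("ACL 100 covers inside only", SAMPLE_BASE + ACL_100_INSIDE_ONLY)):
        print(f"{label}: {check_vpn(cfg, REMOTE) or 'consistent'}")
```

Run as-is it reports the missing ACL for the first paste, no findings once both access-list 100 lines are present, and a DMZ finding when only the inside line exists. Feeding it a full running config works the same way, since lines it does not recognise (fixups, static, acl_in entries) are simply skipped; anything it cannot see, such as whether the remote peer's crypto ACL also lists 192.168.1.0/24, still has to be checked on the other end.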
 