
VPN access to DMZ?

Status
Not open for further replies.

veral (Technical User, GB), Jun 26, 2005
My VPN config allows me to access the internal network freely.

Is it possible to access the DMZ from there? If so, how?



Thx
 
Veral,

If you are using split tunneling, did you add a route to your DMZ in your split tunnel ACL? If your inside subnet is being NAT/PATed, did you add a line to your NAT 0 ACL permitting the VPN pool to DMZ? If you don't know how to do/check these please post your config.

Joe
 
Hiyas,

I believe this is all that's relevant. Thanks in advance =)


: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in remark ftp access to DMZ
access-list outside_access_in permit tcp any xxx.xxx.xxx.0 255.255.255.0 eq ftp
access-list outside_access_in remark ftp-data access to DMZ
access-list outside_access_in permit tcp any xxx.xxx.xxx.0 255.255.255.0 eq ftp-data
access-list outside_access_in remark smtp access to all DMZ IPs
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in remark http access to all DMZ IPs
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in remark https access to all DMZ IPs
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in remark urchin access to all DMZ IPs
access-list outside_access_in permit tcp any any eq 9999
access-list outside_access_in remark FDE access to DMZ from alton towers
access-list outside_access_in permit tcp any xxx.xxx.xxx.0 255.255.255.0 eq 8500
access-list outside_access_in remark terminal services access to DMZ
access-list outside_access_in permit tcp any xxx.xxx.xxx.0 255.255.255.0 eq 3389
access-list outside_access_in remark icmp anywhere
access-list outside_access_in permit icmp any any

access-list dmz_access_in remark outbound for dmz
access-list dmz_access_in permit ip any any
access-list bob_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list bob_splitTunnelAcl_1 permit ip any any
access-list dmz_nat0_outbound permit ip any 192.168.1.48 255.255.255.240
pager lines 24
icmp permit any outside
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.221 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.50-192.168.1.60
pdm location 192.168.2.194 255.255.255.255 dmz
pdm location 192.168.2.200 255.255.255.255 dmz
pdm location 192.168.2.195 255.255.255.255 dmz
pdm location 192.168.2.196 255.255.255.255 dmz
pdm location 192.168.2.197 255.255.255.255 dmz
pdm location 192.168.2.198 255.255.255.255 dmz
pdm location 192.168.2.199 255.255.255.255 dmz
pdm location 192.168.2.201 255.255.255.255 dmz
pdm location 192.168.2.202 255.255.255.255 dmz
pdm location 192.168.2.203 255.255.255.255 dmz
pdm location 192.168.2.207 255.255.255.255 dmz
pdm location 192.168.2.208 255.255.255.255 dmz
pdm location 192.168.2.209 255.255.255.255 dmz
pdm location 192.168.2.210 255.255.255.255 dmz
pdm location 192.168.2.211 255.255.255.255 dmz
pdm location 192.168.2.212 255.255.255.255 dmz
pdm location 192.168.2.213 255.255.255.255 dmz
pdm location 192.168.2.214 255.255.255.255 dmz
pdm location 192.168.2.217 255.255.255.255 dmz
pdm location 192.168.2.218 255.255.255.255 dmz
pdm location 192.168.2.219 255.255.255.255 dmz
pdm location 192.168.2.220 255.255.255.255 dmz
pdm location 192.168.2.222 255.255.255.255 dmz
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 192.168.2.50-192.168.2.60
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) xxx.xxx.xxx.194 192.168.2.194 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.200 192.168.2.200 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.201 192.168.2.201 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.202 192.168.2.202 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.208 192.168.2.208 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.222 192.168.2.222 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.207 192.168.2.207 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.210 192.168.2.210 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.214 192.168.2.214 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.195 192.168.2.195 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.211 192.168.2.211 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.212 192.168.2.212 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.209 192.168.2.209 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.213 192.168.2.213 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.197 192.168.2.197 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.196 192.168.2.196 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.198 192.168.2.198 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.199 192.168.2.199 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.218 192.168.2.218 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.219 192.168.2.219 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.203 192.168.2.203 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.217 192.168.2.217 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.220 192.168.2.220 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup bob address-pool vpnpool
vpngroup bob dns-server yyy.yyy.yyy.10 yyy.yyy.yyy.70
vpngroup bob default-domain
vpngroup bob split-tunnel _splitTunnelAcl
vpngroup bob idle-time 1800
vpngroup bob password ********
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0

: end
 
Try adding the following:

access-list bob_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
! adds a route on the VPN client to the DMZ subnet

Your NAT 0 ACL doesn't need to be changed because it matches any traffic going to your VPN client address pool.

Let us know how it works.

Joe
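An added config-audit script for the two checks Joe's reply walks through (does the split-tunnel ACL carry the DMZ subnet, and does the DMZ's nat 0 ACL exempt the whole VPN pool); it is not part of the thread, it parses a constructed excerpt written in the style of the posted PIX 6.3 config, and the function names are my own. It also handles the `host` address form, which the posted ACLs do not use.

```python
import ipaddress

# Constructed excerpt modelled on the PIX 6.3 config posted in the thread (not the poster's file).
PIX_CONFIG = """\
access-list bob_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list dmz_nat0_outbound permit ip any 192.168.1.48 255.255.255.240
ip local pool vpnpool 192.168.1.50-192.168.1.60
nat (dmz) 0 access-list dmz_nat0_outbound
vpngroup bob address-pool vpnpool
vpngroup bob split-tunnel bob_splitTunnelAcl
"""

def _net(tokens):
    """Pop one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_config(text):
    """Collect 'permit ip' ACL entries, local pools, vpngroup settings and nat 0 ACL names."""
    acls, pools, groups, nat0 = {}, {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            acls.setdefault(t[1], []).append((_net(rest), _net(rest)))  # (src, dst)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
        elif t[:1] == ["vpngroup"] and len(t) == 4:
            groups.setdefault(t[1], {})[t[2]] = t[3]
    return acls, pools, groups, nat0

def check_vpn_to_dmz(text, group, dmz_iface, dmz_net):
    """Return (split_tunnel_ok, nat0_ok), the two things Joe's first reply asks about."""
    acls, pools, groups, nat0 = parse_config(text)
    dmz = ipaddress.ip_network(dmz_net)
    g = groups[group]
    lo, hi = pools[g["address-pool"]]
    # Source side of a split-tunnel entry = network the client is told to route via the tunnel.
    split_ok = any(dmz.subnet_of(src) for src, _ in acls.get(g["split-tunnel"], []))
    # nat 0 on the DMZ must exempt traffic to every address the VPN pool can hand out.
    exempt = acls.get(nat0.get(dmz_iface, ""), [])
    nat0_ok = all(any(ipaddress.ip_address(a) in dst for _, dst in exempt)
                  for a in range(int(lo), int(hi) + 1))
    return split_ok, nat0_ok
```

Run against the excerpt as posted it reports (False, True): the split tunnel is missing the DMZ route while the existing nat 0 entry already covers the pool; appending the line Joe suggests flips the first result to True.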
 
That works great - thanks =)

One more question ...


I know that the Pix doesn't like traffic going from the DMZ to the External interface (e.g. if a machine has 192.168.2.100, and then points to its external internet interface xxx.xxx.xxx.100), is there a way to allow such a request?

Or do I need to rebuild the DMZ DNS server so all such requests to xxx.xxx.xxx.100 are sent instead to 192.168.2.100 - if you see what I mean.



Thanks again
 
I don't understand what you're asking. Hosts on the DMZ should be able to access anything on the outside interface (i.e. Internet) if they initiate the traffic. This is because the security level of the DMZ is greater than the outside.

If you're talking about having a public IP on the outside be mapped to your DMZ IP then yes, this is possible and not very difficult to do. In fact you're doing it with many IPs with your "static" commands in your config. No server rebuild is necessary, add the static mapping commands and allow DNS to your DNS server's outside IP address in the outside_access_in ACL.
 
I think I understand, and the answer is "no". A server on the DMZ cannot reference itself, or any other DMZ computer, by their "outside" addresses.

The rule is that a packet will not exit the interface on which it arrives. It can be a pain.

Generally, I suggest using DNS names instead. If you use your ISP's DNS server, then the DNS aliasing will handle it (but you need all your servers in the public DNS). Better, set up your own DNS server with names resolving to the internal addresses, then use your ISP's server for just your public servers.
 
Thanks all, you've been very helpful =)

 