503 dmz+vpn issues

Newsgroup: comp.dcom.sys.cisco
Posted by Sako on December 14, 2005, 11:19 am
Hi gents, I have a VPN tunnel on one of the PIXes which is working
properly.
The fact is the VPN connections can get through to the inside interface,
but they don't see the DMZ. This is my configuration:
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ip address outside 10.200.100.253 255.255.0.0
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 192.168.20.1 255.255.255.0
global (outside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list nonat_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.200.100.250 1
route outside XX.XX.XX.XX 255.255.255.255 10.200.100.190

Does NAT cut the traffic? Do I have to make a special rule for the
incoming VPN connections?
Right now the access-list for those connections looks like this:

access-list remote_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list remote_acl permit icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

So, will it be enough to add a line with the DMZ IP address?

Thanks for any help you can provide me.
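The configuration below is an added example, not Sako's config and not a reply from this thread. It shows the two things a PIX 6.x needs before a DMZ behind intf2 is reachable through the LAN-to-LAN tunnel, using the addresses visible in the post: the DMZ is intf2 (192.168.20.0/24) and the tunnel in question carries 192.168.5.0/24 (the network in remote_acl). The crypto map name "outside_map" and sequence number 10 are assumed, because the post does not show the crypto map; the new ACL name dmz_nonat_acl is also an assumption.

```cisco
! Added example: making the DMZ (intf2, 192.168.20.0/24) reachable over the tunnel
! to 192.168.5.0/24. Names outside_map / 10 / dmz_nonat_acl are assumptions.
!
! 1. NAT exemption for the DMZ.
!    nat (inside) 0 access-list nonat_acl only exempts traffic that enters on the
!    inside interface. DMZ hosts are matched by "nat (intf2) 1 0.0.0.0 0.0.0.0",
!    so their packets to 192.168.5.0/24 get PAT'd to the outside interface address
!    and no longer match the crypto ACL. A separate nat 0 on intf2 is needed.
access-list dmz_nonat_acl permit ip 192.168.20.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (intf2) 0 access-list dmz_nonat_acl
!
! 2. Crypto ACL (what the tunnel is allowed to carry).
!    Adding the DMZ to nonat_acl alone does nothing: the tunnel only encrypts
!    flows that match the ACL bound to the crypto map, so the DMZ network has
!    to be in remote_acl as well. "permit ip" already covers ICMP.
access-list remote_acl permit ip 192.168.20.0 255.255.255.0 192.168.5.0 255.255.255.0
crypto map outside_map 10 match address remote_acl
!
! 3. Decrypted traffic arriving on outside is still checked against
!    outside_access_in unless IPsec traffic is exempted from it. Either keep
!    this sysopt (if it is already set, nothing changes) or add an ACE permitting
!    192.168.5.0/24 -> 192.168.20.0/24 to outside_access_in.
sysopt connection permit-ipsec
!
! 4. The remote peer must hold the mirror image of the new ACE
!    (192.168.5.0/24 -> 192.168.20.0/24), otherwise phase 2 for that pair of
!    networks fails with a proxy identity mismatch.
!
! Checks after the change (run from the DMZ host towards 192.168.5.x):
show access-list remote_acl      ! hit counts on the DMZ ACE must increase
show crypto ipsec sa             ! a second SA pair for 192.168.20.0/24 <-> 192.168.5.0/24
show xlate                       ! no PAT entry for the DMZ host towards 192.168.5.x
```

The same pattern (one nat 0 ACE on intf2 plus one crypto ACE on both ends) is repeated for each of the other remote networks in nonat_acl (192.168.2.0/24 through 192.168.6.0/24) that should also see the DMZ; a network that is only in the exemption list but not in the crypto ACL will leave the PIX in the clear via the default route instead of entering the tunnel.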

