Firewall Wizards mailing list archives
Re: VPN/DMZ problem
From: Chris Myers <clmmacunix () charter net>
Date: Thu, 4 Sep 2008 06:37:57 -0500
Hi Ian,

What is the revision you are running? If 6.3 then make sure that there is a 'nat 0 access-list nonat'. This matches the ACL/ACLs below depending on how many you need to build for nonat. You need a nat 0 statement above for each interface matching the nonat access-list. If this is 6.3 then you will have to work with the nat 0 nonat and nat <interface> 1 0.0.0.0 0.0.0.0 to make sure the regular traffic can still get to where it needs to go, i.e. the internet.

If it is 7.x and above then you have several choices, many of which are the same here, if you choose to have nat control turned on (off by default) and the sysopt permit-ipsec on or off. If you choose to have it on, then the configuration is the same as 6.3. If you have it off then you need ACLs on the outside interface for incoming traffic.

One last note: don't forget ACLs on the ingress inside interfaces if you want bi-directional traffic.
access-list nonat permit ip <dmz subnet> 150.150.62.0 255.255.255.0 - and so on
Chris Myers
clmmacunix () charter net
John 1:17 For the Law was given through Moses; grace and truth were realized through Jesus Christ.
Go Vols!!!!

On Sep 2, 2008, at 5:06 AM, Ian Rarity wrote:
Hi,

We're having a problem with our VPN; we have a PIX 515E with 4 interfaces:

Inside (security100) - Our internal LAN, 150.150.10.0/24
Outside (security0) - The Internet
Perimeter (security50) - DMZ, 172.16.1.0/24
Innerperimeter (security75) - "Inner" DMZ, 150.150.11.0/24

The VPN is a certificate/token-based set up, with VPN users being assigned addresses from 150.150.62.0/24 (don't ask me about the weird addressing scheme; it was like that when I got here).

The problem we're having is that VPN users can't access hosts in either of the DMZs, although they can see LAN hosts just fine. I'm assuming that this is because the VPN traffic is coming in through the PIX's "outside" interface, and the usual rule about traffic from interfaces with a lower security level going to an interface with a higher one is applying. I've tried to override this with another access list, by "nat 0"-ing the two DMZ interfaces, but external VPN users still can't see hosts in the DMZs. Obviously I'm screwing up somewhere, but I'd be very grateful if someone could tell me how.

Ta,
IR.
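As an added illustration of the per-interface nat 0 / nonat arrangement Chris describes (not part of the thread, and not a configuration from either poster), assuming PIX 6.3 syntax, the subnets Ian listed, and the nameif names inside, perimeter and innerperimeter:

```cisco
! Added example, not from the thread. Assumes PIX 6.3 and the nameif
! names inside / perimeter / innerperimeter; vpnpool and dmz_in are
! made-up names. The pool hands VPN clients 150.150.62.0/24 addresses.
ip local pool vpnpool 150.150.62.1-150.150.62.254

! One nonat entry per protected subnet, each scoped to the VPN pool only
! (not "any"), so NAT exemption stays as narrow as possible.
access-list nonat permit ip 150.150.10.0 255.255.255.0 150.150.62.0 255.255.255.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 150.150.62.0 255.255.255.0
access-list nonat permit ip 150.150.11.0 255.255.255.0 150.150.62.0 255.255.255.0

! A nat 0 statement on EVERY interface whose subnet appears in nonat;
! nat 0 on inside alone leaves the two DMZs still translated.
nat (inside) 0 access-list nonat
nat (perimeter) 0 access-list nonat
nat (innerperimeter) 0 access-list nonat

! Regular (non-VPN) traffic keeps its ordinary PAT to the internet.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (perimeter) 1 0.0.0.0 0.0.0.0
nat (innerperimeter) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Lets decrypted IPsec traffic bypass the outside interface ACL;
! with this off, the outside ACL must explicitly permit the VPN pool.
sysopt connection permit-ipsec

! Ingress ACL on a DMZ interface so DMZ hosts can reply to / reach
! VPN clients (needed for bi-directional traffic, as Chris notes).
access-list dmz_in permit ip 172.16.1.0 255.255.255.0 150.150.62.0 255.255.255.0
access-group dmz_in in interface perimeter
```

After applying it, `show xlate` should show no translation entries for traffic between a DMZ host and a 150.150.62.x client; if one appears, the matching nat 0 line or nonat entry is missing for that interface.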
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- VPN/DMZ problem Ian Rarity (Sep 03)
- Re: VPN/DMZ problem Chris Myers (Sep 04)
- Re: VPN/DMZ problem Christopher J. Wargaski (Sep 04)
- Re: VPN/DMZ problem Ian Rarity (Sep 10)
- Re: VPN/DMZ problem ॐ aditya mukadam ॐ (Sep 10)
