DMZ Routing traffic to VPN Hardware Client

Posted on 2004-04-08
Last Modified: 2013-11-16
I have a Cisco PIX 515e. I thought I had this problem whipped when I was able to get my internal hosts to access my web server in the DMZ. However, I also have a hardware VPN client hanging off the DMZ.

Remote                        Public IP for                Private IP                       PIX                             PIX
Site                            Hardware Client          Hardware Client             DMZ Inside                   Inside
172.16.2.x----------------20x.xxx.xxx.xx3 <---->10.60.4.2<--------------->10.60.4.1<----------->10.5.5.1

I added a route statement as follows:

route dmz 172.16.2.0 255.255.255.0 10.60.4.2 1

I can ping the remote site 172.16.2.1 OK from the PIX, but I cannot ping it from the inside. I can ping a server in my DMZ and access it, so I know communication to the 10.60.4.x network is OK.

I have this for my DMZ access-list. The reason for the static is that the server located on the 172.16.2.x network sees our network printers as 10.60.4.x IPs, so I have all those IPs being translated to the appropriate IP on the inside.

access-list acl_dmz_in; 17 elements
access-list acl_dmz_in line 1 permit ip 172.16.2.0 255.255.255.0 10.5.5.0 255.255.255.0 (hitcnt=0)
access-list acl_dmz_in line 2 permit ip 172.16.2.0 255.255.255.0 10.60.4.0 255.255.255.0 (hitcnt=0)
access-list acl_dmz_in line 3 permit icmp any any echo-reply (hitcnt=12)
access-list acl_dmz_in line 4 permit icmp any any (hitcnt=170)
access-list acl_dmz_in line 5 permit ip host 10.60.4.10 host 10.5.5.230 (hitcnt=25)
access-list acl_dmz_in line 6 permit ip host 10.60.4.11 host 10.5.5.231 (hitcnt=0)
access-list acl_dmz_in line 7 permit ip host 10.60.4.12 host 10.5.5.232 (hitcnt=0)
access-list acl_dmz_in line 8 permit ip host 10.60.4.13 host 10.5.5.236 (hitcnt=0)
access-list acl_dmz_in line 9 permit ip host 10.60.4.14 host 10.5.5.237 (hitcnt=0)
access-list acl_dmz_in line 10 permit ip host 10.60.4.15 host 10.5.5.238 (hitcnt=0)
access-list acl_dmz_in line 11 permit ip host 10.60.4.16 host 10.5.5.242 (hitcnt=0)
access-list acl_dmz_in line 12 permit ip host 10.60.4.17 host 10.5.5.243 (hitcnt=0)
access-list acl_dmz_in line 13 permit ip host 10.60.4.18 host 10.5.5.244 (hitcnt=0)
access-list acl_dmz_in line 14 permit ip host 10.60.4.19 host 10.5.5.246 (hitcnt=0)
access-list acl_dmz_in line 15 permit ip host 10.60.4.20 host 10.5.5.247 (hitcnt=0)
access-list acl_dmz_in line 16 permit ip host 10.60.4.22 host 10.5.5.241 (hitcnt=0)
access-list acl_dmz_in line 17 permit ip host 10.60.4.23 host 10.5.5.248 (hitcnt=0)

Here are my globals:

global (outside) 1 2xx.xx.xx.30 netmask 255.255.255.224
global (outside) 2 2xx.xx.xx.29 netmask 255.255.255.224

Here are my NAT statements:

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 2 10.60.4.0 255.255.255.0 0 0
Question by:rolltide_bama
9 Comments
Author Comment

by:rolltide_bama
ID: 10788664
I forgot to add: it's not just an ICMP problem, I cannot telnet to that IP either....
LVL 79

Expert Comment

by:lrmoore
ID: 10790906
Sounds more like a routing issue. Does the hardware client know about the 10.5.5.0 network?
Perhaps you can NAT traffic to the 172.16.2.0 network so that it appears as though it is from the 10.60.4.0 subnet:

global (dmz) 3 interface

Remove any nonat access-list lines that include the 172.16.2.0 network.

Author Comment

by:rolltide_bama
ID: 10790982
The hardware client knows about the 10.60.4.x network because that's its inside. The PIX should be able to hit the 10.60.4.2 address of the inside and be routed to the 172.16.2.x encrypted side. What's weird is I just added this to my nonat ACL and I can now ping the 172.16.2.x network. Keep in mind that I am now substituting a Win2k3 server box with RAS going because the other is in production.

access-list nonat line 3 permit ip 10.5.5.0 255.255.255.0 172.16.2.0 255.255.255.0

This is really weird. Does this mean that any time you want to route traffic on your DMZ network you have to have the nonat going?
LVL 79

Expert Comment

by:lrmoore
ID: 10791380
You either have to have the NAT set up as I showed with a global (dmz), or add the line to the nonat ACL.
It depends some on how the hardware client is setup ...
Author Comment

by:rolltide_bama
ID: 10792604
Yeah, well I haven't had much luck just using the global (dmz) 3 interface command, but it's working OK with the nonat. Is there an advantage to using the global other than that the real source address is hidden? Since I am going to a secure network I don't think it's going to matter too much. However, on those static statements that I have, those are translations going to network printers. The 172.16.2.x network sees the printers as 10.60.4.x IPs; that's why I added those statements to translate them over to the inside. However, they are not working as planned. Is that the preferred way to do that?
Author Comment

by:rolltide_bama
ID: 10792883
Well, I found the answer to my own question regarding the static translations... I had the freakin statement in backwards.... It should have read like this:

static (inside,dmz) 10.60.4.23 10.5.5.248 netmask 255.255.255.255

I had the (dmz,inside) ..... That's what happens when you look at this crap too long... you go blind. As for the advantage part on using the global (dmz) versus the nonat??
LVL 79

Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 10792892
My bad. Try using
global (dmz) 1  <-- "1" instead of "3"
Be sure to remove the line from the nonat ACL so that you have an either/or situation.


Unless you want to get into more conditional nat statements....

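Added example, not from the thread or from Cisco: a small Python model of the translation lookup the thread is wrestling with, so the "global (dmz) 3" vs "global (dmz) 1" difference and the nonat shortcut can be checked side by side. It assumes the classic PIX 6.x order (nat 0 access-list exemption, then static, then dynamic nat/global paired by nat-id on the egress interface) and uses a constructed config mirroring the poster's.

```python
# Added example (not the thread's or Cisco's code): model of how a PIX 6.x
# chooses a translation for a packet leaving a higher-security interface
# (inside) toward a lower-security one (dmz). Assumed lookup order:
#   1. nat 0 access-list (exemption)  2. static  3. dynamic nat/global by id.
# With no matching translation the packet is dropped, which is the symptom
# in the thread: ping works from the PIX itself but not from inside hosts.
import ipaddress

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def pick_xlate(cfg, src_if, dst_if, src_ip, dst_ip):
    """Return (kind, translated_source) or ('drop', reason)."""
    # 1. nat 0 access-list: identity, no translation at all
    for s, d in cfg.get("nonat", []):
        if in_net(src_ip, s) and in_net(dst_ip, d):
            return ("nonat", src_ip)
    # 2. static (real_if,mapped_if) mapped real: fixed one-to-one mapping
    for real_if, mapped_if, mapped, real in cfg.get("static", []):
        if real_if == src_if and mapped_if == dst_if and src_ip == real:
            return ("static", mapped)
    # 3. dynamic: nat (src_if) <id> <net> needs a global (dst_if) <same id>
    for nat_if, nat_id, net in cfg.get("nat", []):
        if nat_if == src_if and in_net(src_ip, net):
            for glob_if, glob_id, pool in cfg.get("global", []):
                if glob_if == dst_if and glob_id == nat_id:
                    return ("dynamic", pool)
            return ("drop", "no global on %s for nat id %d" % (dst_if, nat_id))
    return ("drop", "no nat rule matches source")

# Constructed config mirroring the thread: nat (inside) 1 with globals only
# on outside, nat (dmz) 2, and the corrected static (inside,dmz) for a printer.
BASE = {
    "nat": [("inside", 1, "0.0.0.0/0"), ("dmz", 2, "10.60.4.0/24")],
    "global": [("outside", 1, "2xx.xx.xx.30"), ("outside", 2, "2xx.xx.xx.29")],
    "static": [("inside", "dmz", "10.60.4.23", "10.5.5.248")],
}

def with_global_dmz(nat_id):
    """BASE plus 'global (dmz) <nat_id> interface' (the expert's suggestion)."""
    cfg = {k: list(v) for k, v in BASE.items()}
    cfg["global"].append(("dmz", nat_id, "interface"))
    return cfg

def with_nonat():
    """BASE plus the nonat line the poster added (identity, no translation)."""
    cfg = {k: list(v) for k, v in BASE.items()}
    cfg["nonat"] = [("10.5.5.0/24", "172.16.2.0/24")]
    return cfg
```

Running pick_xlate(BASE, "inside", "dmz", "10.5.5.50", "172.16.2.1") returns a drop, as does the config with global (dmz) 3 (id mismatch with nat (inside) 1); global (dmz) 1 or the nonat line both produce a usable translation. Remember "clear xlate" after changing these on a real box, as noted later in the thread.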
Author Comment

by:rolltide_bama
ID: 10793031
Thanks, that worked. I just had to reload the PIX for it to clear itself up after I made the changes...
LVL 79

Expert Comment

by:lrmoore
ID: 10793086
Glad to help. Next time try "clear xlate" before resorting to reboot.

- ROLL TIDE, ROLL!