• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 399
  • Last Modified:

DMZ Routing traffic to VPN Hardware Client

I have a Cisco Pix 515e. i thought i had this problem whipped when i was able to get my internal hosts to access my websvr in the dmz. However, i also have a hardware vpn client hanging off the dmz.  

Remote                        Public IP for                Private IP                       PIX                             PIX
Site                            Hardware Client          Hardware Client             DMZ Inside                   Inside
172.16.2.x----------------20x.xxx.xxx.xx3 <----><---------------><----------->

I added a route statement as follows   route dmz 1

I can ping the remote site ok from the pix, but i cannot ping it from the inside.  I can ping a server in my dmz and access it so i know communications to the 10.60.4.x network is ok.  

I have this for my DMZ access-list.   The reason for the static is that the server located on the 172.16.2.x network see's our network printers as a 10.60.4.x IP, so i have all those IP's being translated to the appropriate IP on the inside.

access-list acl_dmz_in; 17 elements
access-list acl_dmz_in line 1 permit ip (hitcnt=0)
access-list acl_dmz_in line 2 permit ip (hitcnt=0)
access-list acl_dmz_in line 3 permit icmp any any echo-reply (hitcnt=12)
access-list acl_dmz_in line 4 permit icmp any any (hitcnt=170)
access-list acl_dmz_in line 5 permit ip host host (hitcnt=25)
access-list acl_dmz_in line 6 permit ip host host (hitcnt=0)
access-list acl_dmz_in line 7 permit ip host host (hitcnt=0)
access-list acl_dmz_in line 8 permit ip host host (hitcnt=0)
access-list acl_dmz_in line 9 permit ip host host (hitcnt=0)
access-list acl_dmz_in line 10 permit ip host host (hitcnt=0)
access-list acl_dmz_in line 11 permit ip host host (hitcnt=0)
access-list acl_dmz_in line 12 permit ip host host (hitcnt=0)
access-list acl_dmz_in line 13 permit ip host host (hitcnt=0)
access-list acl_dmz_in line 14 permit ip host host (hitcnt=0)
access-list acl_dmz_in line 15 permit ip host host (hitcnt=0)
access-list acl_dmz_in line 16 permit ip host host (hitcnt=0)
access-list acl_dmz_in line 17 permit ip host host (hitcnt=0)

Here are my global's

global (outside) 1 2xx.xx.xx.30 netmask
global (outside) 2 2xx.xx.xx.29 netmask

Here are my NAT statements

nat (inside) 0 access-list nonat
nat (inside) 1 0 0
nat (dmz) 2 0 0
  • 5
  • 4
1 Solution
rolltide_bamaAuthor Commented:
I forgot to add it's just not an icmp problem, i cannot telnet to that ip either....
Sounds more like a routing issue. Does the hardware client know about the network?
Perhaps you can nat traffic to the to that it appears as though it is from the subnet:

global(dmz) 3 interface

remove any nonat access-list lines that include the network

rolltide_bamaAuthor Commented:
The hardware client knows about the 10.60.4.x network because that's its inside.  The Pix should be able to hit the address of the inside and routed to the 172.16.2.x encrypted side.  What's weird is i just added this to my nonat acl and i can now ping the 172.16.2.x network. Keep in my mind that i am now substituting a Win2k3 svr box with RAS going because the other is in production.

access-list nonat line 3 permit ip

This is really weird. Does this mean that anytime you wanted to route to traffic on your DMZ network you have to have the nonat going?
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

You either have to have the Nat set up as I showed with a global (dmz), or add the line to the nonat acl..
It depends some on how the hardware client is setup ...
rolltide_bamaAuthor Commented:
Yeah, well i havent had much luck just using the global (dmz) 3 int command but its working ok with the nonat. Is there an advantage to using the global other then the real source address is hidden. Since i am going to a secure network i dont think it's going to matter to much. However, on those static statements that i have, those are translations going to network printers. The 172.16.2.x network see's the printers as 10.60.4.x IP, thats why i added those statements to translate them over to the inside, however they are not working as planned? Is that the prefered way to do that?
rolltide_bamaAuthor Commented:
Well i found the answer to my own requestion regarding the static translations... i had the freakin statement in backwards.... i should have read like this.

static (inside,dmz) netmask

i had the (dmz,inside) ..... Thats what happens when you look at this crap too long... go blind.  As for the advantage part on using the global (dmz) versus the nonat ??
My bad. Try using
global (dmz) 1  <-- "1" instead of "3"
Be sure to remove the line from the nonat acl so that you have either/or situation.

Unless you want to get into more conditional nat statements....

rolltide_bamaAuthor Commented:
thanks that worked, i just had to reload the pix for it to clear itself up after i made the changes...
Glad to help. Next time try "clear xlate" before resorting to reboot.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now