Solved

VPN client cannot access DMZ through PIX 515e v6.2

Posted on 2004-07-30
Last Modified: 2013-11-16
I have a VPN set up on my PIX 515e. When I connect I can access everything except my DMZ. I am not sure as to why. I am new to firewalls so any help would be greatly appreciated!
Question by:dgarza96
12 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11679709
Hi dgarza96,
Can you post the PIX configuration?
 

Author Comment

by:dgarza96
ID: 11679891
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password pRo7n/97JLagF4AP encrypted
passwd Y.aCpGu1.hNJqVTq encrypted
hostname dallas-pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list outside permit icmp any any unreachable
access-list outside permit tcp any host ccc.ccc.ccc.250 eq citrix-ica
access-list outside permit tcp any host ccc.ccc.ccc.231 eq ftp
access-list outside permit tcp any host ccc.ccc.ccc.231 eq ssh
access-list outside permit tcp any host ccc.ccc.ccc.129 eq www
access-list outside permit tcp any host ccc.ccc.ccc.129 eq https
access-list outside permit tcp any host ccc.ccc.ccc.129 eq smtp
access-list outside permit tcp any host ccc.ccc.ccc.212 eq 3389
access-list outside permit tcp any host ccc.ccc.ccc.212 eq www
access-list outside permit tcp any host ccc.ccc.ccc.212 eq 8080
access-list outside permit tcp any host ccc.ccc.ccc.212 eq 3000
access-list outside permit tcp any host ccc.ccc.ccc.229 eq www
access-list outside permit tcp any host ccc.ccc.ccc.229 eq https
access-list outside permit tcp any host ccc.ccc.ccc.229 eq smtp
access-list outside permit udp any ccc.ccc.ccc.0 255.255.255.0 eq domain
access-list outside permit tcp any ccc.ccc.ccc.0 255.255.255.0 eq domain
access-list outside permit tcp any host ccc.ccc.ccc.129 eq 3389
access-list outside permit tcp any host ccc.ccc.ccc.229 eq 3389
access-list outside permit tcp any host ccc.ccc.ccc.231 eq pop3
access-list outside permit tcp any host ccc.ccc.ccc.231 eq www
access-list outside permit tcp any host ccc.ccc.ccc.231 eq smtp
access-list outside permit tcp any host ccc.ccc.ccc.231 eq 6000
access-list outside permit tcp any host ccc.ccc.ccc.221 eq www
access-list outside permit tcp host 24.0.193.244 host ccc.ccc.ccc.220 eq pcanywhere-data
access-list outside permit udp host 24.0.193.244 host ccc.ccc.ccc.220 eq pcanywhere-status
access-list outside permit tcp host 24.0.193.244 host ccc.ccc.ccc.221 eq pcanywhere-data
access-list outside permit udp host 24.0.193.244 host ccc.ccc.ccc.221 eq pcanywhere-status
access-list outside permit tcp host 24.0.193.244 host ccc.ccc.ccc.222 eq pcanywhere-data
access-list outside permit udp host 24.0.193.244 host ccc.ccc.ccc.222 eq pcanywhere-status
access-list outside permit tcp host 24.0.193.244 host ccc.ccc.ccc.220 eq 1433
access-list outside permit tcp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.220 eq pcanywhere-data
access-list outside permit udp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.220 eq pcanywhere-status
access-list outside permit tcp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.220 eq 1433
access-list outside permit udp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.221 eq pcanywhere-status
access-list outside permit tcp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.222 eq 1433
access-list outside permit udp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.222 eq pcanywhere-status
access-list outside permit tcp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.221 eq pcanywhere-data
access-list outside permit tcp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.222 eq pcanywhere-data
access-list outside permit tcp host 162.40.239.129 host ccc.ccc.ccc.220 eq pcanywhere-data
access-list outside permit tcp host 162.40.239.129 host ccc.ccc.ccc.221 eq pcanywhere-data
access-list outside permit tcp host 162.40.239.129 host ccc.ccc.ccc.222 eq pcanywhere-data
access-list outside permit udp host 162.40.239.129 host ccc.ccc.ccc.220 eq pcanywhere-status
access-list outside permit udp host 162.40.239.129 host ccc.ccc.ccc.221 eq pcanywhere-status
access-list outside permit udp host 162.40.239.129 host ccc.ccc.ccc.222 eq pcanywhere-status
access-list outside permit tcp host 162.40.239.129 host ccc.ccc.ccc.220 eq 1433
access-list outside permit tcp host 162.40.239.129 host ccc.ccc.ccc.222 eq 1433
access-list outside deny ip any any
access-list dmz permit tcp host bbb.bbb.bbb.11 host aaa.aaa.aaa.70
access-list dmz permit udp host bbb.bbb.bbb.11 host aaa.aaa.aaa.70
access-list dmz permit tcp host bbb.bbb.bbb.11 host aaa.aaa.aaa.80 eq netbios-ssn
access-list dmz permit tcp host bbb.bbb.bbb.13 host aaa.aaa.aaa.70 eq netbios-ssn
access-list dmz permit udp host bbb.bbb.bbb.12 host aaa.aaa.aaa.70
access-list dmz permit udp host bbb.bbb.bbb.12 host aaa.aaa.aaa.80
access-list dmz permit tcp host bbb.bbb.bbb.14 host aaa.aaa.aaa.70
access-list dmz permit udp host bbb.bbb.bbb.14 host aaa.aaa.aaa.70
access-list dmz permit tcp host bbb.bbb.bbb.24 host aaa.aaa.aaa.70
access-list dmz permit udp host bbb.bbb.bbb.24 host aaa.aaa.aaa.70
access-list dmz permit tcp host bbb.bbb.bbb.12 host aaa.aaa.aaa.78
access-list dmz permit tcp host bbb.bbb.bbb.24 host aaa.aaa.aaa.78
access-list 101 permit ip aaa.aaa.aaa.0 255.255.255.0 bbb.bbb.bbb.0 255.255.255.0
access-list 101 permit ip ddd.ddd.ddd.0 255.255.255.0 bbb.bbb.bbb.0 255.255.255.0
access-list 101 permit ip aaa.aaa.aaa.0 255.255.255.0 host 192.168.12.5
access-list 101 permit ip ddd.ddd.ddd.0 255.255.255.0 host 192.168.12.5
access-list inside permit tcp aaa.aaa.aaa.0 255.255.255.0 bbb.bbb.bbb.0 255.255.255.0
access-list inside permit tcp aaa.aaa.aaa.0 255.255.255.0 216.74.134.0 255.255.255.0
access-list inside permit tcp ddd.ddd.ddd.0 255.255.255.0 bbb.bbb.bbb.0 255.255.255.0
access-list inside permit ip any any
pager lines 24
logging on
logging buffered warnings
logging queue 2000
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 100basetx
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside ccc.ccc.ccc.252 255.255.255.128
ip address inside aaa.aaa.aaa.1 255.255.255.0
ip address dmz bbb.bbb.bbb.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.12.5
pdm history enable
arp timeout 14400
global (outside) 1 ccc.ccc.ccc.251
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) ccc.ccc.ccc.231 bbb.bbb.bbb.13 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.129 bbb.bbb.bbb.14 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.14 172.24.2.52 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.250 bbb.bbb.bbb.11 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.212 bbb.bbb.bbb.12 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.229 bbb.bbb.bbb.24 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.220 bbb.bbb.bbb.220 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.221 bbb.bbb.bbb.221 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.222 bbb.bbb.bbb.222 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 ccc.ccc.ccc.253 1
route dmz 172.24.0.0 255.255.0.0 bbb.bbb.bbb.1 1
route inside ddd.ddd.ddd.0 255.255.255.0 aaa.aaa.aaa.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host aaa.aaa.aaa.70 XXXXXX timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server aaa.aaa.aaa.70
vpngroup vpn3000 wins-server aaa.aaa.aaa.70
vpngroup vpn3000 default-domain XXXXXXX.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
 
LVL 36

Expert Comment

by:grblades
ID: 11680048
I would suggest that you configure a split-tunnel so that all traffic for your internal network goes over the VPN but connections to the public IP address of the machines in the DMZ don't go over the VPN. This will save you having two configurations (one for accessing directly and one for over the VPN).
Author Comment

by:dgarza96
ID: 11680721
Can you suggest how to do this? I really appreciate it.

Thanks,

Danny
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
ID: 11681333
Try adding this to the configuration :-

access-list splitTunnelAcl permit ip aaa.aaa.aaa.0 255.255.255.0 any
access-list splitTunnelAcl permit ip ddd.ddd.ddd.0 255.255.255.0 any
vpngroup vpn3000 split-tunnel splitTunnelAcl


P.S. Did you know that you can use your RADIUS server to issue ACLs to each individual user's VPN session, so you can control what each user can access on the internal network?
Have a look at my webpage for more information if you are interested :-
http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
 

Author Comment

by:dgarza96
ID: 11714778
Thanks for the suggestions. I enabled the split-tunnel and now can access the internet while connected to the VPN; however, I cannot access my mail server, which is located on the DMZ. I can send you the config if you want without all of the confusing a's and b's for IP addresses.

Thanks for all of your help
 
LVL 36

Expert Comment

by:grblades
ID: 11715611
How are you trying to access the mail server?
You should be accessing it via the external IP address.

Feel free to post your configuration and I will have a look.
 

Author Comment

by:dgarza96
ID: 11715699
When I am at my office my DNS server resolves my mail server to 192.168.x.x. When I am out of the office it resolves to my external public address. When I connect via VPN my DNS is trying to access it via the 192.168.x.x address. How can I get around this?

Thanks for your quick response!
 
LVL 36

Expert Comment

by:grblades
ID: 11716132
I run a Linux DNS server and I got around it by configuring 'views' in the BIND configuration so that it issues different results depending on which machine is requesting the information.

In named.conf I have something like :-

view "internal" {
        // This should match our internal networks.
        match-clients { 10.0.0.0/8; 127.0.0.0/8; };
        zone "." {
                type hint;
                file "root.hints";
        };
        zone "mydomain.com" {
                type master;
                file "mydomain-internal.zone";
        };
        zone "0.10.in-addr.arpa" in {
                type master;
                file "10.0.zone";
        };
};

view "external" {
        // This should match other networks (vpn). Views are tried in order,
        // so any client not caught by "internal" lands here.
        match-clients { any; };
        zone "." {
                type hint;
                file "root.hints";
        };
        zone "mydomain.com" {
                type master;
                // Same names as the internal zone, but the answers handed to
                // VPN and other non-internal clients.
                file "mydomain-vpn.zone";
        };
        zone "0.10.in-addr.arpa" in {
                type master;
                file "10.0.zone";
        };
};
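As an added worked example (not code from this thread or from either poster), the following Python models the two pieces that interact in this problem: which answer a client gets from DNS (a single internal server, or BIND view semantics as in the named.conf above) and whether the splitTunnelAcl from the accepted answer sends that destination through the tunnel or straight out the client's own Internet link. All addresses are constructed stand-ins for the masked aaa/bbb/ccc/ddd values and the 192.168.12.5 pool address.

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the thread (assumptions, not the
# poster's real values): aaa.aaa.aaa.0/24 and ddd.ddd.ddd.0/24 are the inside networks,
# bbb.bbb.bbb.24 the DMZ mail server, ccc.ccc.ccc.229 its public static, and
# 192.168.12.5 the address handed out by 'ip local pool ippool'.
INSIDE_NETS = [ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_network("10.10.2.0/24")]
DMZ_MAIL_PRIVATE = ipaddress.ip_address("10.10.3.24")
DMZ_MAIL_PUBLIC = ipaddress.ip_address("198.51.100.229")
VPN_CLIENT = ipaddress.ip_address("192.168.12.5")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# splitTunnelAcl from the accepted answer: only the inside networks are encrypted.
SPLIT_TUNNEL_ACL = list(INSIDE_NETS)

# DNS data as (match-clients, answer) pairs. The poster's single internal server always
# returns the private address; the BIND view setup answers by the querier's source.
SINGLE_DNS = [(ipaddress.ip_network("0.0.0.0/0"), DMZ_MAIL_PRIVATE)]
VIEWED_DNS = [
    (ipaddress.ip_network("10.0.0.0/8"), DMZ_MAIL_PRIVATE),  # view "internal"
    (ipaddress.ip_network("0.0.0.0/0"), DMZ_MAIL_PUBLIC),    # view "external": any
]


def resolve(client, views):
    """BIND view semantics: the first view whose match-clients contains the querier answers."""
    for match_clients, answer in views:
        if client in match_clients:
            return answer
    raise LookupError("no view matched the client")


def path(dst, acl):
    """Split-tunnel decision the VPN client makes per destination."""
    return "tunnel" if any(dst in net for net in acl) else "direct"


def mail_reachable(client, views, acl):
    """Return (reachable, resolved address, path).

    Tunnelled destinations are the inside networks the PIX forwards to. Anything sent
    direct rides the client's own Internet link, so it must be a public address; a
    private DMZ address that leaks out this way is simply unroutable.
    """
    dst = resolve(client, views)
    via = path(dst, acl)
    if via == "tunnel":
        return True, dst, via
    return not any(dst in net for net in RFC1918), dst, via
```

Running mail_reachable for the VPN client against SINGLE_DNS reproduces the failure in the thread (private DMZ address, sent direct, unreachable); against VIEWED_DNS the client gets the public static and reaches the mail server through the outside interface, which is what the poster's second, VPN-only DNS server achieved.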
 

Author Comment

by:dgarza96
ID: 11716216
What about using MS DNS?
 
LVL 36

Expert Comment

by:grblades
ID: 11718001
I haven't used MS DNS for over 4 years so cannot really help. If it does not support this feature then you might have to set up a second DNS server for use by the VPN users only.
 

Author Comment

by:dgarza96
ID: 11726023
I have installed a second DNS server dedicated to the VPN clients. I tried it out last night and everything worked great.

Thanks for your help grblades.  I am awarding you all points!

Danny