
VPN client cannot access DMZ through PIX 515e v6.2

Posted on 2004-07-30
Last Modified: 2013-11-16
I have a VPN set up on my PIX 515e. When I connect I can access everything except my DMZ. I am not sure as to why. I am new to firewalls, so any help would be greatly appreciated!
Question by:dgarza96
 
Expert Comment

by:grblades
ID: 11679709
Hi dgarza96,
Can you post the PIX configuration?

Author Comment

by:dgarza96
ID: 11679891
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password pRo7n/97JLagF4AP encrypted
passwd Y.aCpGu1.hNJqVTq encrypted
hostname dallas-pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list outside permit icmp any any unreachable
access-list outside permit tcp any host ccc.ccc.ccc.250 eq citrix-ica
access-list outside permit tcp any host ccc.ccc.ccc.231 eq ftp
access-list outside permit tcp any host ccc.ccc.ccc.231 eq ssh
access-list outside permit tcp any host ccc.ccc.ccc.129 eq www
access-list outside permit tcp any host ccc.ccc.ccc.129 eq https
access-list outside permit tcp any host ccc.ccc.ccc.129 eq smtp
access-list outside permit tcp any host ccc.ccc.ccc.212 eq 3389
access-list outside permit tcp any host ccc.ccc.ccc.212 eq www
access-list outside permit tcp any host ccc.ccc.ccc.212 eq 8080
access-list outside permit tcp any host ccc.ccc.ccc.212 eq 3000
access-list outside permit tcp any host ccc.ccc.ccc.229 eq www
access-list outside permit tcp any host ccc.ccc.ccc.229 eq https
access-list outside permit tcp any host ccc.ccc.ccc.229 eq smtp
access-list outside permit udp any ccc.ccc.ccc.0 255.255.255.0 eq domain
access-list outside permit tcp any ccc.ccc.ccc.0 255.255.255.0 eq domain
access-list outside permit tcp any host ccc.ccc.ccc.129 eq 3389
access-list outside permit tcp any host ccc.ccc.ccc.229 eq 3389
access-list outside permit tcp any host ccc.ccc.ccc.231 eq pop3
access-list outside permit tcp any host ccc.ccc.ccc.231 eq www
access-list outside permit tcp any host ccc.ccc.ccc.231 eq smtp
access-list outside permit tcp any host ccc.ccc.ccc.231 eq 6000
access-list outside permit tcp any host ccc.ccc.ccc.221 eq www
access-list outside permit tcp host 24.0.193.244 host ccc.ccc.ccc.220 eq pcanywhere-data
access-list outside permit udp host 24.0.193.244 host ccc.ccc.ccc.220 eq pcanywhere-status
access-list outside permit tcp host 24.0.193.244 host ccc.ccc.ccc.221 eq pcanywhere-data
access-list outside permit udp host 24.0.193.244 host ccc.ccc.ccc.221 eq pcanywhere-status
access-list outside permit tcp host 24.0.193.244 host ccc.ccc.ccc.222 eq pcanywhere-data
access-list outside permit udp host 24.0.193.244 host ccc.ccc.ccc.222 eq pcanywhere-status
access-list outside permit tcp host 24.0.193.244 host ccc.ccc.ccc.220 eq 1433
access-list outside permit tcp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.220 eq pcanywhere-data
access-list outside permit udp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.220 eq pcanywhere-status
access-list outside permit tcp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.220 eq 1433
access-list outside permit udp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.221 eq pcanywhere-status
access-list outside permit tcp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.222 eq 1433
access-list outside permit udp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.222 eq pcanywhere-status
access-list outside permit tcp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.221 eq pcanywhere-data
access-list outside permit tcp 204.96.5.0 255.255.255.0 host ccc.ccc.ccc.222 eq pcanywhere-data
access-list outside permit tcp host 162.40.239.129 host ccc.ccc.ccc.220 eq pcanywhere-data
access-list outside permit tcp host 162.40.239.129 host ccc.ccc.ccc.221 eq pcanywhere-data
access-list outside permit tcp host 162.40.239.129 host ccc.ccc.ccc.222 eq pcanywhere-data
access-list outside permit udp host 162.40.239.129 host ccc.ccc.ccc.220 eq pcanywhere-status
access-list outside permit udp host 162.40.239.129 host ccc.ccc.ccc.221 eq pcanywhere-status
access-list outside permit udp host 162.40.239.129 host ccc.ccc.ccc.222 eq pcanywhere-status
access-list outside permit tcp host 162.40.239.129 host ccc.ccc.ccc.220 eq 1433
access-list outside permit tcp host 162.40.239.129 host ccc.ccc.ccc.222 eq 1433
access-list outside deny ip any any
access-list dmz permit tcp host bbb.bbb.bbb.11 host aaa.aaa.aaa.70
access-list dmz permit udp host bbb.bbb.bbb.11 host aaa.aaa.aaa.70
access-list dmz permit tcp host bbb.bbb.bbb.11 host aaa.aaa.aaa.80 eq netbios-ssn
access-list dmz permit tcp host bbb.bbb.bbb.13 host aaa.aaa.aaa.70 eq netbios-ssn
access-list dmz permit udp host bbb.bbb.bbb.12 host aaa.aaa.aaa.70
access-list dmz permit udp host bbb.bbb.bbb.12 host aaa.aaa.aaa.80
access-list dmz permit tcp host bbb.bbb.bbb.14 host aaa.aaa.aaa.70
access-list dmz permit udp host bbb.bbb.bbb.14 host aaa.aaa.aaa.70
access-list dmz permit tcp host bbb.bbb.bbb.24 host aaa.aaa.aaa.70
access-list dmz permit udp host bbb.bbb.bbb.24 host aaa.aaa.aaa.70
access-list dmz permit tcp host bbb.bbb.bbb.12 host aaa.aaa.aaa.78
access-list dmz permit tcp host bbb.bbb.bbb.24 host aaa.aaa.aaa.78
access-list 101 permit ip aaa.aaa.aaa.0 255.255.255.0 bbb.bbb.bbb.0 255.255.255.0
access-list 101 permit ip ddd.ddd.ddd.0 255.255.255.0 bbb.bbb.bbb.0 255.255.255.0
access-list 101 permit ip aaa.aaa.aaa.0 255.255.255.0 host 192.168.12.5
access-list 101 permit ip ddd.ddd.ddd.0 255.255.255.0 host 192.168.12.5
access-list inside permit tcp aaa.aaa.aaa.0 255.255.255.0 bbb.bbb.bbb.0 255.255.255.0
access-list inside permit tcp aaa.aaa.aaa.0 255.255.255.0 216.74.134.0 255.255.255.0
access-list inside permit tcp ddd.ddd.ddd.0 255.255.255.0 bbb.bbb.bbb.0 255.255.255.0
access-list inside permit ip any any
pager lines 24
logging on
logging buffered warnings
logging queue 2000
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 100basetx
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside ccc.ccc.ccc.252 255.255.255.128
ip address inside aaa.aaa.aaa.1 255.255.255.0
ip address dmz bbb.bbb.bbb.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.12.5
pdm history enable
arp timeout 14400
global (outside) 1 ccc.ccc.ccc.251
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) ccc.ccc.ccc.231 bbb.bbb.bbb.13 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.129 bbb.bbb.bbb.14 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.14 172.24.2.52 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.250 bbb.bbb.bbb.11 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.212 bbb.bbb.bbb.12 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.229 bbb.bbb.bbb.24 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.220 bbb.bbb.bbb.220 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.221 bbb.bbb.bbb.221 netmask 255.255.255.255 0 0
static (dmz,outside) ccc.ccc.ccc.222 bbb.bbb.bbb.222 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 ccc.ccc.ccc.253 1
route dmz 172.24.0.0 255.255.0.0 bbb.bbb.bbb.1 1
route inside ddd.ddd.ddd.0 255.255.255.0 aaa.aaa.aaa.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host aaa.aaa.aaa.70 XXXXXX timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server aaa.aaa.aaa.70
vpngroup vpn3000 wins-server aaa.aaa.aaa.70
vpngroup vpn3000 default-domain XXXXXXX.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********

Expert Comment

by:grblades
ID: 11680048
I would suggest that you configure a split-tunnel so that all traffic for your internal network goes over the VPN but connections to the public IP address of the machines in the DMZ don't go over the VPN. This will save you having two configurations (one for accessing directly and one for over the VPN).

Author Comment

by:dgarza96
ID: 11680721
Can you suggest how to do this? I really appreciate it.

Thanks,

Danny

Accepted Solution

by:grblades (earned 500 total points)
ID: 11681333
Try adding this to the configuration :-

access-list splitTunnelAcl permit ip aaa.aaa.aaa.0 255.255.255.0 any
access-list splitTunnelAcl permit ip ddd.ddd.ddd.0 255.255.255.0 any
vpngroup vpn3000 split-tunnel splitTunnelAcl


P.S. Did you know that you can use your RADIUS server to issue ACLs to each individual user's VPN session, so you can control what each user can access on the internal network?
Have a look at my webpage for more information if you are interested :-
http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html

Author Comment

by:dgarza96
ID: 11714778
Thanks for the suggestions. I enabled the split tunnel and can now access the internet while connected to the VPN; however, I cannot access my mail server, which is located on the DMZ. I can send you the config if you want, without all of the confusing a's and b's for IP addresses.

Thanks for all of your help

Expert Comment

by:grblades
ID: 11715611
How are you trying to access the mail server?
You should be accessing it via the external IP address.

Feel free to post your configuration and I will have a look.

Author Comment

by:dgarza96
ID: 11715699
When I am at my office my DNS server resolves my mail server to 192.168.x.x. When I am out of the office it resolves to my external public address. When I connect via VPN my DNS is trying to access it via the 192.168.x.x address. How can I get around this?

Thanks for your quick response!

Expert Comment

by:grblades
ID: 11716132
I run a Linux DNS server and I got around it by configuring 'views' in the BIND configuration so that it issues different results depending on which machine is requesting the information.

In named.conf I have something like :-

// Views are matched in the order they appear, so the internal view must come
// before the catch-all "external" view.
view "internal" {
    // This should match our internal networks.
    match-clients { 10.0.0.0/8; 127.0.0.0/8; };
    zone "." {
        type hint;
        file "root.hints";
    };
    zone "mydomain.com" {
        type master;
        file "mydomain-internal.zone";   // internal (private) addresses
    };
    zone "0.10.in-addr.arpa" in {
        type master;
        file "10.0.zone";
    };
};

view "external" {
    // This should match other networks (vpn)
    match-clients { any; };
    zone "." {
        type hint;
        file "root.hints";
    };
    zone "mydomain.com" {
        type master;
        file "mydomain-vpn.zone";        // public addresses for VPN clients
    };
    zone "0.10.in-addr.arpa" in {
        type master;
        file "10.0.zone";
    };
};
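As an added illustration of grblades' two suggestions (the split-tunnel ACL in the accepted solution and the split-horizon DNS views above), not code from this thread: a small Python model that resolves the mail server the way each view would and then classifies where a split-tunnel VPN client's packet goes. The networks, the mail server addresses and the zone name are constructed stand-ins for the masked values in the posted config.

```python
import ipaddress

# Constructed stand-ins for the page's masked networks, not the poster's real addresses.
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")     # aaa.aaa.aaa.0/24, the inside LAN
REMOTE_NET = ipaddress.ip_network("10.3.3.0/24")     # ddd.ddd.ddd.0/24, routed via inside
MAIL_DMZ = ipaddress.ip_address("192.168.50.13")     # DMZ-side address of the mail server
MAIL_PUBLIC = ipaddress.ip_address("203.0.113.231")  # its static-mapped public address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# vpngroup vpn3000 split-tunnel splitTunnelAcl: only these destinations enter the tunnel.
SPLIT_TUNNEL_ACL = [INSIDE_NET, REMOTE_NET]

# BIND-style views as (name, match-clients, answers). Views are tried in order and the
# first whose match-clients contains the querying client wins, so the catch-all goes last.
SPLIT_HORIZON = [
    ("internal", [INSIDE_NET, ipaddress.ip_network("127.0.0.0/8")],
     {"mail.mydomain.com": MAIL_DMZ}),
    ("external", [ipaddress.ip_network("0.0.0.0/0")],
     {"mail.mydomain.com": MAIL_PUBLIC}),
]
# One zone with no views: every client, VPN included, gets the internal answer.
NO_VIEWS = [("internal", [ipaddress.ip_network("0.0.0.0/0")],
             {"mail.mydomain.com": MAIL_DMZ})]

def resolve(client_ip, name, views=SPLIT_HORIZON):
    """Return (view name, answer) from the first view whose match-clients fits client_ip."""
    client = ipaddress.ip_address(client_ip)
    for view_name, match_clients, answers in views:
        if any(client in net for net in match_clients):
            return view_name, answers.get(name)
    return None, None

def tunneled(dst_ip, acl=SPLIT_TUNNEL_ACL):
    """True if the split-tunnel ACL sends traffic for dst_ip through the VPN."""
    return any(ipaddress.ip_address(dst_ip) in net for net in acl)

def vpn_client_path(dst_ip):
    """Classify where a split-tunnel VPN client's packet to dst_ip ends up."""
    dst = ipaddress.ip_address(dst_ip)
    if tunneled(str(dst)):
        return "tunnel"
    if any(dst in net for net in RFC1918):
        return "unroutable"  # private address sent out the local interface: nowhere to go
    return "direct"          # public address: reaches the PIX static from the outside

def vpn_mail_path(vpn_client_ip, views=SPLIT_HORIZON):
    """Resolve the mail server as the VPN client would, then classify the resulting path."""
    view, answer = resolve(vpn_client_ip, "mail.mydomain.com", views)
    return view, str(answer), vpn_client_path(str(answer))
```

Passing NO_VIEWS, or the views in the wrong order, reproduces the failure described in the thread: the VPN client receives the DMZ address, which is neither tunneled nor routable from the client's side.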

Author Comment

by:dgarza96
ID: 11716216
What about using MS DNS?

Expert Comment

by:grblades
ID: 11718001
I haven't used MS DNS for over 4 years, so I cannot really help. If it does not support this feature then you might have to set up a second DNS server for use by the VPN users only.

Author Comment

by:dgarza96
ID: 11726023
I have installed a second DNS server dedicated to the VPN clients.  I tried it out last night and everything worked great.

Thanks for your help grblades.  I am awarding you all points!

Danny