PIX 515 Configuration

We are using a PIX 515 and I would like to configure it to allow VPN users access to the DMZ servers (204.253.206.xxx) - they currently have access to inside and outside. Could someone help with this? The related config is below.

I would also like to configure inside users to RDP into VPN users.  Is this possible?

access-list outside_dmz deny tcp any any eq 445
access-list outside_dmz permit tcp any host xx.xxx.xxx.210 eq smtp
access-list outside_dmz permit tcp any host xx.xxx.xxx.210 eq pop3
access-list outside_dmz permit tcp any host xx.xxx.xxx.210 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.211 eq smtp
access-list outside_dmz permit tcp any host xx.xxx.xxx.211 eq pop3
access-list outside_dmz permit tcp any host xx.xxx.xxx.211 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.195 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.196 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.197 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.198 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.199 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.200 eq www
access-list outside_dmz permit tcp any host 204.253.206.16 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.253 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.203 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.204 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.205 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.206 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.207 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.216 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.210 eq 6129
access-list outside_dmz permit tcp any host xx.xxx.xxx.195 eq 6129
access-list outside_dmz permit tcp any host xx.xxx.xxx.253 eq 6129
access-list outside_dmz permit udp any any eq domain
access-list outside_dmz permit tcp any host xx.xxx.xxx.222 eq 3389
access-list dmz_access_in permit udp any any
access-list dmz_access_in permit tcp any any
access-list dmz_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.22
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.192 255.255.255.22
access-list outside_cryptomap_dyn_40 permit ip any 192.168.1.192 255.255.255.22
access-list split permit ip 192.168.1.0 255.255.255.0 any
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-out deny tcp any any eq 445
access-list inside-out permit ip any any

global (outside) 10 xx.xxx.xxx.221
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
alias (inside) xx.xxx.xxx.196 204.253.206.11 255.255.255.255
alias (inside) xx.xxx.xxx.197 204.253.206.12 255.255.255.255
alias (inside) xx.xxx.xxx.198 204.253.206.13 255.255.255.255
alias (inside) xx.xxx.xxx.199 204.253.206.14 255.255.255.255
alias (inside) xx.xxx.xxx.200 204.253.206.15 255.255.255.255
alias (inside) xx.xxx.xxx.215 204.253.206.16 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) xx.xxx.xxx.210 204.253.206.30 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.211 204.253.206.31 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.195 204.253.206.10 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.196 204.253.206.11 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.197 204.253.206.12 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.198 204.253.206.13 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.199 204.253.206.14 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.200 204.253.206.15 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.215 204.253.206.16 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.202 204.253.206.20 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.203 204.253.206.21 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.204 204.253.206.22 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.205 204.253.206.23 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.206 204.253.206.24 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.207 204.253.206.25 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.216 204.253.206.26 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.222 204.253.206.50 netmask 255.255.255.255 0 0
access-group outside_dmz in interface outside
access-group inside-out in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.193 1
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication xxx
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup SRI address-pool xxx
vpngroup SRI dns-server 192.168.1.4 192.168.1.5
vpngroup SRI default-domain xxx.com
vpngroup SRI split-tunnel split
vpngroup SRI idle-time 1800
vpngroup SRI password ********
jss1199 asked:

lrmoore commented:
I think you may have to change your VPN address pool to be something other than the internal LAN.

If you have it something like 192.168.2.x, then your nat0 access-lists make more sense:

access-list nonat1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat2 permit ip 204.253.206.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat1
nat (dmz) 0 access-list nonat2

Also suggest that you remove this access list from the DMZ interface, since you are permitting everything anyway:
access-list dmz_access_in permit udp any any
access-list dmz_access_in permit tcp any any
access-list dmz_access_in permit icmp any any
no access-group dmz_access_in in interface dmz

lrmoore commented:
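The pieces above put together as one PIX 6.x fragment. This is an added example, not lrmoore's or jss1199's posted config; the pool 192.168.2.0/24 and the pool name vpnpool are assumptions, interface names match the posted config, and it also covers the split-tunnel list, which the posted config limits to 192.168.1.0/24 so client traffic for 204.253.206.x would not enter the tunnel at all.

```text
! Added example (not from the thread). Assumes pool 192.168.2.0/24,
! pool name vpnpool, and the interface names inside / dmz / outside
! from the posted config.

! 1. Pool on its own subnet so it cannot overlap 192.168.1.x hosts
ip local pool vpnpool 192.168.2.1-192.168.2.50
vpngroup SRI address-pool vpnpool

! 2. NAT exemption (nat 0) toward the pool on each interface the
!    VPN clients must reach; one ACL per interface
access-list nonat1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat2 permit ip 204.253.206.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat1
nat (dmz) 0 access-list nonat2

! 3. Split-tunnel list: only the networks named here are sent through
!    the tunnel, so the DMZ network has to be listed next to the LAN
no access-list split permit ip 192.168.1.0 255.255.255.0 any
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split permit ip 204.253.206.0 255.255.255.0 192.168.2.0 255.255.255.0
vpngroup SRI split-tunnel split

! 4. Inside users reaching connected VPN clients (RDP): nonat1 already
!    exempts inside -> pool and inside-out permits ip any any, so the
!    remaining check is the client's own host firewall on TCP 3389.
```

After applying it, check the exemption with `show nat` and the tunnel traffic with `show crypto ipsec sa` from a connected client; the dmz access-group removal from the previous comment is assumed to have been done.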
Try adding:
nat (dmz) 0 access-list nonat

Assuming that this is your VPN address pool:
192.168.1.192 255.255.255.22  <-- missing something at the end?

What is your inside LAN subnet? Same 192.168.1.x?

jss1199 (author) commented:
The VPN pool is:
ip local pool xxx_VPN 192.168.1.201-192.168.1.210

The inside LAN is also 192.168.1.x

I'll try adding the nat statement.

jss1199 (author) commented:
lrmoore - After adding the nat (dmz) 0 access-list nonat and connecting to the VPN, I still cannot access DMZ servers.

lrmoore commented:
Are you still working on this? Do you need more information?
Can you close out this question?
Question has a verified solution.