jss1199 asked:
PIX 515 Configuration

We are using a PIX 515 and I would like to configure it to allow VPN users access to the DMZ servers (204.253.206.xxx). They currently have access to inside and outside. Could someone help with this? Related config is below.

I would also like to configure inside users to RDP into VPN users.  Is this possible?

access-list outside_dmz deny tcp any any eq 445
access-list outside_dmz permit tcp any host xx.xxx.xxx.210 eq smtp
access-list outside_dmz permit tcp any host xx.xxx.xxx.210 eq pop3
access-list outside_dmz permit tcp any host xx.xxx.xxx.210 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.211 eq smtp
access-list outside_dmz permit tcp any host xx.xxx.xxx.211 eq pop3
access-list outside_dmz permit tcp any host xx.xxx.xxx.211 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.195 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.196 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.197 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.198 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.199 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.200 eq www
access-list outside_dmz permit tcp any host 204.253.206.16 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.253 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.203 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.204 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.205 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.206 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.207 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.216 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.210 eq 6129
access-list outside_dmz permit tcp any host xx.xxx.xxx.195 eq 6129
access-list outside_dmz permit tcp any host xx.xxx.xxx.253 eq 6129
access-list outside_dmz permit udp any any eq domain
access-list outside_dmz permit tcp any host xx.xxx.xxx.222 eq 3389
access-list dmz_access_in permit udp any any
access-list dmz_access_in permit tcp any any
access-list dmz_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.22
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.192 255.255.255.22
access-list outside_cryptomap_dyn_40 permit ip any 192.168.1.192 255.255.255.22
access-list split permit ip 192.168.1.0 255.255.255.0 any
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-out deny tcp any any eq 445
access-list inside-out permit ip any any

global (outside) 10 xx.xxx.xxx.221
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
alias (inside) xx.xxx.xxx.196 204.253.206.11 255.255.255.255
alias (inside) xx.xxx.xxx.197 204.253.206.12 255.255.255.255
alias (inside) xx.xxx.xxx.198 204.253.206.13 255.255.255.255
alias (inside) xx.xxx.xxx.199 204.253.206.14 255.255.255.255
alias (inside) xx.xxx.xxx.200 204.253.206.15 255.255.255.255
alias (inside) xx.xxx.xxx.215 204.253.206.16 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) xx.xxx.xxx.210 204.253.206.30 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.211 204.253.206.31 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.195 204.253.206.10 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.196 204.253.206.11 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.197 204.253.206.12 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.198 204.253.206.13 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.199 204.253.206.14 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.200 204.253.206.15 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.215 204.253.206.16 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.202 204.253.206.20 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.203 204.253.206.21 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.204 204.253.206.22 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.205 204.253.206.23 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.206 204.253.206.24 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.207 204.253.206.25 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.216 204.253.206.26 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.222 204.253.206.50 netmask 255.255.255.255 0 0
access-group outside_dmz in interface outside
access-group inside-out in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.193 1
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication xxx
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup SRI address-pool xxx
vpngroup SRI dns-server 192.168.1.4 192.168.1.5
vpngroup SRI default-domain xxx.com
vpngroup SRI split-tunnel split
vpngroup SRI idle-time 1800
vpngroup SRI password ********
Les Moore replied:
Try adding:
nat (dmz) 0 access-list nonat

Assuming that this is your VPN address pool:
192.168.1.192 255.255.255.22 <-- missing something at the end?

What is your inside LAN subnet? Same 192.168.1.x ?



jss1199 (asker) replied:
The VPN pool is:
ip local pool xxx_VPN 192.168.1.201-192.168.1.210

The inside LAN is also 192.168.1.x

I'll try adding the nat statement
jss1199 (asker) replied:

lrmoore - After adding the nat (dmz) 0 access-list nonat and connecting to the VPN, I still cannot access DMZ servers.
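An added example, not part of the thread and not written by the asker or by Les Moore: the PIX 6.x fragment I would apply on top of the posted config, with the reasoning in the comments. Values that are assumed rather than taken from the page: the DMZ subnet is 204.253.206.0/24; the VPN-pool mask is 255.255.255.224 (the posted line is cut off, and 192.168.1.192/27 is the /27 that contains 192.168.1.201-.210); and 192.168.2.0/24 is a replacement pool for the second question. The pool name xxx_VPN and the vpngroup name SRI are the ones posted.

```cisco
! Added example (not from the thread): corrections on top of the posted PIX 6.x config.
! Assumed, not on the page: DMZ subnet 204.253.206.0/24; pool mask 255.255.255.224
! (posted mask is truncated; 192.168.1.192/27 contains 192.168.1.201-.210).

! --- VPN clients -> DMZ servers ----------------------------------------------
! (a) Split tunnelling: the client sends only destinations listed in the "split" ACL
!     through the tunnel. 192.168.1.0/24 is listed, 204.253.206.0/24 is not, so
!     DMZ-bound packets leave via the client's own Internet link and never arrive
!     at the PIX inside the tunnel.
access-list split permit ip 204.253.206.0 255.255.255.0 any

! (b) NAT exemption on the DMZ side. "nat (dmz) 0 access-list nonat" changes nothing,
!     because nonat matches 192.168.1.0/24 sources only and no DMZ host has such an
!     address. A nat 0 ACL is applied in both directions, so this entry also lets the
!     pool (on the lower-security outside) open connections to the real 204.253.206.x
!     addresses without a static.
access-list dmz_nonat permit ip 204.253.206.0 255.255.255.0 192.168.1.192 255.255.255.224
nat (dmz) 0 access-list dmz_nonat
clear xlate

! Nothing else is needed for this direction: outside_cryptomap_dyn_40 (any -> pool)
! already selects DMZ-to-pool traffic for encryption, "sysopt connection permit-ipsec"
! exempts decrypted traffic from the outside ACL, and dmz_access_in permits the replies.

! --- Inside users -> VPN clients (RDP) ---------------------------------------
! inside-out permits it, nonat exempts 192.168.1.x -> 192.168.1.201-.210 from NAT and
! the crypto ACL selects it, but the pool overlaps the inside LAN: an inside host ARPs
! for 192.168.1.201 on its own segment, and "sysopt noproxyarp inside" stops the PIX
! answering, so the packets never reach the firewall. Moving the pool off the LAN
! avoids this. The default route (outside) carries 192.168.2.0/24 to the crypto map,
! so no extra route is needed. A pool in use cannot be edited; disconnect clients first.
no ip local pool xxx_VPN 192.168.1.201-192.168.1.210
ip local pool xxx_VPN 192.168.2.1-192.168.2.50
vpngroup SRI address-pool xxx_VPN
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list dmz_nonat permit ip 204.253.206.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.2.0 255.255.255.0
```

After a client reconnects, `show crypto ipsec sa` should show the encaps/decaps counters rising for the DMZ and inside subnets, and `show xlate` should show no translation for the pool addresses. Separately from the reachability problem, `esp-des esp-md5-hmac` with DH group 2 is well below current minimums; use 3DES or AES with SHA where the PIX image and licence allow.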
ASKER CERTIFIED SOLUTION (Les Moore): only available to Experts Exchange members.