Solved

DMZ Access over VPN

Posted on 2004-08-30
9
398 Views
Last Modified: 2013-11-16
Here is the problem.

We have our DMZ on our Second Pix Firewall group.  We have a VPN that connects our 2 facilities using Cisco VPN Concentrators.  We can not get the VPN Traffic to route to the DMZ of the firewall.  Any ideas where the routing needs to be set up?  When doing a tracert we start loosing packets at the vpn.  When doing a tracert to the internat IP of the firewall, if makes it through?
0
Comment
Question by:thepilo
  • 4
  • 4
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11935896
How is your VPN concentrator set up, with independent Internet access, or behind the PIX FW?

Internet
   |        |
 VPN    PIX - DMZ
   |____|
       |
     LAN

Does the VPN concentrator have a static route to the DMZ subnet pointing to the PIX?
Have you thought about enabling OSPF between the VPN 3000 and the PIX?

0
 
LVL 1

Author Comment

by:thepilo
ID: 11935950
The VPN is behind another PIX firewall that get's it to the out side.

Here is the setup

Our Side
T1-1    T1-2
 |           |
PIX        PIX ---DMZ
 |          |
 VPN      |
 |           |
 Switch--|

Remote Side

 T1
  |
 Pix
  |
 VPN
  |
Users
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11936048
The VPN 3000 on Your side should have a static route for the DMZ subnet pointing to the #2 PIX
PIX #2 with the DMZ should have a route statement for the remote side subnet pointing to the VPN..

Do you have networks defined that includes the DMZ subnet for inclusion inside the VPN tunnel?
Does the VPN concentrator on the remote side include the local-to-DMZ subnet traffic in the tunnel definitions?
Does the VPN concentrator at your end include the DMZ subnet-to-remote subnet traffic in the tunnel definitions?
0
 
LVL 1

Author Comment

by:thepilo
ID: 11936436
The VPN on our side has the followring route

192.168.14.0/255.255.255.0(IP subnet of DMZ) ->10.1.100.9 (Internal IP of PIX2)

The VPN Tunnel has it's own DMZ setup 192.168.11.0 for here, and 192.168.21.0 for remote site



0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 11936585
The remote VPN concentrator must have the DMZ subnet in it's tunnel config:
i.e. traffic from 192.168.21.0 to 192.168.14.0 must be defined in the remote concentrator for the tunnel

Conversely, the VPN concentrator at your end needs to have the traffic from 192.168.14.0 to 192.168.21.0 defined as tunnel traffic.

And, the PIX2 must have a static route for 192.168.21.0 pointing to the VPN internal IP 10.1.100.x

0
 
LVL 1

Author Comment

by:thepilo
ID: 11941201
We have set 192.168.14.0 in network lists under policy management.  We have a route on the local vpn for 192.168.14.0 -> 10.1.100.9  

The web server has a static route for 10.2.100.0 to the 192.168.14.1 firewall.  The switch has a route from all traffic on 10.1.100.0 to go to the local VPN 10.1.100.15

Not sure what I am missing....
0
 

Expert Comment

by:jaysonjennings
ID: 11949263
Perform a debug packet inside on PIX2 for traffic destined towards the DMZ from the source of the remote network.  Thus get you some visibility;
If you have version 4 of the VPN conc code, you can perform a traceroute to determine the VPN knows the location of the DMZ.  As lrmoore indicates, OSPF would be a nice solution.
0
 
LVL 1

Author Comment

by:thepilo
ID: 11968612
We have goe the solution.  There was no static allowing traffic from the DMZ back to the 10.2.x.x network.  We have added that, and are good to go for that network.  We have one last issue of adding the 192.168.14.0/24 network to a 506E firewall/VPN   And idea on how to set the network list like you can in the concentrator under policy management?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11968788
You add it to the access-list called out in the "match access-list xxxx" under the crytpo map
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now