Solved

DMZ Access over VPN

Posted on 2004-08-30
9
405 Views
Last Modified: 2013-11-16
Here is the problem.

We have our DMZ on our Second Pix Firewall group.  We have a VPN that connects our 2 facilities using Cisco VPN Concentrators.  We can not get the VPN Traffic to route to the DMZ of the firewall.  Any ideas where the routing needs to be set up?  When doing a tracert we start loosing packets at the vpn.  When doing a tracert to the internat IP of the firewall, if makes it through?
0
Comment
Question by:thepilo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11935896
How is your VPN concentrator set up, with independent Internet access, or behind the PIX FW?

Internet
   |        |
 VPN    PIX - DMZ
   |____|
       |
     LAN

Does the VPN concentrator have a static route to the DMZ subnet pointing to the PIX?
Have you thought about enabling OSPF between the VPN 3000 and the PIX?

0
 
LVL 1

Author Comment

by:thepilo
ID: 11935950
The VPN is behind another PIX firewall that get's it to the out side.

Here is the setup

Our Side
T1-1    T1-2
 |           |
PIX        PIX ---DMZ
 |          |
 VPN      |
 |           |
 Switch--|

Remote Side

 T1
  |
 Pix
  |
 VPN
  |
Users
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11936048
The VPN 3000 on Your side should have a static route for the DMZ subnet pointing to the #2 PIX
PIX #2 with the DMZ should have a route statement for the remote side subnet pointing to the VPN..

Do you have networks defined that includes the DMZ subnet for inclusion inside the VPN tunnel?
Does the VPN concentrator on the remote side include the local-to-DMZ subnet traffic in the tunnel definitions?
Does the VPN concentrator at your end include the DMZ subnet-to-remote subnet traffic in the tunnel definitions?
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 1

Author Comment

by:thepilo
ID: 11936436
The VPN on our side has the followring route

192.168.14.0/255.255.255.0(IP subnet of DMZ) ->10.1.100.9 (Internal IP of PIX2)

The VPN Tunnel has it's own DMZ setup 192.168.11.0 for here, and 192.168.21.0 for remote site



0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 11936585
The remote VPN concentrator must have the DMZ subnet in it's tunnel config:
i.e. traffic from 192.168.21.0 to 192.168.14.0 must be defined in the remote concentrator for the tunnel

Conversely, the VPN concentrator at your end needs to have the traffic from 192.168.14.0 to 192.168.21.0 defined as tunnel traffic.

And, the PIX2 must have a static route for 192.168.21.0 pointing to the VPN internal IP 10.1.100.x

0
 
LVL 1

Author Comment

by:thepilo
ID: 11941201
We have set 192.168.14.0 in network lists under policy management.  We have a route on the local vpn for 192.168.14.0 -> 10.1.100.9  

The web server has a static route for 10.2.100.0 to the 192.168.14.1 firewall.  The switch has a route from all traffic on 10.1.100.0 to go to the local VPN 10.1.100.15

Not sure what I am missing....
0
 

Expert Comment

by:jaysonjennings
ID: 11949263
Perform a debug packet inside on PIX2 for traffic destined towards the DMZ from the source of the remote network.  Thus get you some visibility;
If you have version 4 of the VPN conc code, you can perform a traceroute to determine the VPN knows the location of the DMZ.  As lrmoore indicates, OSPF would be a nice solution.
0
 
LVL 1

Author Comment

by:thepilo
ID: 11968612
We have goe the solution.  There was no static allowing traffic from the DMZ back to the 10.2.x.x network.  We have added that, and are good to go for that network.  We have one last issue of adding the 192.168.14.0/24 network to a 506E firewall/VPN   And idea on how to set the network list like you can in the concentrator under policy management?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11968788
You add it to the access-list called out in the "match access-list xxxx" under the crytpo map
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question