Solved

DMZ Access over VPN

Posted on 2004-08-30
9
406 Views
Last Modified: 2013-11-16
Here is the problem.

We have our DMZ on our Second Pix Firewall group.  We have a VPN that connects our 2 facilities using Cisco VPN Concentrators.  We can not get the VPN Traffic to route to the DMZ of the firewall.  Any ideas where the routing needs to be set up?  When doing a tracert we start loosing packets at the vpn.  When doing a tracert to the internat IP of the firewall, if makes it through?
0
Comment
Question by:thepilo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11935896
How is your VPN concentrator set up, with independent Internet access, or behind the PIX FW?

Internet
   |        |
 VPN    PIX - DMZ
   |____|
       |
     LAN

Does the VPN concentrator have a static route to the DMZ subnet pointing to the PIX?
Have you thought about enabling OSPF between the VPN 3000 and the PIX?

0
 
LVL 1

Author Comment

by:thepilo
ID: 11935950
The VPN is behind another PIX firewall that get's it to the out side.

Here is the setup

Our Side
T1-1    T1-2
 |           |
PIX        PIX ---DMZ
 |          |
 VPN      |
 |           |
 Switch--|

Remote Side

 T1
  |
 Pix
  |
 VPN
  |
Users
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11936048
The VPN 3000 on Your side should have a static route for the DMZ subnet pointing to the #2 PIX
PIX #2 with the DMZ should have a route statement for the remote side subnet pointing to the VPN..

Do you have networks defined that includes the DMZ subnet for inclusion inside the VPN tunnel?
Does the VPN concentrator on the remote side include the local-to-DMZ subnet traffic in the tunnel definitions?
Does the VPN concentrator at your end include the DMZ subnet-to-remote subnet traffic in the tunnel definitions?
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 1

Author Comment

by:thepilo
ID: 11936436
The VPN on our side has the followring route

192.168.14.0/255.255.255.0(IP subnet of DMZ) ->10.1.100.9 (Internal IP of PIX2)

The VPN Tunnel has it's own DMZ setup 192.168.11.0 for here, and 192.168.21.0 for remote site



0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 11936585
The remote VPN concentrator must have the DMZ subnet in it's tunnel config:
i.e. traffic from 192.168.21.0 to 192.168.14.0 must be defined in the remote concentrator for the tunnel

Conversely, the VPN concentrator at your end needs to have the traffic from 192.168.14.0 to 192.168.21.0 defined as tunnel traffic.

And, the PIX2 must have a static route for 192.168.21.0 pointing to the VPN internal IP 10.1.100.x

0
 
LVL 1

Author Comment

by:thepilo
ID: 11941201
We have set 192.168.14.0 in network lists under policy management.  We have a route on the local vpn for 192.168.14.0 -> 10.1.100.9  

The web server has a static route for 10.2.100.0 to the 192.168.14.1 firewall.  The switch has a route from all traffic on 10.1.100.0 to go to the local VPN 10.1.100.15

Not sure what I am missing....
0
 

Expert Comment

by:jaysonjennings
ID: 11949263
Perform a debug packet inside on PIX2 for traffic destined towards the DMZ from the source of the remote network.  Thus get you some visibility;
If you have version 4 of the VPN conc code, you can perform a traceroute to determine the VPN knows the location of the DMZ.  As lrmoore indicates, OSPF would be a nice solution.
0
 
LVL 1

Author Comment

by:thepilo
ID: 11968612
We have goe the solution.  There was no static allowing traffic from the DMZ back to the 10.2.x.x network.  We have added that, and are good to go for that network.  We have one last issue of adding the 192.168.14.0/24 network to a 506E firewall/VPN   And idea on how to set the network list like you can in the concentrator under policy management?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11968788
You add it to the access-list called out in the "match access-list xxxx" under the crytpo map
0

Featured Post

How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question