Re: [fw-wiz] VPN/DMZ problem

Hi Ian,

What revision are you running? If 6.3, then make sure that there is a 'nat 0 access-list nonat'. This matches the ACL/ACLs below, depending on how many you need to build for nonat. You need a nat 0 statement above for each interface matching the nonat access-list. If this is 6.3 then you will have to work with the nat 0 nonat and nat <interface> 1 to make sure the regular traffic can still get to where it needs to go, i.e. the internet.

If it is 7.x and above, then you have several choices, many of which are the same here, if you choose to have nat control turned on (off by default) and the sysopt permit-ipsec on or off. If you choose to have it on, then the configuration is the same as 6.3. If you have it off, then you need ACLs on the outside interface for incoming traffic. One last note: don't forget ACLs on the ingress inside interfaces if you want bi-directional traffic.

access-list nonat permit ip <dmz subnet> - and so on

Chris Myers

John 1:17
For the Law was given through Moses; grace and truth were realized through Jesus Christ.


Go Vols!!!!
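To make the advice above concrete, here is an added worked configuration that is not part of the original reply or of either poster's config. It assumes hypothetical addresses: a VPN pool of 10.99.0.0/24, LAN 192.168.10.0/24, DMZ (perimeter) 172.16.50.0/24 and inner DMZ (innerperimeter) 172.16.75.0/24, using Ian's interface names. The first part is PIX 6.3 syntax with one nonat ACL per interface; the second part shows what changes on 7.x when the IPsec bypass is turned off and the decrypted traffic has to pass the outside interface ACL instead.

```cisco
! ---- PIX 6.3: exempt VPN-pool traffic from NAT on EVERY interface ----
! Assumed addresses (example only, not from the original thread):
!   VPN pool 10.99.0.0/24, LAN 192.168.10.0/24,
!   DMZ 172.16.50.0/24, inner DMZ 172.16.75.0/24
ip local pool vpnpool 10.99.0.1-10.99.0.254

! One nonat ACL per interface; source is the local subnet, destination the pool.
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.99.0.0 255.255.255.0
access-list nonat_dmz permit ip 172.16.50.0 255.255.255.0 10.99.0.0 255.255.255.0
access-list nonat_innerdmz permit ip 172.16.75.0 255.255.255.0 10.99.0.0 255.255.255.0

! nat 0 on the interface the hosts live behind. Without the two DMZ entries,
! return traffic from DMZ hosts is still PATed to the outside address and the
! VPN clients never see it, which is the symptom described in the question.
nat (inside) 0 access-list nonat
nat (perimeter) 0 access-list nonat_dmz
nat (innerperimeter) 0 access-list nonat_innerdmz

! Ordinary Internet-bound traffic still needs a regular NAT/global pair.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (perimeter) 1 0.0.0.0 0.0.0.0
nat (innerperimeter) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Let decrypted IPsec traffic bypass the interface ACL check on outside.
sysopt connection permit-ipsec

! ---- PIX/ASA 7.x with the IPsec bypass OFF ----
! Assumption: on 7.2 and later the sysopt keyword is permit-vpn rather than
! permit-ipsec; with it disabled, decrypted traffic is subject to the outside
! interface ACL, so the VPN pool must be permitted explicitly.
no sysopt connection permit-vpn
access-list outside_in extended permit ip 10.99.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_in extended permit ip 10.99.0.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list outside_in extended permit ip 10.99.0.0 255.255.255.0 172.16.75.0 255.255.255.0
access-group outside_in in interface outside

! If an access-group is already applied inbound on a DMZ interface, its
! implicit deny also blocks replies/initiations toward the pool, so permit
! them there too (the "ingress inside interfaces" point above).
access-list dmz_in extended permit ip 172.16.50.0 255.255.255.0 10.99.0.0 255.255.255.0
access-group dmz_in in interface perimeter
```

Checks worth running afterwards: `show access-list nonat_dmz` should show hit counts climbing while a VPN client talks to a DMZ host, `show xlate` should show no translation for the pool addresses, and on 7.x `show run sysopt` confirms which bypass mode is actually in effect before you decide whether the outside ACL is needed.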

On Sep 2, 2008, at 5:06 AM, Ian Rarity wrote:


We're having a problem with our VPN; we have a PIX 515E with 4

Inside (security100) - Our internal LAN,
Outside (security0) - The Internet
Perimeter (security50) - DMZ,
Innerperimeter (security75) - "Inner" DMZ,

The VPN is a certificate/token-based set up, with VPN users being
assigned addresses from (don't ask me about the weird
addressing scheme; it was like that when I got here).

The problem we're having is that VPN users can't access hosts in either
of the DMZs, although they can see LAN hosts just fine. I'm assuming
that this is because the VPN traffic is coming in through the PIX's
"outside" interface, and the usual rule about traffic from interfaces
with a lower security level going to an interface with a higher one is

I've tried to override this with another access list, by "nat 0"-ing
the two DMZ interfaces, but external VPN users still can't see hosts in
the DMZs. Obviously I'm screwing up somewhere, but I'd be very grateful
if someone could tell me how.


Private and Confidential: This e-mail transmission is strictly
confidential and intended solely for the addressee. It may contain
privileged and confidential information and if you are not the
intended recipient, you must not copy, disclose, distribute or
take any action in reliance on it. If you have received this
e-mail in error, please delete it and notify our E-mail Systems
Administrator on +44 (0) 131 624 8000. ESPC (UK) Ltd does not
accept any liability for any harm that may be caused to the
recipient's system or data by this message or any attachment.

ESPC (UK) Ltd is a company registered under the Companies
Acts in Scotland (Registered Number SC203535), and having its
registered office at 90A George Street, Edinburgh, Midlothian
EH2 3DF.

ESPC (UK) Limited is authorised and regulated by the Financial
Services Authority.
firewall-wizards mailing list
