Re: [fw-wiz] VPN/DMZ problem


If you can get to the LAN resources and not to the DMZ resources, you
would need to check on :

1) Split tunneling : DMZ subnets should be allowed.
2) NAT 0 statement should be configured for traffic between DMZ and pool IP
3) Make sure there is a return route on the destination (just to
check... I understand that the default gateway on the DMZ devices would
be the PIX interface)
4) Check your machine's routing table for any static routes for the
destination subnets conflicting.

Pointers to troubleshoot:
* After connecting the VPN, send continuous ping to the DMZ
destination. Check on the VPN client's statistics if the packets are
getting encrypted. If you do not see the encrypted packets increasing,
then you have a local issue. It is either with the split tunneling subnet
or a route on your local PC. If you can see the encrypted count increasing
... then the next step would be to check on the PIX. Running wireshark
on the virtual adapter will be useful as well.

* Do a 'sh crypto ipsec sa' on the PIX. Check if you see traffic
decrypting. If there is an issue with the return route, you would see
decrypts but no encrypts!

* You can run the 'man-<interface name>' command. By doing
this you can ping the PIX DMZ interface itself and troubleshoot. This
will isolate an issue with the return route etc. on the destination
network. (e.g. in your case it would be man-Perimeter)

Hope this helps. Let me know the results and we will take the next
actions (if needed).
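As an added example (not part of this thread, and not Cisco's tooling), the second pointer's check as a script: it parses 'sh crypto ipsec sa' style output, one record per SA pair, and applies the rule that decrypts with no encrypts point at the return path on the destination side. The sample output and all addresses in it are constructed, not taken from a real PIX.

```python
import re
from typing import Dict, List

# Constructed sample of PIX "sh crypto ipsec sa" output, not a real capture:
# the LAN SA carries traffic both ways, the DMZ SA only decrypts.
SAMPLE_SA_OUTPUT = """\
interface: outside
   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.250.5/255.255.255.255/0/0)
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify 118

   local  ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.250.5/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify 37
"""

LOCAL_IDENT_RE = re.compile(
    r"local\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
ENCRYPT_RE = re.compile(r"#pkts encrypt:\s*(\d+)")
DECRYPT_RE = re.compile(r"#pkts decrypt:\s*(\d+)")


def parse_ipsec_sa(output: str) -> List[Dict[str, object]]:
    """One record per SA pair: PIX-side subnet plus its packet counters."""
    starts = [m.start() for m in LOCAL_IDENT_RE.finditer(output)]
    records = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(output)
        chunk = output[start:end]
        net = LOCAL_IDENT_RE.search(chunk)
        enc = ENCRYPT_RE.search(chunk)
        dec = DECRYPT_RE.search(chunk)
        records.append({
            "local_net": f"{net.group(1)}/{net.group(2)}",
            "encrypt": int(enc.group(1)) if enc else 0,  # PIX -> client
            "decrypt": int(dec.group(1)) if dec else 0,  # client -> PIX
        })
    return records


def diagnose(record: Dict[str, object]) -> str:
    """The rule from the reply: decrypts but no encrypts points at the return path."""
    enc, dec = int(record["encrypt"]), int(record["decrypt"])
    if dec > 0 and enc == 0:
        return "return-path"  # packets arrive, replies never get back to the PIX
    if dec == 0 and enc == 0:
        return "no-traffic"   # nothing decrypted: check client split tunnel/route
    return "ok"
```

Run `diagnose()` over `parse_ipsec_sa()` of the pasted output; a DMZ subnet that comes back "return-path" is the case the reply describes, so the next step is the route or nat 0 on that interface.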


On Thu, Sep 4, 2008 at 10:37 AM, Christopher J. Wargaski
<wargo1@xxxxxxxxx> wrote:
Hey Ian--

Are you using split-tunneling with the VPN? If so, make sure that the ACL
permits the DMZ.

On Tue, Sep 2, 2008 at 5:06 AM, Ian Rarity <Ian.Rarity@xxxxxxxx> wrote:


We're having a problem with our VPN; we have a PIX 515E with 4

Inside (security100) - Our internal LAN,
Outside (security0) - The Internet
Perimeter (security50) - DMZ,
Innerperimeter (security75) - "Inner" DMZ,

The VPN is a certificate/token-based set up, with VPN users being
assigned addresses from (don't ask me about the weird
addressing scheme; it was like that when I got here).

The problem we're having is that VPN users can't access hosts in either
of the DMZs, although they can see LAN hosts just fine. I'm assuming
that this is because the VPN traffic is coming in through the PIX's
"outside" interface, and the usual rule about traffic from interfaces
with a lower security level going to an interface with a higher one is

I've tried to override this with another access list, by "nat 0"-ing
the two DMZ interfaces, but external VPN users still can't see hosts in
the DMZs. Obviously I'm screwing up somewhere, but I'd be very grateful
if someone could tell me how.


Private and Confidential: This e-mail transmission is strictly
confidential and intended solely for the addressee. It may contain
privileged and confidential information and if you are not the
intended recipient, you must not copy, disclose, distribute or
take any action in reliance on it. If you have received this
e-mail in error, please delete it and notify our E-mail Systems
Administrator on +44 (0) 131 624 8000. ESPC (UK) Ltd does not
accept any liability for any harm that may be caused to the
recipient's system or data by this message or any attachment.

ESPC (UK) Ltd is a company registered under the Companies
Acts in Scotland (Registered Number SC203535), and having its
registered office at 90A George Street, Edinburgh, Midlothian
EH2 3DF.

ESPC (UK) Limited is authorised and regulated by the Financial
Services Authority.
firewall-wizards mailing list
