Re: [fw-wiz] VPN/DMZ problem


If you can get to the LAN resources and not to the DMZ resources, you
would need to check on :

1) Split tunneling : DMZ subnets should be allowed.
2) NAT 0 statement should be configured for traffic between DMZ and pool IP
3) Make sure there is a return route on the destination ( jus to
check...i understand that the default gateway on the DMZ devices would
be the PIX interface)
4) Check your machine's routing table for any static routes for the
destination subnets conflicting.

Pointers to troubleshoot:
* Atter connecting the VPN, send continuous ping to the DMZ
destination. Check on the VPN clients statistics if the packets are
getting encrypted. If you donot see the encrypted packets increasing,
then you have a local issue. It is either with split tunneling subnet
or a route on your local PC. If you can see encrypted count incresing
...then the next step would be to check on the PIX. Running wireshark
on the virtual adapter will be useful as well.

* do a sh crypto ipsec sa on the PIX. Check if you see traffic
decrypting. If there is an issue with return route, you would see
decrypts but no encrypts !

* You can run the command ' man-<interface name> command. By doing
this you can ping the PIX DMZ interface itself and troueblshoot.Thsi
will isolate issue with the return route etc on the destination
network. ( eg: your case it would be man-Perimeter )

Hope this helps. Let me know the results and we will take next
actions(fi needed)


On Thu, Sep 4, 2008 at 10:37 AM, Christopher J. Wargaski
<wargo1@xxxxxxxxx> wrote:
Hey Ian--

Are you using split-tunneling with the VPN? If so, make sure that the ACL
permits the DMZ.

On Tue, Sep 2, 2008 at 5:06 AM, Ian Rarity <Ian.Rarity@xxxxxxxx> wrote:


We're having a problem with our VPN; we have a PIX 515E with 4

Inside (security100) - Our internal LAN,
Outside (security0) - The Internet
Perimeter (security50) - DMZ,
Innerperimeter (security75) - "Inner" DMZ,

The VPN is a certificate/token-based set up, with VPN users being
assigned addresses from (don't ask me about the weird
addressing scheme; it was like that when I got here).

The problem we're having is that VPN users can't access hosts in either
of the DMZs, although they can see LAN hosts just fine. I'm assuming
that this is because the VPN traffic is coming in through the PIX's
"outside" interface, and the usual rule about traffic from interfaces
with a lower security level going to an interface with a higher one is

I've tried to override this with another access list, by "nat 0"-ing
the two DMZ interfaces, but external VPN users still can't see hosts in
the DMZs. Obviously I'm screwing up somewhere, but I'd be very grateful
if someone could tell me how.


Private and Confidential: This e-mail transmission is strictly
confidential and intended solely for the addressee. It may contain
privileged and confidential information and if you are not the
intended recipient, you must not copy, disclose, distribute or
take any action in reliance on it. If you have received this
e-mail in error, please delete it and notify our E-mail Systems
Administrator on +44 (0) 131 624 8000. ESPC (UK) Ltd does not
accept any liability for any harm that may be caused to the
recipient's system or data by this message or any attachment.

ESPC (UK) Ltd is a company registered under the Companies
Acts in Scotland (Registered Number SC203535), and having its
registered office at 90A George Street, Edinburgh, Midlothian
EH2 3DF.

ESPC (UK) Limited is authorised and regulated by the Financial
Services Authority.
firewall-wizards mailing list

firewall-wizards mailing list

firewall-wizards mailing list