[c-nsp] Pix 515 Question :

Bryan bryan at tec-works.com
Fri Oct 1 03:14:31 EDT 2004


It mainly has to do with permissions of your vpn setup.  By default the Pix
doesn't allow traffic from DMZ to the LAN interface so you will have to
set up a rule to allow this to happen.  If you are assigning your VPN users
an address out of the DMZ int pool it should be fairly straight forward.
Bryan

-- 
+---------------------------------------------------+
| Bryan Welch                  Direct:(425)844-8500 |
| Tec-Works LLC                Cell:  (206)920-5718 |
|  Total Network Solutions     Fax:   (425)844-8637 |
|                              bryan at tec-works.com  |
|                                                   |
|            <<--WWW.TEC-WORKS.COM-->>              |
+---------------------------------------------------+
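
Added here as an example, not part of Bryan's or JP's messages: a small Python triage script that parses the %PIX-3-106011 "Deny inbound (No xlate)" lines JP quoted, counts them per flow, and flags the flows where the packet arrived on and was routed back out the same interface (DMZ to DMZ in his log), which is the traffic Bryan's answer says the PIX will not pass until a translation and a rule exist for it. The sample log is constructed from the lines in the thread plus one unrelated 302013 line; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: the three 106011 lines JP posted (first one still carries
# the syslog relay prefix it had in his mail) plus one unrelated connection log.
SAMPLE_LOG = """\
Sep 27 11:31:28 10.185.1.202 :Sep 27 11:27:13 CEDT: %PIX-3-106011: Deny inbound (No xlate) tcp src DMZ:10.185.1.14/2219 dst DMZ:213.228.61.14/80
Sep 27 11:27:13 CEDT: %PIX-3-106011: Deny inbound (No xlate) tcp src DMZ:10.185.1.14/2220 dst DMZ:213.228.61.14/80
Sep 27 11:27:16 CEDT: %PIX-3-106011: Deny inbound (No xlate) tcp src DMZ:10.185.1.14/2219 dst DMZ:213.228.61.14/80
Sep 27 11:28:01 CEDT: %PIX-6-302013: Built outbound TCP connection 42 for outside:213.228.61.14/80 to inside:10.0.0.5/3321
"""

# Field layout of the 106011 message as it appears in the thread:
#   %PIX-3-106011: Deny inbound (No xlate) <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
PIX_106011 = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>106011): Deny inbound \(No xlate\) "
    r"(?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_no_xlate(line):
    """Return the fields of one 106011 message as a dict, or None for any other line."""
    m = PIX_106011.search(line)  # search(), so a relay/timestamp prefix does not matter
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def summarize_no_xlate(log_text):
    """Count 'No xlate' denials per (src_if, src_ip, dst_if, dst_port) flow."""
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_no_xlate(line)
        if rec:
            flows[(rec["src_if"], rec["src_ip"], rec["dst_if"], rec["dst_port"])] += 1
    return flows


def hairpin_flows(flows):
    """Flows whose source and destination interface are the same (DMZ -> DMZ in JP's
    log): the packet came in on an interface and was routed back out of it with no
    translation slot, the symptom a VPN pool hung off the DMZ shows until NAT and the
    DMZ-to-inside rule are in place."""
    return sorted(key for key in flows if key[0] == key[2])


if __name__ == "__main__":
    for flow, n in summarize_no_xlate(SAMPLE_LOG).items():
        print(n, flow)
    print("hairpin:", hairpin_flows(summarize_no_xlate(SAMPLE_LOG)))
```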



On Tue, 28 Sep 2004, Jean-Philippe Le Henaff wrote:

> Date: Tue, 28 Sep 2004 11:00:42 +0200
> From: Jean-Philippe Le Henaff <togusa at free.fr>
> To: Bryan <bryan at tec-works.com>
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Pix 515 Question :
>
> In fact, I removed the whole configuration, so now, I don't have anything to
> show. I just wanted to know if someone can send me a "sample" configuration.
>
> my show ver :
> Cisco PIX Firewall Version 6.3(3)
> ...
> Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
> Flash i28F640J5 @ 0x300, 16MB
> BIOS Flash AT29C257 @ 0xfffd8000, 32KB
>
> 0: ethernet0: address is 0050.54ff.0e10, irq 10
> 1: ethernet1: address is 0050.54ff.0e11, irq 7
> 2: ethernet2: address is 00e0.b601.0042, irq 9
> 3: ethernet3: address is 00e0.b601.0041, irq 9
> 4: ethernet4: address is 00e0.b601.0040, irq 9
> 5: ethernet5: address is 00e0.b601.003f, irq 9
>
> Thanks for your help
>
> JP
>
> Selon Bryan <bryan at tec-works.com>:
>
> > Can you send a copy of "show ver" and a "show config"
> >
> >
> >
> >
> > thanks,
> >
> > Bryan
> >
> >
> >
> >
> > On Mon, 27 Sep 2004, Jean-Philippe Le Henaff wrote:
> >
> > > Date: Mon, 27 Sep 2004 15:49:42 +0200
> > > From: Jean-Philippe Le Henaff <togusa at free.fr>
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] Pix 515 Question :
> > >
> > > Hello there,
> > >
> > > I have a Cisco Pix 515, I want to do a VPN on the DMZ interface and I want those
> > > VPN users to be able to see my inside interface, and the outside interface
> > >
> > > It looks like this :
> > >
> > >
> > > Internet------(outside 1.1.1.128/25)[PIX](inside 10.0.0.0/8)-----LAN
> > >                                       |
> > >                                       |
> > >                                 (DMZ 1.1.1.0/25)
> > >                                       |
> > >
> > > In fact, I need that VPN users connect on the DMZ interface (1.1.1.122), to be
> > > able to see computers on the inside interface and also be able to surf on the
> > > web with the connection.
> > >
> > > For the moment, I tried to configure and it doesn't work as I want.
> > > I have that kind of errors:
> > > Sep 27 11:31:28 10.185.1.202 :Sep 27 11:27:13 CEDT: %PIX-3-106011: Deny inbound (No xlate) tcp src DMZ:10.185.1.14/2219 dst DMZ:213.228.61.14/80
> > > Sep 27 11:27:13 CEDT: %PIX-3-106011: Deny inbound (No xlate) tcp src DMZ:10.185.1.14/2220 dst DMZ:213.228.61.14/80
> > > Sep 27 11:27:16 CEDT: %PIX-3-106011: Deny inbound (No xlate) tcp src DMZ:10.185.1.14/2219 dst DMZ:213.228.61.14/80
> > >
> > > Thanks for help
> > >