[c-nsp] Pix 515 Question :

Jean-Philippe Le Henaff togusa at free.fr
Fri Oct 1 08:27:34 EDT 2004


This is ok, VPN users can connect on my LAN, but they are unable to browse
internet from their VPN connection.

JP

Selon Bryan <bryan at tec-works.com>:

> It mainly has to do with permissions of your vpn setup.  By default the Pix
> doesn't allow traffic from DMZ to the LAN interface so you will have to
> setup a rule to allow this to happen.  If you are assigning your VPN users
> an address out of the DMZ int pool it should be fairly straight forward.
>
>
>
>
>
> Bryan
>
> --
> +---------------------------------------------------+
> | Bryan Welch                  Direct:(425)844-8500 |
> | Tec-Works LLC                Cell:  (206)920-5718 |
> |  Total Network Solutions     Fax:   (425)844-8637 |
> |                              bryan at tec-works.com  |
> |                                                   |
> |            <<--WWW.TEC-WORKS.COM-->>              |
> +---------------------------------------------------+
>
>
>
> On Tue, 28 Sep 2004, Jean-Philippe Le Henaff wrote:
>
> > Date: Tue, 28 Sep 2004 11:00:42 +0200
> > From: Jean-Philippe Le Henaff <togusa at free.fr>
> > To: Bryan <bryan at tec-works.com>
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Pix 515 Question :
> >
> > In fact, I removed the whole configuration, so now, I don't have anything to
> > show. I just wanted to know if someone can send me a "sample" configuration.
> >
> > my show ver :
> > Cisco PIX Firewall Version 6.3(3)
> > ...
> > Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
> > Flash i28F640J5 @ 0x300, 16MB
> > BIOS Flash AT29C257 @ 0xfffd8000, 32KB
> >
> > 0: ethernet0: address is 0050.54ff.0e10, irq 10
> > 1: ethernet1: address is 0050.54ff.0e11, irq 7
> > 2: ethernet2: address is 00e0.b601.0042, irq 9
> > 3: ethernet3: address is 00e0.b601.0041, irq 9
> > 4: ethernet4: address is 00e0.b601.0040, irq 9
> > 5: ethernet5: address is 00e0.b601.003f, irq 9
> >
> > Thanks for your help
> >
> > JP
> >
> > Selon Bryan <bryan at tec-works.com>:
> >
> > > Can you send a copy of "show ver" and a "show config"
> > >
> > >
> > >
> > >
> > > thanks,
> > >
> > > Bryan
> > >
> > > --
> > > +---------------------------------------------------+
> > > | Bryan Welch                  Direct:(425)844-8500 |
> > > | Tec-Works LLC                Cell:  (206)920-5718 |
> > > |  Total Network Solutions     Fax:   (425)844-8637 |
> > > |                              bryan at tec-works.com  |
> > > |                                                   |
> > > |            <<--WWW.TEC-WORKS.COM-->>              |
> > > +---------------------------------------------------+
> > >
> > >
> > >
> > > On Mon, 27 Sep 2004, Jean-Philippe Le Henaff wrote:
> > >
> > > > Date: Mon, 27 Sep 2004 15:49:42 +0200
> > > > From: Jean-Philippe Le Henaff <togusa at free.fr>
> > > > To: cisco-nsp at puck.nether.net
> > > > Subject: [c-nsp] Pix 515 Question :
> > > >
> > > > Hello there,
> > > >
> > > > I have a Cisco Pix 515, I want to do a VPN on the DMZ interface and I want those
> > > > VPN users to be able to see my inside interface, and the outside interface
> > > >
> > > > It looks like this :
> > > >
> > > >
> > > > Internet------(outside 1.1.1.128/25)[PIX](inside 10.0.0.0/8)-----LAN
> > > >                                       |
> > > >                                       |
> > > >                                 (DMZ 1.1.1.0/25)
> > > >                                       |
> > > >
> > > > In fact, I need that VPN users connect on the DMZ interface (1.1.1.122), to be
> > > > able to see computers on the inside interface and also be able to surf on the
> > > > web with the connection.
> > > >
> > > > For the moment, I tried to configure and it doesn't work as I want.
> > > > I have this kind of error:
> > > > Sep 27 11:31:28 10.185.1.202 :Sep 27 11:27:13 CEDT: %PIX-3-106011: Deny inbound (No xlate) tcp src DMZ:10.185.1.14/2219 dst DMZ:213.228.61.14/80
> > > > Sep 27 11:27:13 CEDT: %PIX-3-106011: Deny inbound (No xlate) tcp src DMZ:10.185.1.14/2220 dst DMZ:213.228.61.14/80
> > > > Sep 27 11:27:16 CEDT: %PIX-3-106011: Deny inbound (No xlate) tcp src DMZ:10.185.1.14/2219 dst DMZ:213.228.61.14/80
> > > >
> > > > Thanks for help
> > > >
> > > > _______________________________________________
> > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > >
> > >
> > >
> >
> >
> >
> >
>
>
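As an added example (not code from this thread or from anyone on it): a small Python parser for the %PIX-3-106011 "Deny inbound (No xlate)" lines JP quoted, which separates the DMZ-to-DMZ pattern they show (a VPN client's web traffic turning around on the interface it arrived on, with no translation slot) from ordinary no-xlate denials. The pool prefix 10.185.1.0/24 and the two extra sample lines are assumptions; only 10.185.1.14 on DMZ appears in the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Added example, not from the thread. Prefix of the VPN address pool is an
# assumption: the thread only shows one client, 10.185.1.14, on the DMZ side.
VPN_POOL = ip_network("10.185.1.0/24")

_DENY_RE = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Constructed sample: the three lines quoted in the thread (first one keeps its
# syslog relay prefix), plus one unrelated denial and one non-106011 message.
SAMPLE_LOG = """\
Sep 27 11:31:28 10.185.1.202 :Sep 27 11:27:13 CEDT: %PIX-3-106011: Deny inbound (No xlate) tcp src DMZ:10.185.1.14/2219 dst DMZ:213.228.61.14/80
Sep 27 11:27:13 CEDT: %PIX-3-106011: Deny inbound (No xlate) tcp src DMZ:10.185.1.14/2220 dst DMZ:213.228.61.14/80
Sep 27 11:27:16 CEDT: %PIX-3-106011: Deny inbound (No xlate) tcp src DMZ:10.185.1.14/2219 dst DMZ:213.228.61.14/80
Sep 27 11:27:20 CEDT: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:198.51.100.7/40000 dst inside:10.1.2.3/25
Sep 27 11:27:21 CEDT: %PIX-5-111008: User 'enable_15' executed the 'write memory' command.
"""

def parse_106011(line):
    """Return the fields of a 106011 message, or None for any other line."""
    m = _DENY_RE.search(line)
    return m.groupdict() if m else None

def classify(ev, pool=VPN_POOL):
    """Label why the flow had no translation, from the firewall admin's side."""
    hairpin = ev["src_if"] == ev["dst_if"]          # leaves via the interface it entered
    from_pool = ip_address(ev["src_ip"]) in pool    # source is one of our VPN clients
    if hairpin and from_pool:
        return "vpn-hairpin"   # pool client's Internet traffic needs an xlate on that path
    if hairpin:
        return "hairpin"       # same-interface flow from something other than the pool
    return "no-xlate"          # plain inbound denial: no translation slot for the flow

def summarize(log_text, pool=VPN_POOL):
    """Count flows per (class, src, dst, dst_port) so client retries collapse to one entry."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_106011(line)
        if ev:
            counts[(classify(ev, pool), ev["src_ip"], ev["dst_ip"], ev["dst_port"])] += 1
    return dict(counts)
```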