[c-nsp] Remote Access VPN on PIX 6.3 accessing DMZ and other interfaces.

Dave Lim dave.daturax at gmail.com
Tue Sep 26 09:30:24 EDT 2006


Hi Group,

I have the following customer who has a Cisco PIX 6.3. They have a remote
access IPsec VPN and everything is fine. They are able to connect and access
the inside interface of the PIX. But recently, they want the Remote Access
VPN clients to be able to access the other interfaces of the network.

So they intend to access DMZ, corp_net, lcs and suat.



nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security90
nameif ethernet3 corp_net security95
nameif ethernet4 lcs security98
nameif ethernet5 suat security99

I am not very good with vpn. Can this be done?

I have tried adding the ACL which indicates which type of traffic to encrypt
in the tunnel, but to no avail. When I do a show access-list there are no hits,
i.e. 10.84.3.0/24 is the DMZ interface subnet.

access-list no_nat_vpn permit ip 10.84.3.0 255.255.255.0 172.16.10.0 255.255.255.0


I have posted some configuration that has to do with the VPN.

access-list no_nat_vpn permit ip 10.84.2.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list split_tunnel permit ip 10.84.2.0 255.255.255.0 172.16.10.0 255.255.255.0
ip local pool VPN_POOL 172.16.10.1-172.16.10.20

crypto ipsec transform-set STRONG1 esp-des esp-md5-hmac
crypto dynamic-map DYNAMIC_VPN 10 set transform-set STRONG1
crypto map SYNGAS_VPN 30 ipsec-isakmp dynamic DYNAMIC_VPN
crypto map SYNGAS_VPN interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup gas_vpn address-pool VPN_POOL
vpngroup gas_vpn wins-server 10.84.2.19 10.84.2.21
vpngroup gas_vpn split-tunnel split_tunnel
vpngroup gas_vpn idle-time 1800
vpngroup gas_vpn user-idle-timeout 18000
vpngroup gas_vpn password ********
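As an added illustration, not part of the poster's configuration and not a confirmed fix, the fragment below shows the pieces that usually have to exist on a PIX 6.3 for a remote-access pool to reach a second interface: the extra subnet in the split-tunnel ACL so the client routes it into the tunnel, a NAT exemption bound to that interface with its own nat 0 statement, and the sysopt that lets decrypted IPsec traffic bypass the interface ACLs. The ACL name no_nat_dmz, the nat 0 bindings and the sysopt line are assumptions; only the inside subnet 10.84.2.0/24, the DMZ subnet 10.84.3.0/24 and the pool 172.16.10.0/24 come from the post. Subnets for corp_net, lcs and suat are not given, so they appear as placeholders.

```text
! Push the DMZ subnet to the client so traffic for it is sent into the tunnel
access-list split_tunnel permit ip 10.84.3.0 255.255.255.0 172.16.10.0 255.255.255.0
! Repeat per additional interface (placeholder values, real subnets not in the post)
access-list split_tunnel permit ip CORP_NET_SUBNET CORP_NET_MASK 172.16.10.0 255.255.255.0

! NAT exemption for the inside interface (already present in the post)
nat (inside) 0 access-list no_nat_vpn

! Separate NAT exemption bound to the DMZ interface (assumed name no_nat_dmz);
! without a nat 0 on the dmz interface, the return traffic is translated
! instead of being sent back through the tunnel
access-list no_nat_dmz permit ip 10.84.3.0 255.255.255.0 172.16.10.0 255.255.255.0
nat (dmz) 0 access-list no_nat_dmz

! Allow decrypted IPsec traffic to bypass the interface access lists
sysopt connection permit-ipsec
```

A quick check after applying this is show access-list: hits should now appear on both the split_tunnel entry and the no_nat_dmz entry when a client pings a DMZ host. Separately, the transform set and ISAKMP policy in the post use DES with MD5; PIX 6.3 also supports esp-3des, esp-aes and sha, and a practitioner reviewing this configuration today would move to those.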

