[c-nsp] Remote Access VPN on PIX 6.3 accessing DMZ and other interfaces.

Prabhu Gurumurthy pgurumu at gmail.com
Wed Sep 27 14:34:28 EDT 2006


Dave Lim wrote:
> Hi Group,
> 
> I have the following customer who has a Cisco PIX 6.3. They have a remote
> access IPsec VPN and everything is fine. They are able to connect and access
> the inside interface of the PIX. But recently, they want the Remote Access
> VPN clients to be able to access the other interfaces of the network.
> 
> So they intend to access DMZ, corp_net, lcs and suat.
> 
> 
> 
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security90
> nameif ethernet3 corp_net security95
> nameif ethernet4 lcs security98
> nameif ethernet5 suat security99
> 
> I am not very good with vpn. Can this be done?
> 
> I have tried adding the ACL which indicates which type of traffic to encrypt
> in the tunnel, but to no avail. When I do a show access-list there are no hits,
> i.e. 10.84.3.0/24 is the DMZ interface subnet.
> 
> access-list no_nat_vpn permit ip 10.84.3.0 255.255.255.0 172.16.10.0 255.255.255.0
> 
> 
> Posted some configuration that has got to do with the VPN.
> 
> access-list no_nat_vpn permit ip 10.84.2.0 255.255.255.0 172.16.10.0 255.255.255.0
> access-list split_tunnel permit ip 10.84.2.0 255.255.255.0 172.16.10.0 255.255.255.0
> ip local pool VPN_POOL 172.16.10.1-172.16.10.20
> 
> crypto ipsec transform-set STRONG1 esp-des esp-md5-hmac
> crypto dynamic-map DYNAMIC_VPN 10 set transform-set STRONG1
> crypto map SYNGAS_VPN 30 ipsec-isakmp dynamic DYNAMIC_VPN
> crypto map SYNGAS_VPN interface outside
> isakmp enable outside
> isakmp nat-traversal 20
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> vpngroup gas_vpn address-pool VPN_POOL
> vpngroup gas_vpn wins-server 10.84.2.19 10.84.2.21
> vpngroup gas_vpn split-tunnel split_tunnel
> vpngroup gas_vpn idle-time 1800
> vpngroup gas_vpn user-idle-timeout 18000
> vpngroup gas_vpn password ********
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

Are DMZ, corp_net, lcs and suat on different subnets?
If so, don't change anything on the VPN allowable access lists, but
add a static entry for the interfaces.
The template for the static command is:

static (high1,low1) low2 high2 mask 0

high1 is the interface at the higher security level
low1 is the interface at the lower security level

low2 is the IP address/subnet for the lower security level
high2 is the IP address/subnet for the higher security level.

Hope this helps
Prabhu
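As an added example (the editor's, not configuration from either poster), here is the reply's static template filled in for the one subnet the question names, 10.84.3.0/24 on the dmz interface, together with the split-tunnel entry the client needs. On PIX 6.3 the keyword is `netmask`, and the two trailing zeros are the connection limits. The split-tunnel line is needed because a client with split tunneling configured only sends traffic for the networks listed in the split_tunnel ACL through the tunnel; without it the DMZ subnet is routed out the client's local interface and never reaches the PIX. It assumes the rest of the posted VPN configuration stays as it is (inside access already works, so the crypto map, isakmp and vpngroup settings need no change) and that the corp_net, lcs and suat subnets, which the thread does not give, would each get the same pair of lines.

```cisco
! Added example, not from the original thread.
! 10.84.3.0/24 = dmz interface subnet (from the question)
! 172.16.10.0/24 = VPN_POOL (from the question)

! Identity static: DMZ hosts keep their real addresses when reached
! from the outside interface, so VPN clients see 10.84.3.x unchanged.
! Form: static (high,low) low_side_address high_side_address
static (dmz,outside) 10.84.3.0 10.84.3.0 netmask 255.255.255.0 0 0

! Tell the client to route the DMZ subnet into the tunnel.
access-list split_tunnel permit ip 10.84.3.0 255.255.255.0 172.16.10.0 255.255.255.0

! Repeat per interface; the subnet below is a placeholder, the real
! corp_net, lcs and suat subnets are not given in the thread.
! static (corp_net,outside) <corp_net_subnet> <corp_net_subnet> netmask 255.255.255.0 0 0
! access-list split_tunnel permit ip <corp_net_subnet> 255.255.255.0 172.16.10.0 255.255.255.0
```

After adding the statics, run `clear xlate` so existing translations are rebuilt, then reconnect the client and check `show access-list split_tunnel` for hit counts on the new line; a zero count there means the client never sent DMZ traffic into the tunnel, which points at the client-side split-tunnel list rather than at the firewall.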