Firewall Wizards mailing list archives
VPN/DMZ problem
From: "Ian Rarity" <Ian.Rarity () espc com>
Date: Tue, 02 Sep 2008 11:06:25 +0100
Hi,

We're having a problem with our VPN; we have a PIX 515E with 4 interfaces:

  Inside (security100) - Our internal LAN, 150.150.10.0/24
  Outside (security0) - The Internet
  Perimeter (security50) - DMZ, 172.16.1.0/24
  Innerperimeter (security75) - "Inner" DMZ, 150.150.11.0/24

The VPN is a certificate/token-based set up, with VPN users being assigned addresses from 150.150.62.0/24 (don't ask me about the weird addressing scheme; it was like that when I got here).

The problem we're having is that VPN users can't access hosts in either of the DMZs, although they can see LAN hosts just fine. I'm assuming that this is because the VPN traffic is coming in through the PIX's "outside" interface, and the usual rule about traffic from interfaces with a lower security level going to an interface with a higher one is applying. I've tried to override this with another access list, by "nat 0"-ing the two DMZ interfaces, but external VPN users still can't see hosts in the DMZs.

Obviously I'm screwing up somewhere, but I'd be very grateful if someone could tell me how.

Ta,
IR.

*******************************************************************
Private and Confidential: This e-mail transmission is strictly confidential and intended solely for the addressee. It may contain privileged and confidential information and if you are not the intended recipient, you must not copy, disclose, distribute or take any action in reliance on it. If you have received this e-mail in error, please delete it and notify our E-mail Systems Administrator on +44 (0) 131 624 8000. ESPC (UK) Ltd does not accept any liability for any harm that may be caused to the recipient's system or data by this message or any attachment. ESPC (UK) Ltd is a company registered under the Companies Acts in Scotland (Registered Number SC203535), and having its registered office at 90A George Street, Edinburgh, Midlothian EH2 3DF. ESPC (UK) Limited is authorised and regulated by the Financial Services Authority.
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
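For readers working through the same setup, here is a PIX configuration fragment showing the three pieces that have to line up for remote-access clients to reach hosts behind a DMZ interface: a "nat 0" identity-NAT exemption on each DMZ interface (the traffic leaving the DMZ towards the VPN pool must not be translated), the sysopt that lets decrypted IPsec traffic bypass the outside interface's access list, and a split-tunnel list that actually includes the DMZ subnets. This is an added example, not configuration from the poster or from this thread; it uses the subnets given in the message but assumes PIX 6.3 syntax, lowercase nameif names (perimeter, innerperimeter) and a hypothetical vpngroup name (REMOTE), none of which appear in the original post.

```cisco
! --- Added example (not the poster's config). Assumes PIX 6.3 syntax and
! --- the nameif values "perimeter" / "innerperimeter"; adjust to the real ones.

! 1. Identity NAT for DMZ <-> VPN-pool traffic. The nat 0 ACL is bound to
!    the interface the DMZ hosts sit behind, and is written from the DMZ
!    host's point of view (source = DMZ subnet, destination = VPN pool).
access-list NONAT_PERIMETER permit ip 172.16.1.0 255.255.255.0 150.150.62.0 255.255.255.0
nat (perimeter) 0 access-list NONAT_PERIMETER

access-list NONAT_INNER permit ip 150.150.11.0 255.255.255.0 150.150.62.0 255.255.255.0
nat (innerperimeter) 0 access-list NONAT_INNER

! The inside interface normally already has one of these, which is why
! the LAN works; shown here for comparison.
access-list NONAT_INSIDE permit ip 150.150.10.0 255.255.255.0 150.150.62.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE

! 2. Let traffic that arrived inside an IPsec tunnel skip the outside ACL.
!    Without this, decrypted client packets are still subject to the
!    outside interface's access-group and the low->high default deny.
!    (On PIX/ASA 7.x the keyword is "permit-vpn".)
sysopt connection permit-ipsec

! 3. Split tunnelling: the client only sends traffic for the networks in
!    this list through the tunnel. If only the LAN is listed, packets for
!    the DMZs never enter the tunnel and never reach the PIX at all.
access-list SPLIT_TUNNEL permit ip 150.150.10.0 255.255.255.0 150.150.62.0 255.255.255.0
access-list SPLIT_TUNNEL permit ip 172.16.1.0 255.255.255.0 150.150.62.0 255.255.255.0
access-list SPLIT_TUNNEL permit ip 150.150.11.0 255.255.255.0 150.150.62.0 255.255.255.0
! "REMOTE" is a hypothetical vpngroup name for this example.
vpngroup REMOTE split-tunnel SPLIT_TUNNEL

! --- Checks, after a client connects and tries a DMZ host ---
! Decrypt/encrypt counters for the client's SA should rise for the DMZ
! subnet, not only for 150.150.10.0/24:
!   show crypto ipsec sa
! A translation for the DMZ host towards the VPN pool should be an
! identity (nat 0) entry, not a PAT/NAT'd one:
!   show xlate
! Log level debugging on the outside interface shows whether the DMZ
! packets are being dropped by an ACL or never arriving:
!   logging trap debugging
```

On a 7.x image the split-tunnel piece lives under a group-policy instead (split-tunnel-policy tunnelspecified plus split-tunnel-network-list value SPLIT_TUNNEL), and the nat 0 / sysopt lines are unchanged. The quickest way to tell which of the three pieces is missing is "show crypto ipsec sa" on the PIX: if the encaps/decaps counters for the DMZ subnet never move, the client is not tunnelling that traffic (split-tunnel list); if decaps rise but encaps stay at zero, the PIX is receiving the packets and dropping or mis-translating the return path (nat 0 / sysopt).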
Current thread:
- VPN/DMZ problem Ian Rarity (Sep 03)
- Re: VPN/DMZ problem Chris Myers (Sep 04)
- Re: VPN/DMZ problem Christopher J. Wargaski (Sep 04)
- Re: VPN/DMZ problem Ian Rarity (Sep 10)
- Re: VPN/DMZ problem ॐ aditya mukadam ॐ (Sep 10)