Firewall Wizards mailing list archives

VPN/DMZ problem

From: "Ian Rarity" <Ian.Rarity () espc com>
Date: Tue, 02 Sep 2008 11:06:25 +0100

Hi,

We're having a problem with our VPN; we have a PIX 515E with 4
interfaces:

Inside (security100) - Our internal LAN, 150.150.10.0/24
Outside (security0) - The Internet
Perimeter (security50) - DMZ, 172.16.1.0/24
Innerperimeter (security75) - "Inner" DMZ, 150.150.11.0/24

The VPN is a certificate/token-based set up, with VPN users being
assigned addresses from 150.150.62.0/24 (don't ask me about the weird
addressing scheme; it was like that when I got here).

The problem we're having is that VPN users can't access hosts in either
of the DMZs, although they can see LAN hosts just fine.  I'm assuming
that this is because the VPN traffic is coming in through the PIX's
"outside" interface, and the usual rule about traffic from interfaces
with a lower security level going to an interface with a higher one is
applying.

I've tried to override this with another access list, by "nat 0"-ing
the two DMZ interfaces, but external VPN users still can't see hosts in
the DMZs.  Obviously I'm screwing up somewhere, but I'd be very grateful
if someone could tell me how.

Ta,
IR.


*******************************************************************
Private and Confidential:  This e-mail transmission is strictly 
confidential and intended solely for the addressee.  It may contain
privileged and confidential information and if you are not the 
intended recipient, you must not copy, disclose, distribute or 
take any action in reliance on it. If you have received this 
e-mail in error, please delete it and notify our E-mail Systems 
Administrator on +44 (0) 131 624 8000. ESPC (UK) Ltd does not 
accept any liability for any harm that may be caused to the 
recipient's system or data by this message or any attachment. 

ESPC (UK) Ltd is a company registered under the Companies 
Acts in Scotland (Registered Number SC203535), and having its
registered office at 90A George Street, Edinburgh, Midlothian 
EH2 3DF.

ESPC (UK) Limited is authorised and regulated by the Financial 
Services Authority.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

VPN/DMZ problem Ian Rarity (Sep 03)
- Re: VPN/DMZ problem Chris Myers (Sep 04)
- Re: VPN/DMZ problem Christopher J. Wargaski (Sep 04)
  - Re: VPN/DMZ problem Ian Rarity (Sep 10)
  - Re: VPN/DMZ problem ॐ aditya mukadam ॐ (Sep 10)