pix/vpn/dmz - config problems
Hendrik Danz  
Newsgroups: comp.dcom.sys.cisco
From: hendrik.d...@gmx.net (Hendrik Danz)
Date: 20 Jan 2003 02:44:49 -0800
Local: Mon, Jan 20 2003 5:44 am
Subject: pix/vpn/dmz - config problems
hi all,

have some trouble with pix/vpn/dmz configuration.

scenario:

cisco pix (PIX-515E, ver 6.2(2)) configured with inside, outside, dmz
interfaces. additional vpn settings for remote users using cisco vpn
client ver 3.6.3(A) for win2k.

there is a server located in the dmz, reachable from inside.
remote users connected via vpn, should have access to this server too.

the vpn connection seems to be ok. i can create a vpn ipsec tunnel
from the remote client. but i can not reach (using ping) the server.

during the ping test there are no packets coming back from the pix,
only the tx counter shows traffic.

pix config details:
(source: cisco online docu "configuring pix to pix dynamic-to-static-
ipsec with nat and cisco vpn client" - but it is without the dmz
thing)

############################################################
.
.
access-list acl_inside permit ip any any
access-list acl_inside permit icmp any any
access-list acl_inside deny ip any any
access-list acl_dmz permit icmp any any
access-list acl_dmz deny ip any any
access-list vpn permit ip 10.3.0.0 255.255.255.0 10.3.1.0 255.255.255.0
.
.
ip address outside xxx.xxx.xxx.xxx 255.255.255.192
ip address inside 192.168.0.1 255.255.255.252
ip address dmz 10.3.0.1 255.255.255.0
.
.
ip local pool vpn_ippool 10.3.1.1-10.3.1.254
.
.
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list vpn
.
.
access-group acl_outside in interface outside
access-group acl_inside in interface inside
access-group acl_dmz in interface dmz
.
.
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup myname address-pool vpn_ippool
vpngroup myname idle-time 1800
vpngroup myname password mypw
.
############################################################

questions:
        o are the config snippets detailed enough?
        o is anything misconfigured?
        o is any additional info needed (log, debug...)?
        o is there any strange pix behavior for that vpn thing?

final notes:
i also replaced dmz with inside settings - after that it was possible
to reach inside ip addresses.

hope you can give some useful advice

thnx

Hendrik Danz


Rickan Lee  
Newsgroups: comp.dcom.sys.cisco
From: "Rickan Lee" <rickan2...@hotmail.com>
Date: Mon, 20 Jan 2003 12:12:10 +0100
Local: Mon, Jan 20 2003 6:12 am
Subject: Re: pix/vpn/dmz - config problems
Hi Hendrik,

I think the NAT setting for your vpn clients is wrong. Since the inside
interface has a higher security level than the dmz interface, you should
define NAT for your vpn clients at the inside interface, not at the dmz.

Try to do either:
: direction from vpn clients to dmz
access-list vpn permit ip 10.3.1.0 255.255.255.0 10.3.0.0 255.255.255.0
: deactivate the dmz nat setting
no nat (dmz) 0 access-list vpn
: set nat for your vpn clients at the inside interface
nat (inside) 0 access-list vpn

or define a static for your vpn clients:

static (inside, dmz) 10.3.1.0 10.3.1.0 netmask 255.255.255.0

Regards,

Rickan

"Hendrik Danz" <hendrik.d...@gmx.net> wrote in message
news:d60a13d7.0301200244.2765e1b0@posting.google.com...


Hendrik Danz  
Newsgroups: comp.dcom.sys.cisco
From: hendrik.d...@gmx.net (Hendrik Danz)
Date: 20 Jan 2003 05:55:41 -0800
Local: Mon, Jan 20 2003 8:55 am
Subject: Re: pix/vpn/dmz - config problems
thanx for your help - but it doesn't help.
i changed the pix config.
same result.
i send encrypted packets but don't get back any packets.

any further ideas?

rgds.
       hendrik


Rickan Lee  
Newsgroups: comp.dcom.sys.cisco
From: "Rickan Lee" <rickan2...@hotmail.com>
Date: Mon, 20 Jan 2003 16:52:02 +0100
Local: Mon, Jan 20 2003 10:52 am
Subject: Re: pix/vpn/dmz - config problems

sorry, please forget my previous posting. your configuration was correct,
the "nat 0" must be deployed at the dmz interface and the access-list vpn
was also correct.

you may try to use "debug packet dmz dst ..." to see if any packets arrive
at the interface dmz.

Regards

rickan

"Hendrik Danz" <hendrik.d...@gmx.net> wrote in message
news:d60a13d7.0301200555.6cbc32fb@posting.google.com...

> thanx for your help - but it doesn't help.
> i changed the pix config.
> same result.
> i send encrypted packets but don't get back any packets.

> any further ideas?

> rgds.
>        hendrik

> "Rickan Lee" <rickan2...@hotmail.com> wrote in message
> <news:3e2bd98a$1@news.fhg.de>...


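The following checker is an added example, not code from the thread. It encodes the conclusion reached above (the "nat 0" exemption belongs on the dmz interface, with the access-list written from the DMZ network towards the VPN pool) and also flags the two typos in the first post's snippet. It parses Hendrik's config lines as a constructed sample; the outside address 203.0.113.10 is a documentation placeholder for the masked one.

```python
import ipaddress

# Constructed sample (not the thread's own code): the posted snippets, with a
# placeholder outside address and the original typos kept so the checks fire.
PIX_CONFIG = """\
access-list vpn permit ip 10.3.0.0 255.255.255.0 10.3.1.0 255.255.255.0
ip address outside 203.0.113.10 255.255.255.192
ip address inside 192.168.0.1 255.255.255.252
ip address dmz 10.3.0.1 255.255.255.0
ip local pool vpn_ippool 10.3.1.1-10.3.1.254
global (ouside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list vpn
vpngroup myname address-pool vpn_ippool
vpngroup mayname password mypw
"""

def lint_pix_vpn_dmz(config):
    """Findings for the nat-0 exemption that lets VPN-pool clients reach a DMZ host."""
    net = lambda ip, mask: ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    ifaces, acls, pools, nat0, groups, findings = {}, {}, {}, [], set(), []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"]:
            ifaces[t[2]] = net(t[3], t[4])
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[:3] == ["ip", "local", "pool"]:
            pools[t[3]] = tuple(ipaddress.ip_address(a) for a in t[4].split("-"))
        elif t[:1] in (["global"], ["nat"]):
            iface = t[1].strip("()")          # catches the 'ouside' typo
            if iface not in ifaces:
                findings.append(f"{t[0]}: unknown interface '{iface}'")
            if t[0] == "nat" and t[2:4] == ["0", "access-list"]:
                nat0.append((iface, t[4]))
        elif t[:1] == ["vpngroup"]:
            groups.add(t[1])                  # 'myname' vs 'mayname' splits the group
    if len(groups) > 1:
        findings.append(f"vpngroup names differ: {sorted(groups)}")
    for iface, name in nat0:
        for src, dst in acls.get(name, []):
            # nat 0 goes on the interface the ACL source sits behind, and the
            # ACL is written from that side: DMZ net -> VPN pool.
            if iface in ifaces and not src.subnet_of(ifaces[iface]):
                findings.append(f"nat ({iface}) 0: acl {name} src {src} is not behind {iface}")
            for pname, (lo, hi) in pools.items():
                if lo not in dst or hi not in dst:
                    findings.append(f"pool {pname} not covered by acl {name} dst {dst}")
    return findings
```

Running it on the sample reports only the two typos; with those fixed it returns no findings, matching the conclusion that the original config was correct.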
Hendrik Danz  
Newsgroups: comp.dcom.sys.cisco
From: hendrik.d...@gmx.net (Hendrik Danz)
Date: 21 Jan 2003 02:05:54 -0800
Local: Tues, Jan 21 2003 5:05 am
Subject: Re: pix/vpn/dmz - config problems
hi rickan
ok - i've forgotten it and switched back to the old config.
the debug packet command gives no output (didn't forget the "term mon"
cmd)
also strange: i can not see any incoming packets if i debug packet
outside src 10.3.1.1 255.255.255.

any further ideas for packet debug?
are there any other possibilities to check the vpn connection?
(counter for encrypted/decrypted packets in/out?)

i'm getting really confused by that

rgds.
    hendrik


danz  
Newsgroups: comp.dcom.sys.cisco
From: danz <d...@lewron.de>
Date: Thu, 30 Jan 2003 14:12:57 +0100
Local: Thurs, Jan 30 2003 8:12 am
Subject: Re: pix/vpn/dmz - config problems
ok - i solved the problem - or better my customer did it by himself.

the right way to check the connection is:
        debug packet dmz dst <server ip>
hey - there are packets to the server i want to reach
        debug packet dmz src <server ip>
no debug output
        debug packet dmz dst <client ip>
no debug output

there are packets into the dmz, but no packet comes back - strange.
looks like a missing route - but the server settings should be ok.
after a call i found out that there was no default route at all on the
server's side. add a default route and everything works fine.

i think it is important to stay in closer contact with customers before
spending hours in troubleshooting.

rgds.
        hendrik

