Post the entire config (change the public IPs to a.b.c.x and drop the
username/password) and I'll have a look.
Regards,
Scott.
\|/
(o o)
---------------------oOOO--(_)--OOOo----------------------
Out the 100Base-T, off the firewall, through the router, down
the T1, over the leased line, off the bridge, nothing but Net.
(Use ROT13 to see my email address)
.oooO Oooo.
----------------------( )---( )-----------------------
\ ( ) /
\_) (_/
"Roland" <> wrote in message
news: om...
> Here is my problem. I have a client based vpngroup named xxxxxxxxx.
> This works great except that I can't access any of the machines I have
> on my DMZ through the VPN. I have a feeling it's an access-list issue,
> but for the life of me I can't seem to find it. Maybe my brain has
> finally melted. Occupational hazard I guess.
>
> I think I've included all of the necessary config commands.
> Any help is greatly appreciated.
>
> Oh yeah PIX version 6.3(1)
>
> access-list 210 permit ip vvv.20.1.0 255.255.255.0 yyy.16.23.0 255.255.255.240
> access-list 210 permit ip xxx.1.0.0 255.255.0.0 yyy.16.23.0 255.255.255.240
> access-list 210 permit ip yyy.0.0.0 255.0.0.0 yyy.16.23.0 255.255.255.240
> access-list 210 permit ip zzz.zzz.0.0 255.255.0.0 yyy.16.23.0 255.255.255.240
> access-list 210 permit ip yyy.16.23.0 255.255.255.240 vvv.20.1.0 255.255.255.0
> access-list 210 remark Lines 6-10 are for xxxxxxxxx VPN Access
>
> access-list dmz100 permit ip vvv.20.1.0 255.255.255.0 yyy.16.23.0 255.255.255.240
> access-list dmz100 deny ip vvv.20.1.0 255.255.255.0 zzz.zzz.0.0 255.255.0.0
> access-list dmz100 deny ip vvv.20.1.0 255.255.255.0 172.0.0.0 255.0.0.0
> access-list dmz100 permit ip vvv.20.1.0 255.255.255.0 any
>
> ip address inside yyy.16.0.101 255.255.0.0
> ip address DMZ vvv.20.1.1 255.255.255.0
>
> ip local pool 4thpool yyy.16.23.1-yyy.16.23.12
>
> access-group dmz100 in interface DMZ
>
> vpngroup xxxxxxxxx address-pool 4thpool
> vpngroup xxxxxxxxx dns-server yyy.16.0.2
> vpngroup xxxxxxxxx wins-server yyy.16.0.2
> vpngroup xxxxxxxxx default-domain xxx.xxx.xxx.xxx
> vpngroup xxxxxxxxx split-tunnel 210
> vpngroup xxxxxxxxx idle-time 1800
> vpngroup xxxxxxxxx password ********