Velocity Reviews - Computer Hardware Reviews


PIX 515, DMZ, VPN, what a mess. Need Help.

 
 
Eddie
      06-17-2004
Hello.

I don't see a way around this problem and I am hoping someone can point
me in the right direction.

I want the VPN users to only access the systems in the DMZ. I have to add
this line for them to do so.

static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0

But with that line, the servers in the DMZ cannot access the internet.
Everything else is working perfectly and the ACLs are working great.

How can I go about doing this?

Full config below.

Thanks for any and all help
Eddie

------------------------------
enable

config term

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

hostname RSC
domain-name example.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
names
pager lines 24
no logging on

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto


mtu outside 1500
mtu inside 1500
mtu dmz 1500

ip address outside 11.146.146.151 255.255.255.240
ip address inside 172.16.1.5 255.255.0.0
ip address dmz 172.30.1.1 255.255.0.0


arp timeout 14400

:No NAT for inside host to access the DMZ
access-list 60 permit ip 172.30.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list 60 permit ip 172.16.0.0 255.255.0.0 172.30.0.0 255.255.0.0

:No NAT for any store
access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list 60 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list 60 permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat 0 access-list 60


:Needed so the clients on the VPN can talk to the servers on the DMZ
static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0


:############################################
:Limited Access from Stores. We only want the stores accessing select
things on the DMZ
access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 80
access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 8080
:access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 22
access-list 71 permit udp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 53
access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 echo-reply

access-list 71 deny ip any any
access-group 71 in interface outside
:#############################################


:################################################# ######
:Limit Access from the office to the stores to select systems on the inside interface.

access-list 100 permit ip 172.16.1.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list 100 deny ip any 172.20.0.0 255.255.0.0

:Stuff to limit office access to web here
access-list 100 permit ip any any

access-group 100 in interface inside
:################################################# #######


:################################################# ####
:ACL for DMZ systems
:We will also need to give the DMZ limited internet access.

:We do like to ping
access-list 70 permit icmp any any echo-reply

:Ban access to inside networks.
access-list 70 deny ip any 172.16.0.0 255.255.0.0
:May also need to ban access to stores.

:Internet Access to the DMZ. Temp
access-list 70 permit ip any any

:Deny everything else
:access-list 70 deny ip any any

:Lets try it
access-group 70 in interface dmz
:################################################# #

:NAT the inside
nat (inside) 1 0 0

:NAT the dmz
nat (dmz) 1 0 0

:PAT the bunny
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 11.146.146.145

:We don't use RIP so turn it off.
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip dmz passive
no rip dmz default


timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
crypto ipsec transform-set strong esp-aes-256


:Store201
access-list 201_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.201.0 255.255.255.0
access-list 201_ipsec permit ip 172.16.0.0 255.255.0.0 172.20.201.0 255.255.255.0
crypto map ToStore 10 ipsec-isakmp
crypto map ToStore 10 match address 201_ipsec
crypto map ToStore 10 set peer 11.146.146.152
crypto map ToStore 10 set transform-set strong
crypto map ToStore interface outside

:Store212
access-list 212_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.212.0 255.255.255.0
access-list 212_ipsec permit ip 172.16.0.0 255.255.0.0 172.20.212.0 255.255.255.0
crypto map ToStore 12 ipsec-isakmp
crypto map ToStore 12 match address 212_ipsec
crypto map ToStore 12 set peer 11.146.146.153
crypto map ToStore 12 set transform-set strong
crypto map ToStore interface outside

:General IPSEC stuff for all stores
isakmp enable outside
isakmp key cisco1234 address 11.146.146.152 netmask 255.255.255.255
isakmp key cisco1234 address 11.146.146.153 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption aes-256
isakmp policy 8 lifetime 120
isakmp policy 8 hash md5


http 172.16.0.0 255.255.0.0
http server enable

logg c 7
logg on
 
 
 
 
 
Bill F
 
      06-18-2004

>
> :No NAT for inside host to access the DMZ
> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.16.0.0 255.255.0.0
> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.30.0.0 255.255.0.0
>


This is accomplished as follows:

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0

> :No NAT for any store
> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
> access-list 60 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 # don't need this
> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0
> access-list 60 permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 # don't need this
> nat 0 access-list 60


You only need to do the remote, local ACL entries for nat 0.

>
>
> ::Needed so the clients on the VPN can talk to the servers on the DMZ
> static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0
>

Nope. In this case, something LIKE ACL 71 takes care of that. I say
"like" because you have the syntax reversed. It should be of the type:

access-list 71 permit tcp 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0 eq 80

In other words, local net traffic to the remote net will be tunneled,
and the other side would have the mirror image. The same thing goes for any
other VPN peer nets.

>
> :############################################
> :Limited Access from Stores
> access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 80
> access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 8080
> :access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 22
> access-list 71 permit udp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 53
> access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
> access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 echo-reply
>
> access-list 71 deny ip any any
> access-group 71 in interface outside
> :#############################################
>
>
> :################################################# ######
> :Limit Access from the office to the stores to select systems.
>
> access-list 100 permit ip 172.16.1.0 255.255.255.0 172.20.0.0 255.255.0.0
> access-list 100 deny ip any 172.20.0.0 255.255.0.0
>
> :Stuff to limit office access to web here
> access-list 100 permit ip any any
>
> access-group 100 in interface inside
> :################################################# #######
>
>
> :################################################# ####
> :ACL for DMZ systems
> :We will also need to give the DMZ limited internet access.
>
> :We do like to ping
> access-list 70 permit icmp any any echo-reply
>
> :Ban acess to inside networks.
> access-list 70 deny ip any 172.16.0.0 255.255.0.0
> :May also need to ban access to stores.
>
> :Internet Access to the DMZ
> access-list 70 permit ip any any
>
> eny everything else
> :access-list 70 deny ip any any
>
> :Lets try it
> access-group 70 in interface dmz
> :################################################# #
>
>
> nat (inside) 1 0 0
> nat (dmz) 1 0 0
>
> global (outside) 1 interface
> route outside 0.0.0.0 0.0.0.0 12.145.146.145
>
> no rip outside passive
> no rip outside default
> no rip inside passive
> no rip inside default
> no rip dmz passive
> no rip dmz default
>
>
> timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> timeout rpc 0:10:00 h323 0:05:00
> timeout uauth 0:05:00 absolute
>
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> crypto ipsec transform-set strong esp-aes-256
>
>
> :Store201
> access-list 201_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.201.0 255.255.255.0
> access-list 201_ipsec permit ip 172.16.0.0 255.255.0.0 172.20.201.0 255.255.255.0
> crypto map ToStore 10 ipsec-isakmp
> crypto map ToStore 10 match address 201_ipsec
> crypto map ToStore 10 set peer 11.146.146.152
> crypto map ToStore 10 set transform-set strong
> crypto map ToStore interface outside
>
> :Store212
> access-list 212_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.212.0 255.255.255.0
> access-list 212_ipsec permit ip 172.16.0.0 255.255.0.0 172.20.212.0 255.255.255.0
> crypto map ToStore 12 ipsec-isakmp
> crypto map ToStore 12 match address 212_ipsec
> crypto map ToStore 12 set peer 11.146.146.153
> crypto map ToStore 12 set transform-set strong
> crypto map ToStore interface outside
>
> isakmp enable outside
> isakmp key cisco1234 address 11.146.146.152 netmask 255.255.255.255
> isakmp key cisco1234 address 11.146.146.153 netmask 255.255.255.255
> isakmp policy 8 authentication pre-share
> isakmp policy 8 encryption aes-256
> isakmp policy 8 lifetime 120
> isakmp policy 8 hash md5
>
> http 172.16.0.0 255.255.0.0
> http server enable
>
> logg c 7
> logg on
>
>
> no logging on
>
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
>
>
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
>
> ip address outside 11.146.146.151 255.255.255.240
> ip address inside 172.16.1.5 255.255.0.0
> ip address dmz 172.30.1.1 255.255.0.0
>
>
> arp timeout 14400
>
> :No NAT for inside host to access the DMZ
> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.16.0.0 255.255.0.0
> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.30.0.0 255.255.0.0
>
> :No NAT for any store
> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
> access-list 60 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0
> access-list 60 permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0
> nat 0 access-list 60
>
>
> ::Needed so the clients on the VPN can talk to the servers on the DMZ
> static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0
>
>
> :############################################
> :Limited Access from Stores. We only want the stores accessing select
> things on the DMZ
> access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 80
> access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 8080
> :access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 22
> access-list 71 permit udp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 53
> access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
> access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 echo-reply
>
> access-list 71 deny ip any any
> access-group 71 in interface outside
> :#############################################
>
>
> :################################################# ######
> Limit Access from the office to the stores to select systems on the
> inside interface.
>
> access-list 100 permit ip 172.16.1.0 255.255.255.0 172.20.0.0 255.255.0.0
> access-list 100 deny ip any 172.20.0.0 255.255.0.0
>
> :Stuff to limit office access to web here
> access-list 100 permit ip any any
>
> access-group 100 in interface inside
> :################################################# #######
>
>
> :################################################# ####
> :ACL for DMZ systems
> :We will also need to give the DMZ limited internet access.
>
> :We do like to ping
> access-list 70 permit icmp any any echo-reply
>
> :Ban acess to inside networks.
> access-list 70 deny ip any 172.16.0.0 255.255.0.0
> :May also need to ban access to stores.
>
> :Internet Access to the DMZ. Temp
> access-list 70 permit ip any any
>
> eny everything else
> :access-list 70 deny ip any any
>
> :Lets try it
> access-group 70 in interface dmz
> :################################################# #
>
> :NAT the inside
> nat (inside) 1 0 0
>
> :NAT the dmz
> nat (dmz) 1 0 0
>
> AT the bunny
> global (outside) 1 interface
> route outside 0.0.0.0 0.0.0.0 11.146.146.145
>
> :We don't use RIP so turn it off.
> no rip outside passive
> no rip outside default
> no rip inside passive
> no rip inside default
> no rip dmz passive
> no rip dmz default
>
>
> timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> timeout rpc 0:10:00 h323 0:05:00
> timeout uauth 0:05:00 absolute
>
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> crypto ipsec transform-set strong esp-aes-256
>
>
> :Store201
> access-list 201_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.201.0 255.255.255.0
> access-list 201_ipsec permit ip 172.16.0.0 255.255.0.0 172.20.201.0 255.255.255.0
> crypto map ToStore 10 ipsec-isakmp
> crypto map ToStore 10 match address 201_ipsec
> crypto map ToStore 10 set peer 11.146.146.152
> crypto map ToStore 10 set transform-set strong
> crypto map ToStore interface outside
>
> :Store212
> access-list 212_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.212.0 255.255.255.0
> access-list 212_ipsec permit ip 172.16.0.0 255.255.0.0 172.20.212.0 255.255.255.0
> crypto map ToStore 12 ipsec-isakmp
> crypto map ToStore 12 match address 212_ipsec
> crypto map ToStore 12 set peer 11.146.146.153
> crypto map ToStore 12 set transform-set strong
> crypto map ToStore interface outside
>
> :General IPSEC stuff for all stores
> isakmp enable outside
> isakmp key cisco1234 address 11.146.146.152 netmask 255.255.255.255
> isakmp key cisco1234 address 11.146.146.153 netmask 255.255.255.255
> isakmp policy 8 authentication pre-share
> isakmp policy 8 encryption aes-256
> isakmp policy 8 lifetime 120
> isakmp policy 8 hash md5
>
>
> http 172.16.0.0 255.255.0.0
> http server enable
>
> logg c 7
> logg on


 
Reply With Quote
 
 
 
 
Bill F
 
      06-18-2004
Oops, I caught one mistake in my response. It should read:

>> :No NAT for any store
>> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0 # don't need this
>> access-list 60 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
>> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0 # don't need this
>> access-list 60 permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0
>> nat 0 access-list 60

You only need to do the remote, local ACL entries for nat 0.

 
 
Bill F
 
      06-18-2004
Jeez!! I was right the first time. It is actually local net then remote
net for the nat 0 ACL.


 
 
eddie
 
      06-18-2004
Thanks for trying to help. I made your changes, but all I get now is the
"no translation group found" errors when a client on the VPN tries to ping a
server on the DMZ.

Eddie


 
Bill F
 
      06-19-2004
Let's cut through the possible confusion I caused with the back and
forth. Using the ACL 60 example, it should be as follows:

nat 0 access-list 60

access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0

Is that what you tried?
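
Eddie's 06-17 question (why the identity static breaks internet access for the DMZ) and Bill F's 06-18 and 06-19 posts on how nat 0 ACL entries are written come down to the same PIX 6.x mechanics, so one added example covers both. It is the editor's, not code from either poster, and it reuses the networks in the posted config (inside 172.16.0.0/16, dmz 172.30.0.0/16, store LANs inside 172.20.0.0/16 behind the IPsec peers); the ACL name dmz_nonat is an assumption. On a PIX 6.x an outbound packet is matched against NAT rules in this order: nat 0 access-list (exemption), then static, then nat/global. The posted static (dmz,outside) 172.30.0.0 172.30.0.0 is therefore consulted before nat (dmz) 1, so every DMZ host leaves toward the outside with its private 172.30.x source address instead of being PATed to the interface address, and no internet reply can route back. The static was only there because the exemption in nat 0 access-list 60 is not bound to the dmz interface, so DMZ-to-store traffic had no exemption of its own; the "no translation group found" message Eddie saw after removing the static is the PIX reporting exactly that gap for a packet arriving from the outside (through the tunnel) for a DMZ host. The fix is an exemption bound to the dmz interface whose ACL matches only tunnel-bound traffic. nat 0 ACL entries are written local network first, remote network second, and the exemption is bidirectional, so the reverse entries are not needed.

```cisco
: Added example (editor's, not from the thread). PIX 6.x syntax.
: Networks as in the posted config; the ACL name dmz_nonat is an assumption.

: --- Before (from the posted config): the identity static wins over nat/global ---
: static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0
: nat 0 access-list 60            <- exemption not bound to the dmz interface
: nat (dmz) 1 0 0                 <- never reached for DMZ -> outside traffic
: global (outside) 1 interface

: --- After ---
: 1. Drop the blanket identity static.
no static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0

: 2. Inside exemption: local net first, remote net second. The reverse
:    entries are removed; the PIX already allows the remote side to
:    initiate toward exempted hosts.
no access-list 60 permit ip 172.30.0.0 255.255.0.0 172.16.0.0 255.255.0.0
no access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
no access-list 60 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
no access-list 60 permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0
: ACL 60 now contains only:
:   access-list 60 permit ip 172.16.0.0 255.255.0.0 172.30.0.0 255.255.0.0
:   access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0
nat (inside) 0 access-list 60

: 3. DMZ exemption bound to the dmz interface, matching ONLY the store LANs
:    reached through the tunnels. Anything else from the DMZ falls through
:    to nat (dmz) 1 and is PATed to the outside interface address as before.
access-list dmz_nonat permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
nat (dmz) 0 access-list dmz_nonat

: 4. Regular PAT for everything not exempted (unchanged from the post).
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface

: 5. Existing translations keep the old behaviour until they are cleared.
clear xlate

: Checks:
: show nat                     -> one nat 0 line per interface (inside, dmz)
: show xlate                   -> a DMZ host on the internet shows a PAT entry
:                                 to 11.146.146.151; DMZ<->store flows show none
: show access-list dmz_nonat   -> hitcnt rises only for store-bound traffic
: debug icmp trace             -> a ping from a store host to a DMZ server is
:                                 seen arriving on outside and answered
```

The clear xlate step matters in practice: a DMZ host that already had a connection through the old static keeps using the existing translation slot until it times out or is cleared, which makes a correct change look as if it did nothing.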

 
 
Bill F
 
      06-20-2004

> arp timeout 14400
>
> :No NAT for inside host to access the DMZ
> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.16.0.0 255.255.0.0
> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.30.0.0 255.255.0.0


OK, I think I already addressed the above issue. Remove these two lines.
The way you accomplish this is:

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0


>
> :No NAT for any store
> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
> :access-list 60 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 # remove
> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0
> :access-list 60 permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 # remove
>
>
>
> nat 0 access-list 60
>
>
> ::Needed so the clients on the VPN can talk to the servers on the DMZ
> static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0


This allows dmz hosts to send traffic to the outside untranslated which
doesn't make sense. Remember vpn users are logically on the inside net.

>
>
> :############################################
> :Limited Access from Stores
> access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 80
> access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 8080
> :access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 22
> access-list 71 permit udp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 53
> access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
> access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 echo-reply
>
> access-list 71 deny ip any any
> access-group 71 in interface outside
> :#############################################


Again, vpn hosts are logically on the inside. You don't use
access-group commands to filter vpn traffic. The only acls you need for
vpn access are the nonat acl and it's essential for the crypto map match
address acls. You control vpn peer network access purely through these
acls. And it's essential that the peer acls exactly mirror the local pix
acl per crypto map entry/peer. Placing an acl on the outside interface
only filters traffic to the outside subnet addresses.


Eddie
Guest
Posts: n/a
 
      06-20-2004
On Sun, 20 Jun 2004 03:35:10 -0700, Bill F wrote:


>> arp timeout 14400
>>
>> :No NAT for inside host to access the DMZ
>> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.16.0.0 255.255.0.0
>> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.30.0.0 255.255.0.0

>
> ok i think i already addressed the above issue. Remove these two lines.
> the way you accomplish this is:
>
> static (inside,dmz) 172.16.0.0 172.16.0.0 255.255.0.0
>


Tried that. It didn't work. The inside network could not access the DMZ.


>
>> :No NAT for any store
>> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
>> :access-list 60 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
>> :# remove
>> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0
>> :access-list 60 permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0
>> :# remove
>>
>>
>>
>> nat 0 access-list 60
>>
>>
>> ::Needed so the clients on the VPN can talk to the servers on the DMZ
>> static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0

>
> This allows dmz hosts to send traffic to the outside untranslated which
> doesn't make sense. Remember vpn users are logically on the inside net.
>


You sure? From everything I have read and my thinking behind this config,
is that the VPN connections land on the outside interface, unless I have
"sysopt connection permit-ipsec" and then the vpn users are on the inside
network, but with that line, I can't apply ACLs to the VPN users.


>
>> :############################################
>> :Limited Access from Stores
>> access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 80
>> access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 8080
>> :access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 22
>> access-list 71 permit udp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 53
>> access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
>> access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 echo-reply
>>
>> access-list 71 deny ip any any
>> access-group 71 in interface outside
>> :#############################################

>
> Again, vpn hosts are logically on the inside. You don't use
> access-group commands to filter vpn traffic. The only acls you need for
> vpn access are the nonat acl and it's essential for the crypto map match
> address acls. You control vpn peer network access purely through these
> acls. And it's essential that the peer acls exactly mirror the local pix
> acl per crypto map entry/peer. Placing an acl on the outside interface
> only filters traffic to the outside subnet addresses.



You may be right about the ACL on the VPN and the crypto map. I think I
had problems applying an ACL as a crypto map with a port number. However,
I have been working on this for a month now and I don't recall what the
problem is. But everything seems to work and all the ACLs do what they
should. The main problem is this line.


::Needed so the clients on the VPN can talk to the servers on the DMZ
static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0


Because the VPN connections come from the outside interface, they are
from a lower security level than the DMZ. It's my understanding you need
a static route to allow packets to flow from a lower level to a higher
one. This line does work and the VPN users can access servers on the DMZ
without a problem. However, it stops the servers in the DMZ from
accessing the internet by turning off NAT.

So with that line, VPN users can access DMZ.
Without it, DMZ can access internet.

Problem is, I need both to happen at the same time.


Thanks
Eddie
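Bill F's "nat 0 access-list 60" suggestion earlier in the thread and Eddie's explanation above of why the identity static switches NAT off for the DMZ describe the same mechanism from two sides: a static is matched on source address only, so an identity static for the whole DMZ towards outside applies to Internet-bound flows as well, whereas a nat 0 exemption is matched on source and destination and can be scoped to the store/VPN peer network. The following is an added illustration, not code from the thread or from Cisco. It models the order in which a PIX 6.x picks an outbound translation (nat 0 exemption first, then static, then dynamic nat/global), assumes the DMZ is PATed onto the PIX's outside address 11.146.146.151 (the global command is not shown in the thread), and runs constructed sample flows through both configurations:

```python
import ipaddress

# Added illustration, not code from the thread or from Cisco: a small model of
# the order in which a PIX 6.x picks an outbound translation for a flow:
#   1. nat 0 access-list (NAT exemption)   2. static   3. dynamic nat/global
# Only the pieces needed to compare the two configs from the thread are modelled.

# Internal networks taken from the thread's config (inside, stores/VPN peers, DMZ).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("172.16.0.0/16", "172.20.0.0/16", "172.30.0.0/16")]

# Assumption: DMZ hosts are PATed onto the outside interface address, i.e. the
# equivalent of "global (outside) 1 interface"; the thread does not show it.
PAT_OUTSIDE = "11.146.146.151"


class PixNat:
    def __init__(self):
        self.exempt = []    # (src_net, dst_net) pairs from "nat 0 access-list"
        self.statics = []   # (real_iface, real_net, mapped_net) from "static"
        self.dynamic = {}   # real_iface -> PAT address from "nat"/"global"

    def nat0_acl(self, src, dst):
        self.exempt.append((ipaddress.ip_network(src), ipaddress.ip_network(dst)))

    def static(self, real_iface, real_net, mapped_net):
        self.statics.append((real_iface,
                             ipaddress.ip_network(real_net),
                             ipaddress.ip_network(mapped_net)))

    def nat_global(self, real_iface, pat_addr):
        self.dynamic[real_iface] = ipaddress.ip_address(pat_addr)

    def translate(self, src_iface, src_ip, dst_ip):
        """Return (rule, translated_source) for a flow leaving src_iface."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        # 1. NAT exemption is destination-aware, so it can be scoped to a peer.
        for src_net, dst_net in self.exempt:
            if src in src_net and dst in dst_net:
                return ("nat 0", str(src))
        # 2. A static is source-only: it applies to every destination reached
        #    through the mapped interface, the whole Internet included.
        for iface, real_net, mapped_net in self.statics:
            if iface == src_iface and src in real_net:
                offset = int(src) - int(real_net.network_address)
                return ("static", str(mapped_net.network_address + offset))
        # 3. Dynamic PAT is the fallback that gives DMZ hosts a public address.
        if src_iface in self.dynamic:
            return ("dynamic", str(self.dynamic[src_iface]))
        return ("none", str(src))


def leaks_private_source(nat, src_iface, src_ip, dst_ip):
    """True when a flow to a non-internal destination leaves with an RFC1918 source."""
    dst = ipaddress.ip_address(dst_ip)
    _, translated = nat.translate(src_iface, src_ip, dst_ip)
    external = not any(dst in net for net in INTERNAL_NETS)
    return external and ipaddress.ip_address(translated).is_private


def broken_config():
    """Eddie's config: identity static for the whole DMZ towards outside."""
    pix = PixNat()
    pix.nat_global("dmz", PAT_OUTSIDE)
    # static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0
    pix.static("dmz", "172.30.0.0/16", "172.30.0.0/16")
    return pix


def fixed_config():
    """Bill F's suggestion: exempt only DMZ <-> store/VPN traffic via nat 0."""
    pix = PixNat()
    pix.nat_global("dmz", PAT_OUTSIDE)
    # nat 0 access-list 60
    # access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    pix.nat0_acl("172.30.0.0/16", "172.20.0.0/16")
    return pix


if __name__ == "__main__":
    # Constructed sample flows: a DMZ server talking to a store/VPN peer and to
    # an arbitrary Internet host (198.51.100.7 is RFC 5737 documentation space).
    flows = [("172.30.1.10", "172.20.5.5"), ("172.30.1.10", "198.51.100.7")]
    for name, pix in (("identity static", broken_config()),
                      ("nat 0 acl", fixed_config())):
        for src, dst in flows:
            rule, xlated = pix.translate("dmz", src, dst)
            leak = leaks_private_source(pix, "dmz", src, dst)
            print(f"{name:16} {src} -> {dst}: {rule:8} src becomes {xlated} leak={leak}")
```

With the identity static, the DMZ server reaches the store/VPN network untranslated as intended, but its Internet-bound flow is also matched by the static and leaves with the 172.30.1.10 source, which is exactly the "stops the servers in the DMZ from accessing the internet" symptom. With the nat 0 exemption, only the flow to 172.20.0.0/16 is left untranslated and everything else falls through to PAT.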
Bill F
Guest
Posts: n/a
 
      06-20-2004


>
> You sure? From everything I have read and my thinking behind this config,
> is that the VPN connections land on the outside interface, unless I have
> "sysopt connection permit-ipsec"


Argh! That's crucial. I didn't know you were missing this?

> and then the vpn users are on the inside
> network, but with that line, I can't apply ACLs to the VPN users.
>


I'm not familiar with this approach. The conventional use of acls is a)
to control global traffic from hitting inside or dmz hosts OR b) to use
the crypto map match address acl to control access for vpn users. I've
never heard of an instance when acls were placed on interfaces to
control vpn access. Please forward the documentation links you're
referring to.


Eddie
Guest
Posts: n/a
 
      06-20-2004
On Sun, 20 Jun 2004 11:57:07 -0700, Bill F wrote:



>
>> You sure? From everything I have read and my thinking behind this
>> config, is that the VPN connections land on the outside interface,
>> unless I have "sysopt connection permit-ipsec"

>
> Argh! That's crucial. I didn't know you were missing this?
>
>> and then the vpn users are on the inside
>> network, but with that line, I can't apply ACLs to the VPN users.
>>
>>

> I'm not familiar with this approach. The conventional use of acls is a)
> to control global traffic from hitting inside or dmz hosts OR b) to use
> the crypto map match address acl to control access for vpn users. I've
> never heard of an instance when acls were placed on interfaces to
> control vpn access. Please forward the documentation links you're
> referring to.



I would have to look at my huge list of bookmarks for the info. But some
of it came from posts I found on this group. One of which was not to put
ACLs with ports on the crypto map as it would put extra load on the pix.

I don't want to limit access to the VPN users by using the crypto map. I
will need to pull data from the vpn users.

The way I want is this.

1) VPN users can only access servers in the DMZ. Only on select ports if I
can, but I can firewall the servers if I need to.

2) The DMZ has full access to any of the VPN users. No restriction on ports.

3) Select systems on the internal interface have full access to the VPN
users. As much as I would like to, I can't have all systems in the DMZ.

4) DMZ has full access to the internet.


Everything works, but I can't seem to have option 1,2 and 4 at the same
time.

If I set the DMZ to the same security level as the outside interface,
will I need the static line?

Thank you
Eddie