Questions involving DMZ-VPN on 515

Discussion in 'Cisco' started by Mike W., Feb 6, 2006.

  1. Mike W.

    Mike W. Guest

    Good morning all,

    I'm going to try and post this without having to attach an entire config....

    Basically....I am having trouble with split-tunneling, and allowing VPN
    users access to the DMZ.

    The setup is Outside, DMZ, and Corp (inside). Corp is 100, DMZ is 98, and
    outside is 0 (standard...). For users on the inside (192.168.33.0) they
    have no problem accessing the web and using DNS servers that are in the DMZ.
    However, when I create a VPN access group, they have access to the inside
    (they are assigned addresses from the same (.33.0) Inside group), but no
    name resolution.

    So...split tunneling IS working, but for IP addresses only...there is no
    name resolution for VPN users.

    Here is a piece of the config:

    hostname pixfirewall
    domain-name XXXX
    ftp mode passive
    dns retries 2
    dns timeout 2
    dns domain-lookup dmz
    dns name-server x.x.x.x
    dns name-server x.x.x.x
    same-security-traffic permit intra-interface

    I was not the one to set up this PIX and have never added DNS servers to a
    PIX unless using it with the DHCPD commands. Because the VPN users come in
    on the Outside interface, but are then part of the Inside pool, should they
    not have access to the DMZ? They cannot "see" the .28.0 DMZ.


    For Access lists there are many, but regarding this issue and
    split-tunneling is the following:

    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any source-quench
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list inside_access_in extended permit ip 192.168.0.0 255.255.0.0 any
    access-list corp_nat0_outbound extended permit ip any 192.168.31.0 255.255.255.0
    access-list XXX_splitTunnelAcl standard permit 192.168.33.0 255.255.255.0
    access-list corp_inside_access_in extended permit tcp any any
    access-list inside_access_in extended permit ip Private-subnet 255.255.0.0 any


    and the attributes:


    group-policy XXX internal
    group-policy XXX attributes
    dns-server value 192.168.28.1 192.168.28.2
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-tunnel-protocol IPSec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value XXX_splitTunnelAcl
    default-domain value XXX.com


    Does anything jump out to you guys as being blatantly wrong? Like I said,
    I've never used that "dns domain-lookup DMZ" command before. I would think
    that the VPN users would inherit the "100" security and be able to access
    anything lower, but I guess not.....

    Thanks!
    Mike W., Feb 6, 2006
    #1
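    One thing worth checking against the posted configuration: the split-tunnel list `XXX_splitTunnelAcl` only permits 192.168.33.0/24, while the `dns-server value` entries (192.168.28.1 and 192.168.28.2) sit in the 192.168.28.0/24 DMZ. With `split-tunnel-policy tunnelspecified`, a client only sends traffic for the listed networks through the tunnel, so DNS queries to those servers would go out the client's local interface instead. The script below is an added example, not part of the original post or of Cisco's own tooling; it parses the standard ACL and group-policy lines from a constructed excerpt of the config and reports any configured DNS server that no split-tunnel network covers. The second excerpt, `CONFIG_FIXED`, is likewise constructed to show the same check passing once the DMZ subnet is added to the list.

```python
import ipaddress
import re

# Constructed excerpt modelled on the lines quoted in the post (not a full config).
CONFIG = """\
access-list XXX_splitTunnelAcl standard permit 192.168.33.0 255.255.255.0
group-policy XXX internal
group-policy XXX attributes
 dns-server value 192.168.28.1 192.168.28.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXX_splitTunnelAcl
"""

# Constructed variant with the DMZ subnet added to the split-tunnel ACL.
CONFIG_FIXED = CONFIG.replace(
    "access-list XXX_splitTunnelAcl standard permit 192.168.33.0 255.255.255.0\n",
    "access-list XXX_splitTunnelAcl standard permit 192.168.33.0 255.255.255.0\n"
    "access-list XXX_splitTunnelAcl standard permit 192.168.28.0 255.255.255.0\n",
)

ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
ATTR_RE = re.compile(r"^group-policy (\S+) attributes$")


def parse_standard_acls(config):
    """Return {acl_name: [ip_network, ...]} for 'standard permit' entries."""
    acls = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            name, net, mask = m.groups()
            # PIX writes dotted masks; ipaddress accepts "net/mask" directly.
            acls.setdefault(name, []).append(
                ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return acls


def parse_group_policies(config):
    """Return {policy: {'dns': [...], 'split_policy': str, 'split_acl': str}}."""
    policies = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = ATTR_RE.match(line)
        if m:
            current = policies.setdefault(
                m.group(1), {"dns": [], "split_policy": None, "split_acl": None})
            continue
        if current is None:
            continue
        if line.startswith("dns-server value "):
            current["dns"] = [ipaddress.ip_address(a) for a in line.split()[2:]]
        elif line.startswith("split-tunnel-policy "):
            current["split_policy"] = line.split()[1]
        elif line.startswith("split-tunnel-network-list value "):
            current["split_acl"] = line.split()[2]
    return policies


def dns_outside_tunnel(config):
    """For each 'tunnelspecified' policy, list DNS servers not covered by its split ACL."""
    acls = parse_standard_acls(config)
    findings = {}
    for name, pol in parse_group_policies(config).items():
        if pol["split_policy"] != "tunnelspecified":
            continue  # tunnelall sends everything through the tunnel, nothing to check
        nets = acls.get(pol["split_acl"], [])
        missing = [str(a) for a in pol["dns"] if not any(a in n for n in nets)]
        findings[name] = missing
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG), ("with DMZ added", CONFIG_FIXED)):
        for policy, missing in dns_outside_tunnel(cfg).items():
            if missing:
                print(f"[{label}] policy {policy}: DNS servers not in split-tunnel "
                      f"list: {', '.join(missing)}")
            else:
                print(f"[{label}] policy {policy}: all DNS servers are tunneled")
```

    The check runs on a saved `show running-config` excerpt and only looks at standard ACLs referenced by a `split-tunnel-network-list`; it does not cover extended ACLs or inherited default-group attributes, so treat a clean result as one necessary condition, not a full verification of the VPN policy.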

  2. lionsfan25

    Have you found a solution?

    We are having the exact same problem on our network. Please let me know if you have a solution to this.

    Thanks,

    Keith W.
    lionsfan25, Apr 17, 2009
    #2