Questions involving DMZ-VPN on 515

Discussion in 'Cisco' started by Mike W., Feb 6, 2006.

  1. Mike W.

    Mike W. Guest

    Good morning all,

    I'm going to try and post this without having to attach an entire config....

    Basically....I am having trouble with split-tunneling, and allowing VPN
    users access to the DMZ.

The setup is Outside, DMZ, and Corp (inside). Corp is 100, DMZ is 98, and
outside is 0 (standard...). Users on the inside have no problem accessing
the web and using DNS servers that are in the DMZ. However, when I create a
VPN access group, they have access to the inside (they are assigned
addresses from the same .33.0 inside group), but no name resolution.

So...split tunneling IS working, but for IP addresses only...there is no
name resolution for VPN users.

    Here is a piece of the config:

    hostname pixfirewall
    domain-name XXXX
    ftp mode passive
    dns retries 2
    dns timeout 2
    dns domain-lookup dmz
    dns name-server x.x.x.x
    dns name-server x.x.x.x
    same-security-traffic permit intra-interface

    I was not the one to set up this pix and have never added DNS servers to a
    PIX unless using it with the DHCPD commands. Because the VPN users come in
    on the Outside interface, but are then part of the Inside pool, should they
    not have access to the DMZ? They cannot "see" the .28.0 DMZ.

There are many access lists, but the ones relevant to this issue and
split-tunneling are the following:

    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any source-quench
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list inside_access_in extended permit ip any
    access-list corp_nat0_outbound extended permit ip any
    access-list XXX_splitTunnelAcl standard permit
access-list corp_inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip Private-subnet any

    and the attributes:

    group-policy XXX internal
    group-policy XXX attributes
    dns-server value
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-tunnel-protocol IPSec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value XXX_splitTunnelAcl
    default-domain value

    Does anything jump out to you guys as being blatantly wrong? Like I said,
    I've never used that "dns domain-lookup DMZ" command before. I would think
    that the VPN users would inherit the "100" security and be able to access
    anything lower, but I guess not.....

    Mike W., Feb 6, 2006
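Added example, not from this thread and not the poster's config: what the split-tunnel list and group policy have to contain for VPN clients to resolve names against DNS servers that sit in the DMZ. With split-tunnel-policy tunnelspecified, only destinations listed in the split-tunnel ACL are sent through the tunnel, so if the DMZ subnet is missing, the client's queries to a DMZ DNS server leave the client untunneled and fail even though inside hosts are reachable. All addresses and names here are placeholders (10.1.33.0/24 inside, 10.1.28.0/24 DMZ, DNS servers 10.1.28.10 and 10.1.28.11, domain example.com, ACL name dmz_nat0_outbound); the real values come from the firewall being fixed.

```cisco
! Constructed example (PIX 7.x syntax); addresses are placeholders.
! 1. Split-tunnel list: every network the client should reach through
!    the tunnel, including the DMZ where the DNS servers live.
access-list XXX_splitTunnelAcl standard permit 10.1.33.0 255.255.255.0
access-list XXX_splitTunnelAcl standard permit 10.1.28.0 255.255.255.0
!
! 2. NAT exemption for DMZ hosts replying to VPN clients (only needed if
!    DMZ traffic is otherwise translated); mirrors corp_nat0_outbound.
access-list dmz_nat0_outbound extended permit ip 10.1.28.0 255.255.255.0 10.1.33.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
!
! 3. Decrypted VPN traffic bypasses the outside interface ACL, so no
!    outside_access_in entry is needed for the DMZ (permit-vpn in 7.2+).
sysopt connection permit-ipsec
!
! 4. Group policy: push the DMZ DNS servers and the search domain
!    explicitly; an empty "dns-server value" pushes nothing.
group-policy XXX attributes
 dns-server value 10.1.28.10 10.1.28.11
 default-domain value example.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXX_splitTunnelAcl
```

To verify after a client connects: `show access-list XXX_splitTunnelAcl` should list both subnets, and on the client the secured routes (`route print` on Windows) should include the DMZ network; an `nslookup` against 10.1.28.10 from the client then goes through the tunnel. If the DMZ route is absent on the client, the group policy the user actually landed in is not the one edited. The `dns domain-lookup dmz` line in the original post only lets the PIX itself resolve names out of its DMZ interface; it has no effect on what VPN clients are told to use.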

  2. Mike W.

    Have you found a solution?

    We are having the exact same problem on our network. Please let me know if you have a solution to this.


    Keith W.
    lionsfan25, Apr 17, 2009
