lan-2-lan vpn via inside interface

Feb 11th, 2007


Is it possible to have a lan-2-lan VPN via the inside interface - PIX 525 running 6.3.5

Reason is we have 2 primary sites and need to have some traffic between the DMZs. If possible it would allow traffic between the DMZs via our internal network.



kaachary Wed, 02/14/2007 - 10:01


Sure, you can have a VPN via the inside interface. The configuration would be very similar to the "outside" VPN. A few changes in crypto would be like:

isakmp enable inside

cry map interface inside

and a few changes in the NAT statements:

nat (dmz) 0 access-list X



peter2904 Thu, 02/15/2007 - 18:38

Hi Kanishka

Thanks for the info. Think I may have the NAT wrong as the VPN did not try to establish. But then does 'NAT 0' work from a DMZ to inside interface? Thought NAT 0 was only for traffic going the other way?

kaachary Fri, 02/16/2007 - 05:28


Nat 0 works bidirectionally. So, if you have

nat (dmz) 0 access-list X

It would work for traffic going to inside as well as for traffic going to the outside interface. So, the VPN traffic entering the FW from DMZ and going to the inside n/w needs to have a nat (dmz) 0 or a static.
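Putting the two replies together into one PIX 6.3 fragment, added here as an illustration and not posted by either participant: the interface names, the 10.x addresses, the peer 10.1.1.2 (the other site's PIX inside address), the access-list and map names and the 3DES/SHA policy are all assumed placeholders. Lines starting with a colon are PIX comment lines.

```cisco
: Added illustration (not from the thread): LAN-to-LAN IPsec terminated on the
: PIX 6.3 inside interface, carrying traffic between the local DMZ and the
: remote DMZ across the internal network. All names and addresses are assumed.
:
: Local DMZ 10.1.10.0/24, remote DMZ 10.2.10.0/24, remote peer 10.1.1.2
: (the other site's PIX inside address), reachable through the inside interface.

: Traffic to be encrypted: one ACL used both as the crypto "interesting
: traffic" match and for NAT exemption, so the two never drift apart.
access-list DMZ2DMZ permit ip 10.1.10.0 255.255.255.0 10.2.10.0 255.255.255.0

: NAT exemption on the DMZ interface. nat 0 applies in both directions, so
: this one line covers DMZ->inside (into the tunnel) and the return traffic.
nat (dmz) 0 access-list DMZ2DMZ

: Phase 1 on the inside interface (the reply's "isakmp enable inside").
isakmp enable inside
isakmp key <PRESHARED-KEY-PLACEHOLDER> address 10.1.1.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Phase 2: transform set and a crypto map bound to inside
: (the reply's "cry map interface inside").
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map INSIDE_MAP 10 ipsec-isakmp
crypto map INSIDE_MAP 10 match address DMZ2DMZ
crypto map INSIDE_MAP 10 set peer 10.1.1.2
crypto map INSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map INSIDE_MAP interface inside

: Let decrypted tunnel traffic bypass the interface ACL. This applies to
: every IPsec tunnel on the box, not just this one; if that is too broad,
: omit it and permit the DMZ2DMZ flows explicitly in the interface ACLs.
sysopt connection permit-ipsec
```

The remote PIX needs the mirror-image configuration (ACL source and destination swapped, peer set to this PIX's inside address), and this PIX needs a route to 10.1.1.2 via the inside interface so the crypto map on inside actually sees the traffic.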



