Query regarding VPN site-to-site and DMZ access

Unanswered Question
Feb 15th, 2007

Hello, we need to access our extranet DMZ remotely via VPN and are having some problems getting this to work.

The endpoints of the VPN are two PIXes, one of which has the extranet DMZ residing on it (see attached diagram).

The VPN is set up fine and can pass traffic site-to-site OK. The problem is when we try from the remote end to reach a network off the DMZ: we get traffic encrypted but none coming back.

I presume this can be done, but is there any special config to do this (same security, etc.)?

Any help would be much appreciated


acomiskey Thu, 02/15/2007 - 05:56

In your London PIX, you need to have the DMZ as part of your interesting-traffic ACL as well as a nat (DMZ) 0 ACL, just like you did for your inside networks.

access-list DMZ_nat0_outbound permit ip

nat (DMZ) 0 access-list DMZ_nat0_outbound
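As an added illustration of the answer above (not config from the original poster or from the answer itself), here is what the relevant parts of the London PIX 6.x configuration could look like. Every interface name, address, ACL name, crypto map name and peer address below is hypothetical; substitute your own. The remote site is assumed to be 10.2.0.0/16 behind the other PIX, the inside network 10.1.0.0/16, the DMZ 192.168.50.0/24, and the partner network 172.16.0.0/16 reached through a router at 192.168.50.254 on the DMZ. Lines starting with "!" are annotations, not commands.

```cisco
! --- Interfaces (hypothetical addressing) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0
ip address DMZ 192.168.50.1 255.255.255.0

! Partner network sits behind a router on the DMZ (hypothetical)
route DMZ 172.16.0.0 255.255.0.0 192.168.50.254 1

! --- Interesting traffic for the tunnel ---
! Inside AND the networks reachable through the DMZ must be listed,
! otherwise return traffic from them is never encrypted.
access-list outside_cryptomap_20 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip 192.168.50.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! --- NAT exemption, one per interface, mirroring the crypto ACL ---
access-list inside_nat0_outbound permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound

access-list DMZ_nat0_outbound permit ip 192.168.50.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list DMZ_nat0_outbound permit ip 172.16.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound

! --- Existing policy PAT for inside hosts talking to the partner ---
! nat 0 (NAT exemption) is evaluated before policy NAT on the PIX, so
! tunnel traffic matching the nat0 ACLs is never PATed; traffic to the
! partner network from inside hosts still is.
access-list inside_pat_partner permit ip 10.1.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 2 access-list inside_pat_partner
global (DMZ) 2 192.168.50.10

! --- IPsec / IKE (hypothetical peer and policy) ---
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 198.51.100.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two checks worth doing with this in place. First, the remote PIX's crypto ACL and its own nat 0 ACL must be the exact mirror (10.2.0.0/16 to each of 10.1.0.0/16, 192.168.50.0/24 and 172.16.0.0/16), or Phase 2 will not come up for the DMZ-side proxy identities; `show crypto ipsec sa` on both ends shows which pairs have SAs and whether decaps are counting up. Second, if the partner router only knows how to reach the PATed address (192.168.50.10 here) and has no route back to the remote site's addresses, return packets from the partner will be dropped on the partner side before they ever reach the DMZ, which is a routing problem the nat 0 exemption alone will not fix.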

monkeyboy Thu, 02/15/2007 - 07:07

One more thing to muddy the waters a little:

The end server does not reside on the DMZ; rather, the router that allows access to it does (as I say, it's a partner network).

We policy-PAT connections on the London firewall going out to the destination.

Would this have an impact on the nat 0 needed for IPsec?

many thanks
