05-26-2007 03:16 AM
Hi NetPro
Trying to set up a site-to-site VPN to allow remote site access to the DMZ. I checked the cisco.com site but could not find any sample configuration using the command line; any pointer to the site or sample configs will be appreciated.
Regards
Hash
05-31-2007 11:09 AM
First configure NAT. After this the access-list x has to allow traffic coming from the DMZ network to the remote site. Example:
dmz net: 10.20.30.0
remote net: 10.20.40.0
Our ACLs must be:
access-list nonat_dmz permit ip 10.20.30.0 255.255.255.0 10.20.40.0 255.255.255.0
nat (dmz) 0 access-list nonat_dmz
Then the sysopt connection permit-ipsec is to allow traffic coming from outside to our inside networks.
sysopt connection permit-ipsec:
Implicitly permit any packet that came from an IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for IPSec connections.
05-31-2007 11:34 AM
Along with nat exemption, you must also add the interesting traffic to your crypto acl on both devices.
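The two replies above (NAT exemption plus a matching crypto ACL and sysopt) put together as one PIX 6.x-style site-to-site configuration; this is an added example, not a config posted by either reply's author. The peer address 203.0.113.2, the ACL and map names, and the pre-shared key are assumed placeholders, and the remote device needs the mirror image of the crypto ACL.

```cisco
! DMZ network 10.20.30.0/24, remote network 10.20.40.0/24 (from the thread)
! NAT exemption: DMZ hosts keep their real addresses toward the remote site
access-list nonat_dmz permit ip 10.20.30.0 255.255.255.0 10.20.40.0 255.255.255.0
nat (dmz) 0 access-list nonat_dmz
! Crypto ACL ("interesting traffic"): same DMZ <-> remote pair, nothing wider.
! With sysopt connection permit-ipsec this ACL is the only filter on what the
! remote site can reach, so it is scoped to exactly the two networks.
access-list vpn_to_remote permit ip 10.20.30.0 255.255.255.0 10.20.40.0 255.255.255.0
! Let decrypted tunnel traffic bypass the outside interface ACL
sysopt connection permit-ipsec
! Phase 1 (ISAKMP) policy; peer address and key are placeholders
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key REPLACE_WITH_SHARED_SECRET address 203.0.113.2 netmask 255.255.255.255 no-xauth no-config-mode
! Phase 2 (IPsec) transform set and crypto map bound to the outside interface
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_to_remote
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
```

Once both ends are configured, show crypto isakmp sa and show crypto ipsec sa confirm the phase 1 and phase 2 SAs; if the DMZ-to-remote traffic is translated instead of tunnelled, the nonat_dmz and vpn_to_remote ACLs do not match the same network pair.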