Moving Site-Site vpn to DMZ

Answered Question
Jun 8th, 2007

I recently set up a site-site vpn between a pix 515 running 6.3(5) and a juniper netscreen. The tunnel was configured to only allow communication between two hosts, one on each end of the tunnel. Then the client wanted to move the host behind the pix to their dmz. We made the appropriate changes to the nat0 and match address list acls, but now it stopped working.

When I do a sh crypto ipsec sa, I get decaps and decrypt packets, but no encaps and encrypt packets. A sh isakmp sa shows an active tunnel between the two endpoints.

I'm not sure where to look from here. Haven't found anything on google.

Here's the current output from sh crypto ipsec sa:

local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer: a.b.c.d:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 38, #pkts decrypt: 5741, #pkts verify 5741
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 5703
local crypto endpt.: z.y.x.w, remote crypto endpt.: a.b.c.d
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

Correct Answer
acomiskey Fri, 06/08/2007 - 07:29

You did nat exemption like this right?

nat (dmz) 0 access-list ...

jcw009 Fri, 06/08/2007 - 07:32

No, I did not. Right now the nat statements are:

SMIC-PIX# sh ru | g nat
nat (inside) 0 access-list NoNatToDmz
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (smicdmz) 1 0 0


Can I have two nat 0 statements?

acomiskey Fri, 06/08/2007 - 07:37

The traffic which is to be exempt from nat is coming from the dmz right, not the inside?

So the nat (inside) 0 statement wouldn't do anything for your dmz vpn traffic. Yes you can have 2 nat 0 statements.

nat (smicdmz) 0 access-list dmz_to_vpn
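As an added illustration (not configuration from this thread), here is what the fix described above looks like in PIX 6.3 syntax, with constructed addresses and assumed ACL and crypto map names; the point is that `nat 0 access-list` is evaluated on the interface the traffic enters, so the exemption must live on the dmz interface and its ACL must describe the same host pair as the crypto map's match address ACL:

```cisco
! Constructed example. Hypothetical addresses:
!   DMZ host 192.0.2.10 on interface smicdmz, remote host 198.51.100.20 behind the Netscreen.
! Assumed names: dmz_to_vpn, vpn_match, outside_map.

! Before: exemption only on inside, so DMZ traffic is still PAT'ed by
! "nat (smicdmz) 1 0 0" and never matches the crypto ACL.
! Symptom: decaps/decrypt count up, encaps/encrypt stay at 0.
nat (inside) 0 access-list NoNatToDmz
nat (smicdmz) 1 0 0

! After: exempt the DMZ host's VPN traffic on the interface it actually enters.
access-list dmz_to_vpn permit ip host 192.0.2.10 host 198.51.100.20
nat (smicdmz) 0 access-list dmz_to_vpn

! The crypto ACL must describe the same pair so the proxy IDs still agree with the Netscreen.
access-list vpn_match permit ip host 192.0.2.10 host 198.51.100.20
crypto map outside_map 10 match address vpn_match

! Verify: after the DMZ host sends traffic, "#pkts encaps" and "#pkts encrypt"
! should increment and an outbound esp sa should appear.
show crypto ipsec sa
```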

jcw009 Fri, 06/08/2007 - 07:54

Yup. That was it. Thanks for your help!
