From DMZ connected another PIX and I am trying to establish VPN

Unanswered Question
Jun 17th, 2008


Internet terminated in router -> ASA, inside and outside interfaces configured, it is working well. Here my objective is: from the ASA DMZ interface I would like to add another PIX firewall, and from this PIX I need to establish a VPN. Is it possible? Please help; this is the client requirement, they don't want to share the ASA.

Farrukh Haroon Tue, 06/17/2008 - 02:11

Yes, AFAIK this is possible. You just need to punch holes in the router and ASA outside interfaces.



mkkeyan Wed, 06/18/2008 - 02:57

Thanks Farrukh,

For the DMZ I assigned an IP address from the same subnet (but a different IP) as what I assigned for outside; the ASA clearly indicated a conflict with the outside interface. Then I decided to assign a LAN IP for the DMZ and mapped it to an Internet IP; in the DMZ I just connected my PIX 506E firewall. For the mapped IP I just opened TCP, UDP, ESP and IPsec ports.

Here the router has nothing to do with my scenario, because my router has only a static route to the ISP and a DNS server name.

Please help, I think you can take me to the next stage.



Farrukh Haroon Wed, 06/18/2008 - 03:13

Yes Karthik, you cannot have two interfaces of the firewall in the same subnet. The approach you followed is correct. What kind of VPN are you going to terminate on the PIX? If it's IPsec you only need to enable UDP 500 and IP protocol 50 (ESP). If it's a LAN-to-LAN VPN you can even be specific about the source IP address. You don't need to permit generic TCP/UDP ports, as those will be encapsulated inside the ESP or UDP (if NAT-T etc. is used).



mkkeyan Thu, 06/19/2008 - 02:00

Thanks, now I am confident.

Site-to-site IPsec VPN from the DMZ PIX (506E).

Here is my static NAT:

static (dmz1,outside) xx.xx.99.220 netmask

access-list from-outside extended permit ip any host xx.xx.99.220

Or shall I use nat-control?

Is this OK or does it need to be modified?

Then in the PIX 506E which is in the DMZ, what IP address should I assign to the outside interface? Please advise.



Farrukh Haroon Thu, 06/19/2008 - 02:08

This will be assigned on the PIX's outside:

The ACL can be made more specific if you wish:

access-list from-outside extended permit esp any host xx.xx.99.220

access-list from-outside extended permit udp any host xx.xx.99.220 eq isakmp

If users are behind NAT, enable NAT traversal and add the following line also:

access-list from-outside extended permit udp any host xx.xx.99.220 eq 4500
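A complete version of the setup the replies above describe, as an added example that is not from the thread: ASA 7.x/8.0 (pre-8.3) syntax on the ASA, PIX 6.3 syntax on the 506E. All addresses are assumptions: 203.0.113.220 stands in for the masked public IP xx.xx.99.220, 203.0.113.1 for the upstream router, 10.10.10.0/24 for the DMZ segment, 198.51.100.10 for the remote VPN peer, and the pre-shared key and protected subnets are placeholders. The DMZ interface gets a real IP address and a security level above the outside interface, so outside-to-DMZ traffic is controlled only by the inbound ACL and no same-security-traffic statement is needed.

```cisco
! ===== ASA (pre-8.3 syntax; addresses are assumptions, see lead-in) =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/3
 nameif dmz1
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! One-to-one NAT: the PIX outside address 10.10.10.2 is reachable from the
! Internet as 203.0.113.220, and its own traffic leaves with that address.
static (dmz1,outside) 203.0.113.220 10.10.10.2 netmask 255.255.255.255
!
! Inbound: only IKE (UDP/500), ESP (IP protocol 50) and NAT-T (UDP/4500),
! and only from the known LAN-to-LAN peer. Pre-8.3 ACLs match the mapped
! address; on 8.3+ they would match the real address 10.10.10.2 instead.
access-list from-outside extended permit udp host 198.51.100.10 host 203.0.113.220 eq isakmp
access-list from-outside extended permit esp host 198.51.100.10 host 203.0.113.220
access-list from-outside extended permit udp host 198.51.100.10 host 203.0.113.220 eq 4500
access-group from-outside in interface outside

! ===== PIX 506E (PIX 6.3 syntax) =====
! Outside sits on the ASA dmz1 segment; the default route points at the
! ASA dmz1 address (the next hop), not at the PIX's own interface address.
nameif ethernet0 outside security0
ip address outside 10.10.10.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
!
! Minimal LAN-to-LAN IPsec; the PIX is behind a 1:1 NAT, so NAT-T is
! enabled and the remote peer must be configured with peer 203.0.113.220.
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key REPLACE-WITH-PSK address 198.51.100.10 netmask 255.255.255.255
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list vpn-traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map L2L 10 ipsec-isakmp
crypto map L2L 10 match address vpn-traffic
crypto map L2L 10 set peer 198.51.100.10
crypto map L2L 10 set transform-set ESP-3DES-SHA
crypto map L2L interface outside
sysopt connection permit-ipsec
```

Two things to check when bringing this up: with the PIX behind the static NAT, NAT-T detection will move the tunnel to UDP/4500, so the 4500 ACL line is needed in practice and not just for remote users behind NAT; and the PIX presents its real outside address (10.10.10.2) as its IKE identity by default, so if Phase 1 stalls after the identity exchange, verify that the remote peer accepts that identity for the pre-shared key it has bound to 203.0.113.220.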



nomair_83 Thu, 06/19/2008 - 03:05

After enabling NAT-T or the ACL with 4500 you can skip the ESP ACL as well.

I like your scenario :) I'll configure it with my own equipment.


mkkeyan Tue, 06/24/2008 - 04:53


interface Ethernet3
 nameif dmz1
 security-level 0
 no ip address

access-list from-outside extended permit ip any host **.**.99.220
static (dmz1,outside) ***.**.99.220 netmask
access-group from-outside in interface outside

In the PIX 506E:

For the outside interface an IP has been assigned.

security level 0

route outside

From the PIX 506E I am unable to reach global Internet IPs, please advise.



mkkeyan Mon, 06/30/2008 - 03:49

I have changed the security-level to 60, but even so I am unable to reach the Internet.



kaachary Mon, 06/30/2008 - 09:32

Shouldn't your default route point to the next hop instead of the interface IP address itself?

Farrukh Haroon Tue, 07/01/2008 - 00:31

On the DMZ you need to put an IP address, or something.

Also the default gateway should be something like this:

route outside ***.**.99.ABC

Where ***.**.99.ABC is your ISP router.

Also you need to check the PIX settings.



