Unity Client to Pix inside and dmz networks

Answered Question
Nov 1st, 2002

Are there any problems that would prohibit a Unity Client to start connections to hosts on the pix inside and pix dmz networks at the same time?

Can you provide a link that describes the PIX side of the configuration for access to both networks not just the inside network?


gfullage Sat, 11/02/2002 - 17:59
User Badges: Cisco Employee

There aren't any problems with this, you just have to make sure you bypass NAT for traffic from both interfaces going to your VPN pool of addresses. The PIX will take care of the routing, etc.

For example, your config would look like this:

ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpnpool 192.168.1.1-192.168.1.254

nat (inside) 0 access-list nonat
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Hope that helps.

aemr Sun, 11/03/2002 - 11:13

Very Helpful, Thank you!


Would I also need a nat (dmz) 0 access-list nonat statement for the DMZ hosts to bypass nat?



Correct Answer
gfullage Sun, 11/03/2002 - 16:12
User Badges: Cisco Employee

Whoops, yep sorry, brain fade on my part, disregard my first email. Your configuration would look like this:


ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpnpool 192.168.1.1-192.168.1.254

nat (inside) 0 access-list nonatinside
nat (dmz) 0 access-list nonatdmz
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonatdmz permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Hope that helps.
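The slip in the first answer (the nonat ACL names the DMZ subnet, but no "nat (dmz) 0" statement applies it on the dmz interface) is easy to miss by eye, so here is an added checker that is not part of this thread or of any Cisco tool. It parses only the four PIX 6.x statement types shown above and assumes the tunnel-terminating interface is called "outside" (not present in the sample configs); both sample configs are copied from the two answers.

```python
import ipaddress
import re

# Constructed samples: the two configs from the answers above. The first is the
# incomplete one (DMZ subnet listed in nonat, but no "nat (dmz) 0" applies it).
FIRST_ANSWER = """
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpnpool 192.168.1.1-192.168.1.254
nat (inside) 0 access-list nonat
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
CORRECTED_ANSWER = """
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpnpool 192.168.1.1-192.168.1.254
nat (inside) 0 access-list nonatinside
nat (dmz) 0 access-list nonatdmz
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonatdmz permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pix(config):
    """Extract the four PIX 6.x statement types the thread relies on."""
    ifaces, pool, nat0, acls = {}, None, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"ip address (\S+) (\S+) (\S+)", line):
            ifaces[m[1]] = net(m[2], m[3])
        elif m := re.fullmatch(r"ip local pool \S+ (\S+)-(\S+)", line):
            pool = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.fullmatch(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m[1]] = m[2]  # NAT exemption bound to this interface
        elif m := re.fullmatch(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
    return ifaces, pool, nat0, acls

def missing_nat_exemptions(config, vpn_interface="outside"):
    """Interfaces (other than the assumed tunnel-terminating one) whose subnet is
    not NAT-exempt towards the VPN pool: exempt means a "nat (name) 0 access-list X"
    statement plus an ACE in X covering the interface subnet (src) and the pool (dst)."""
    ifaces, pool, nat0, acls = parse_pix(config)
    return [name for name, subnet in ifaces.items() if name != vpn_interface
            and not any(src.supernet_of(subnet) and pool[0] in dst and pool[1] in dst
                        for src, dst in acls.get(nat0.get(name, ""), []))]
```

Run against a saved "show running-config" and an interface named in the result will still have its VPN-bound traffic translated, which is exactly what keeps Unity clients from reaching hosts behind it.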

aemr Mon, 11/04/2002 - 12:36

That helps very much... Thank you!
