Unity Client to Pix inside and dmz networks

aemr
Level 1

Are there any problems that would prohibit a Unity Client to start connections to hosts on the pix inside and pix dmz networks at the same time?

Can you provide a link that describes the PIX side of the configuration for access to both networks not just the inside network?


4 Replies

gfullage
Cisco Employee

There aren't any problems with this; you just have to make sure you bypass NAT for traffic from both interfaces going to your VPN pool of addresses. The PIX will take care of the routing, etc.

For example, your config would look like this:

ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpnpool 192.168.1.1-192.168.1.254
nat (inside) 0 access-list nonat
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Hope that helps.

Very Helpful, Thank you!

Would I also need a nat (dmz) 0 access-list nonat statement for the DMZ hosts to bypass nat?

gfullage
Cisco Employee

Whoops, yep sorry, brain fade on my part, disregard my first email. Your configuration would look like this:

ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpnpool 192.168.1.1-192.168.1.254
nat (inside) 0 access-list nonatinside
nat (dmz) 0 access-list nonatdmz
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonatdmz permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Hope that helps.
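The difference between the first config and the corrected one is that NAT exemption (nat 0) is bound per interface, so an ACL referenced only by nat (inside) 0 does nothing for packets entering the dmz interface. The following Python checker, added here as an illustration and not part of the thread or of any Cisco tool, parses both config fragments from the replies and reports whether a given flow is NAT-exempt; it models only the nat 0 access-list / permit ip lines shown above and assumes the PIX simply has no exemption on an interface with no nat 0 statement.

```python
import ipaddress

# First reply's config (constructed copy): nonat is bound to inside only.
FIRST_CONFIG = """
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpnpool 192.168.1.1-192.168.1.254
nat (inside) 0 access-list nonat
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# Corrected config (constructed copy): one nat 0 binding per interface.
CORRECTED_CONFIG = """
nat (inside) 0 access-list nonatinside
nat (dmz) 0 access-list nonatdmz
access-list nonatinside permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonatdmz permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""


def parse_config(text):
    """Return ({interface: acl_name}, {acl_name: [(src_net, dst_net), ...]}).

    Only 'nat (<if>) 0 access-list <name>' and
    'access-list <name> permit ip <src> <mask> <dst> <mask>' are understood.
    """
    nat0, acls = {}, {}
    for line in text.splitlines():
        p = line.split()
        if p[:1] == ["nat"] and len(p) >= 5 and p[2] == "0" and p[3] == "access-list":
            nat0[p[1].strip("()")] = p[4]
        elif p[:1] == ["access-list"] and p[2:4] == ["permit", "ip"]:
            src = ipaddress.ip_network(f"{p[4]}/{p[5]}")  # mask notation is accepted
            dst = ipaddress.ip_network(f"{p[6]}/{p[7]}")
            acls.setdefault(p[1], []).append((src, dst))
    return nat0, acls


def nat_exempt(config_text, ingress_iface, src_ip, dst_ip):
    """True if a packet entering ingress_iface from src_ip to dst_ip bypasses NAT."""
    nat0, acls = parse_config(config_text)
    acl_name = nat0.get(ingress_iface)
    if acl_name is None:
        return False  # no nat 0 on this interface: nothing exempts the traffic
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in acls.get(acl_name, []))


if __name__ == "__main__":
    for name, cfg in (("first", FIRST_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, "dmz->pool exempt:", nat_exempt(cfg, "dmz", "172.16.1.10", "192.168.1.5"))
```

Running it shows the dmz host is exempt only under the corrected config, which is exactly the gap the follow-up question pointed out.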

That helps very much.... Thank you!
