PIX 515E - DMZ access over VPN

Sep 11th, 2003

Hi all,

I'm new to PIX firewall setup,

We have a VPN (PIX to PIX), which connects two geographical locations, SiteA and SiteB.

I have connection access from SiteA (inside network) to SiteB (inside network). It works fine.

However, I wish to establish a secure connection between SiteA (DMZ) and SiteB (DMZ).

Please help me configure this in the PIX.


l.mourits Thu, 09/11/2003 - 14:17


Basically, the setup will be the same as your already existing VPN connection. One thing (most likely) could be different, and that is that most PIX configurations contain static commands for servers connected on the dmz (look at your config for static (dmz, outside) to see if this is the case).

If statics are setup then you would have to configure the following to get your VPN to work.

On your PIX at siteA:

nat (dmz) 0 access-list nonat_for_VPN

access-list nonat_for_VPN permit ip

access-list nonat_for_VPN deny ip any any

On your PIX at siteB:

nat (dmz) 0 access-list nonat_for_VPN

access-list nonat_for_VPN permit ip

access-list nonat_for_VPN deny ip any any

This will prevent traffic that comes in on interface DMZ from being translated. The PIX does translation first and then encryption, so, if a static is in place and not this nat 0, the PIX will translate the packet first, and after that translation this packet most likely does not match your access-list which defines the traffic that should be encrypted.

This is, in my experience, the most important thing to keep in mind. Of course you also need to configure the access-list which is bound to the crypto map to encrypt the traffic, but I'll guess you already knew that ;-)

Hope this helps. Let us know how things went.

Kind regards,


mraficcisco Sat, 09/13/2003 - 22:52


Thanks.. I will test. Before doing that..

SiteA inside network users need access to SiteB DMZ servers (they already have access thru the public IP, but our users need to have access thru the local IP).

Simply put.. a connection from the SiteA inside network to the SiteB DMZ server (webserver, HTTP access only).

Please let me know the command lines to add in the PIX to make it work.


l.mourits Sun, 09/14/2003 - 07:46

You would have to add the networks involved as a permit rule on the access-list that defines the packets which have to be encrypted (in other words, the access-list that is bound to the crypto map).

This makes the IP connection.

If you need to narrow it down to only http, I would recommend putting an access-list on your dmz which denies all other traffic, because of the implicit rule that all traffic from a high to a low security level interface is permitted by default.

Kind Regards,
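The two replies above rest on two points: the PIX translates before it encrypts (so a static on the DMZ server changes the source address before the crypto-map access-list is checked, and a nat 0 exemption keeps the original address), and an interface access-list ends in an implicit deny that can be used to allow only HTTP. The following Python model is an added example, not code or configuration from the thread or from Cisco; all addresses in it are constructed (SiteA DMZ 192.168.10.0/24 with a web server 192.168.10.5 statically mapped to 203.0.113.5, SiteB DMZ 192.168.20.0/24, SiteA inside 10.1.0.0/16), and the access-list evaluation is a simplified first-match model of the real device, covering only the direction of the connection request, not the stateful return path.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for this example (not from the thread):
#   SiteA DMZ     192.168.10.0/24, web server 192.168.10.5
#   static (dmz,outside) maps that server to public 203.0.113.5
#   SiteB DMZ     192.168.20.0/24, web server 192.168.20.7
#   SiteA inside  10.1.0.0/16 (hypothetical, used for the HTTP-only rule)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip" (any), "tcp", "udp", "icmp"
    dport: Optional[int] = None  # destination port, None = not checked


def match_acl(acl, pkt: Packet) -> str:
    """First-match evaluation of a PIX-style access-list.

    acl is a list of (action, proto, src_net, dst_net, dport) tuples;
    proto "ip" and dport None act as wildcards.  As on the real PIX,
    every access-list ends in an implicit deny.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for action, proto, src_net, dst_net, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src not in ipaddress.ip_network(src_net):
            continue
        if dst not in ipaddress.ip_network(dst_net):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


ANY = "0.0.0.0/0"

# static (dmz,outside) 203.0.113.5 192.168.10.5 netmask 255.255.255.255
STATICS = {"192.168.10.5": "203.0.113.5"}

# access-list bound to the crypto map: traffic that must be encrypted
CRYPTO_ACL = [("permit", "ip", "192.168.10.0/24", "192.168.20.0/24", None)]

# nat (dmz) 0 access-list nonat_for_VPN: traffic exempt from translation
NONAT_ACL = [
    ("permit", "ip", "192.168.10.0/24", "192.168.20.0/24", None),
    ("deny", "ip", ANY, ANY, None),
]


def outbound_from_dmz(pkt: Packet, nat0_acl=None):
    """Model of the order the first reply describes: translate first,
    then match the (possibly translated) packet against the crypto ACL.
    Returns (source address on the wire, encrypted?)."""
    src = pkt.src
    exempt = nat0_acl is not None and match_acl(nat0_acl, pkt) == "permit"
    if not exempt:
        src = STATICS.get(src, src)      # static NAT rewrites the source
    translated = Packet(src, pkt.dst, pkt.proto, pkt.dport)
    encrypted = match_acl(CRYPTO_ACL, translated) == "permit"
    return translated.src, encrypted


# HTTP-only filter in the style of the second reply: permit tcp/80 from
# the SiteA inside network to the SiteB web server, deny everything else.
HTTP_ONLY_ACL = [
    ("permit", "tcp", "10.1.0.0/16", "192.168.20.7/32", 80),
    ("deny", "ip", ANY, ANY, None),
]


if __name__ == "__main__":
    web = Packet("192.168.10.5", "192.168.20.7")
    print(outbound_from_dmz(web))             # static wins, sent in the clear
    print(outbound_from_dmz(web, NONAT_ACL))  # exempt, matches crypto ACL
    print(match_acl(HTTP_ONLY_ACL, Packet("10.1.5.5", "192.168.20.7", "tcp", 80)))
    print(match_acl(HTTP_ONLY_ACL, Packet("10.1.5.5", "192.168.20.7", "tcp", 22)))
```

Running it shows the failure mode from the first reply: without the nat 0 exemption the DMZ server's packet leaves as 203.0.113.5, no longer matches the crypto access-list, and would go out unencrypted; with the exemption it keeps 192.168.10.5 and is encrypted, while the same server's traffic to a non-VPN destination still uses the static. The HTTP-only list permits port 80 and falls through to the final deny for anything else.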


