02-15-2007 05:19 AM - edited 03-11-2019 02:33 AM
Hello, we need to access our extranet DMZ remotely via VPN and are having some problems getting this to work.
The endpoints of the VPN are two PIXes, one of which has the extranet DMZ residing on it (see attached diagram).
The VPN is set up fine and can pass traffic site-to-site OK. The problem is when we try from the remote end to reach a network off the DMZ: we get traffic encrypted but none coming back.
I presume this can be done, but is there any special config to do this (same security etc.)?
Any help would be much appreciated.
Cheers
02-15-2007 05:56 AM
In your London PIX, you need to have the DMZ part of your interesting traffic ACL as well as a nat (DMZ) 0 ACL, just like you did for your inside networks.
access-list DMZ_nat0_outbound permit ip <dmz-network> <dmz-mask> <remote-network> <remote-mask>
nat (DMZ) 0 access-list DMZ_nat0_outbound
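Putting the reply's two pieces together on the London PIX, as an added worked example (not config from the thread or either poster; all addresses, the ACL names LONDON_TO_REMOTE / inside_nat0_outbound, the crypto map name VPNMAP and the DMZ router address are constructed assumptions):

```cisco
! Added example, constructed addresses:
!   inside network        10.1.0.0/24
!   extranet DMZ          10.2.0.0/24  (DMZ router at 10.2.0.254)
!   partner net via DMZ   172.16.0.0/24
!   remote site           192.168.0.0/24
!
! 1. Interesting-traffic ACL for the crypto map: the DMZ subnet and the partner
!    network behind the DMZ router must be listed next to the inside network,
!    otherwise return traffic from them is never selected for encryption.
access-list LONDON_TO_REMOTE permit ip 10.1.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list LONDON_TO_REMOTE permit ip 10.2.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list LONDON_TO_REMOTE permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! 2. NAT exemption on the inside interface (the part the poster already has).
access-list inside_nat0_outbound permit ip 10.1.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 3. Same exemption on the DMZ interface, for packets arriving on the DMZ from
!    the DMZ hosts and from the partner network. Without this, replies are
!    translated by the DMZ's outbound NAT/PAT and no longer match step 1.
access-list DMZ_nat0_outbound permit ip 10.2.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list DMZ_nat0_outbound permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
!
! 4. The PIX must know the partner network lives behind the DMZ router.
route DMZ 172.16.0.0 255.255.255.0 10.2.0.254 1
!
! 5. Bind the widened interesting-traffic ACL to the existing crypto map entry
!    (assumed name and sequence number).
crypto map VPNMAP 10 match address LONDON_TO_REMOTE
```

The remote PIX needs the mirror image of step 1 (its LAN to 10.2.0.0/24 and 172.16.0.0/24) and the DMZ router needs a route for 192.168.0.0/24 pointing back at the PIX DMZ interface, or replies still die before reaching the tunnel.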
02-15-2007 07:07 AM
One more thing to muddy the waters a little:
the end server does not reside on the DMZ; rather, the router that allows access to it is (as I say, it's a partner network).
We policy PAT connections on the London firewall going out to the destination.
Would this have an impact with the nat 0 needed for IPsec?
Many thanks