482 Views, 0 Helpful, 2 Replies
Query regarding VPN site-to-site and DMZ access

monkeyboy (Level 1)

Hello, we need to access our extranet DMZ remotely via VPN and are having some problems getting this to work.

The endpoints of the VPN are two PIXes, one of which has the extranet DMZ residing on it (see attached diagram).

The VPN is set up fine and can pass traffic site-to-site OK. The problem is when we try from the remote end to reach a network off the DMZ: we get traffic encrypted but none coming back.

I presume this can be done, but is there any special config to do this (same security, etc.)?

Any help would be much appreciated.

Cheers

2 Replies

acomiskey (Level 10)

In your London PIX, you need to have the DMZ part of your interesting-traffic ACL as well as a nat (DMZ) 0 ACL, just like you did for your inside networks.

access-list DMZ_nat0_outbound permit ip <DMZ-network> <DMZ-mask> <remote-site-network> <remote-site-mask>

nat (DMZ) 0 access-list DMZ_nat0_outbound
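As an added, constructed example (not config from either poster), here is what the London PIX 6.x fragment looks like once both the inside and the DMZ networks are covered by the crypto (interesting-traffic) ACL and by a NAT exemption ACL. All addresses, interface names, the peer address and the transform set are placeholders invented for this example; the `!` lines are annotations and can be stripped before pasting. The reply above is the one fact this builds on: without the `nat (DMZ) 0` exemption the return traffic from the DMZ gets translated by the regular NAT/PAT rules and never matches the crypto ACL, so it is never sent back through the tunnel.

```cisco
! Assumed (invented) addressing for this example:
!   inside network     10.1.1.0/24
!   DMZ network        172.16.1.0/24  (the partner router sits here)
!   remote-site network 10.2.2.0/24  behind the peer PIX at 203.0.113.2

! Interesting-traffic ACL: both the inside and the DMZ subnets must match,
! otherwise packets to/from the DMZ are never encrypted or expected on the tunnel
access-list VPN_TO_REMOTE permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN_TO_REMOTE permit ip 172.16.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! NAT exemption for the inside interface (the part that already worked)
access-list inside_nat0_outbound permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! NAT exemption for the DMZ interface (the missing piece from the question);
! nat 0 access-list is evaluated before policy and regular nat/global rules,
! so DMZ-to-remote traffic keeps its real source address
access-list DMZ_nat0_outbound permit ip 172.16.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound

! Crypto map binding the interesting-traffic ACL to the peer
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address VPN_TO_REMOTE
crypto map REMOTE 10 set peer 203.0.113.2
crypto map REMOTE 10 set transform-set ESP-3DES-SHA
crypto map REMOTE interface outside
```

The peer PIX needs the mirror image: its crypto ACL must list the DMZ subnet (172.16.1.0/24 here) as a destination alongside the London inside subnet, and its own nat 0 ACL must exempt traffic to it. The symptom described in the question, encrypted traffic leaving but nothing returning, shows up in `show crypto ipsec sa` as an encaps counter that climbs while decaps stays at zero; once the DMZ entries are in place on both ends, both counters should increase for a DMZ-bound test.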

One more thing to muddy the waters a little:

The end server does not reside on the DMZ; rather, the router that allows access to it is (as I say, it's a partner network).

We policy PAT connections on the London firewall going out to the destination.

Would this have an impact with the nat 0 needed for IPsec?

Many thanks
