
New Member

Query regarding VPN site-to-site and DMZ access

Hello, we need to access our extranet DMZ remotely via VPN and are having some problems getting this to work.

The endpoints of the VPN are two PIXes, one of which has the extranet DMZ residing on it (see attached diagram).

The VPN is set up fine and can pass traffic site-to-site OK. The problem is when we try from the remote end to reach a network off the DMZ: we see traffic being encrypted but none coming back.

I presume this can be done, but is there any special config to do this (same security, etc.)?

Any help would be much appreciated.



Re: Query regarding VPN site-to-site and DMZ access

In your London PIX, you need to have the DMZ as part of your interesting-traffic ACL as well as a nat (DMZ) 0 ACL, just like you did for your inside networks.

access-list DMZ_nat0_outbound permit ip <dmz-network> <dmz-mask> <remote-network> <remote-mask>

nat (DMZ) 0 access-list DMZ_nat0_outbound

New Member

Re: Query regarding VPN site-to-site and DMZ access

One more thing to muddy the waters a little.

The end server does not reside on the DMZ; rather, the router that allows access to it does (as I say, it's a partner network).

We policy PAT connections on the London firewall going out to the destination.

Would this have an impact with the nat 0 needed for IPsec?

Many thanks.
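A worked London-PIX configuration for the two posts above, added here as an example and not posted by either participant. All addresses, interface names and ACL names are constructed placeholders; it shows the DMZ (and the partner network routed behind the DMZ router) added to both the interesting-traffic ACL and a nat (DMZ) 0 exemption, with the NAT-exemption ordering that answers the policy PAT question.

```cisco
! Added example, PIX 6.x syntax. Constructed addresses:
!   inside network   10.1.0.0/24     (already passing VPN traffic)
!   DMZ link subnet  172.16.1.0/24   (partner router sits here at .254)
!   partner network  192.168.50.0/24 (behind the DMZ router)
!   remote site      10.2.0.0/24     (the other PIX's inside network)
!   remote peer      203.0.113.2     (documentation address)
!
! 1. Interesting-traffic ACL: every flow to be encrypted, including the DMZ
!    and anything routed behind the DMZ router. The remote PIX needs the
!    exact mirror image of these lines in its own crypto ACL.
access-list VPN_TRAFFIC permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN_TRAFFIC permit ip 172.16.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN_TRAFFIC permit ip 192.168.50.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! 2. NAT exemption on the inside interface (already there if site-to-site works).
access-list inside_nat0_outbound permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 3. Same exemption on the DMZ interface. Without it, replies leaving the DMZ
!    towards the remote site are either dropped (no translation) or PATed so
!    they no longer match VPN_TRAFFIC and never return encrypted: the symptom
!    in the original question.
access-list DMZ_nat0_outbound permit ip 172.16.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list DMZ_nat0_outbound permit ip 192.168.50.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
!
! Policy PAT: the PIX evaluates nat 0 access-list (NAT exemption) before any
! policy NAT/PAT, so flows matching the nat 0 ACL are exempted even when a
! policy PAT line would also match them. Keep the exemption ACL narrow (only
! the VPN-bound flows) so the existing policy PAT still applies to the rest.
!
! 4. Route so the PIX sends partner-network traffic to the DMZ router.
route DMZ 192.168.50.0 255.255.255.0 172.16.1.254 1
!
! 5. Crypto map binding the ACL to the peer (as for a working site-to-site
!    tunnel; shown for completeness). sysopt lets decrypted traffic bypass
!    the interface ACLs on the way in.
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN_TRAFFIC
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside
sysopt connection permit-ipsec
!
! Checks: "show crypto ipsec sa" should show both #pkts encaps and #pkts
! decaps rising for the 172.16.1.0 and 192.168.50.0 proxy identities, and
! "show access-list DMZ_nat0_outbound" hit counts should rise with traffic.
```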
