Cisco Support Community
New Member

Access to DMZ Interface thru VPN - Simple Question

I need to provide access from the VPN connections directly to the DMZ.

Our VPN subnet is 10.9.50.x and our DMZ subnet is 192.168.211.x.

My questions are:

What command 'set' do I use...NAT and Global or Static and Access-list?

What interface do I use for the VPN in the commands?

What would the commands look like?

Thanks,

Tom

4 REPLIES
Gold

Re: Access to DMZ Interface thru VPN - Simple Question

Tom

Are you trying to allow VPN client access to your DMZ interface? Or are you trying to allow access to resources on your DMZ interface for your L2L VPN tunnel?

Also, you don't mention which version of the PIX OS you are running. Is it 6.3(5) or version 7+?

Well, I'm guessing that you are trying to set up access to your DMZ interface for an L2L VPN tunnel and you're running PIX OS 7.0+. If so, then take a look here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806a5cea.shtml

Let me know if I am pointing you in the right direction or not, or you need further help on this.

Please rate post if it helps you.

Jay

New Member

Re: Access to DMZ Interface thru VPN - Simple Question

Sorry for not being more specific.

I want VPN clients to access the DMZ directly (not resources on it).

We're running 6.3(4) on a 515e UR.

Will it require modifying the crypto_dyn maps?

Although I sincerely appreciate the help, if you all could simply show what general commands would need to be entered, it would be fantastic. Having to dig thru links is time consuming and, in my experience, a hit-or-miss prospect.

Thank you very much in advance.

Tom

Gold

Re: Access to DMZ Interface thru VPN - Simple Question

OK Tom, I hear you.

As an example, if your configuration is currently:

ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpn_pool 192.168.1.1-192.168.1.254
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

So, to allow your VPN client access to your DMZ interface, you'll need to create a crypto access-list for your DMZ access and also a NAT 0 statement for your DMZ, i.e.:

access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list nonat

Hope this helps and please rate post.

Jay
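As an added example (not part of this thread and not Cisco's own tooling), a small Python check that parses the PIX 6.3 `ip address`, `ip local pool`, `access-list ... permit ip` and `nat (...) 0 access-list` lines from Jay's before/after configuration and reports which interface networks still lack a NAT exemption toward the VPN pool. The parser is deliberately simplified: it assumes network-style ACL entries with dotted masks and a single local pool, and it ignores everything else in the config.

```python
import ipaddress
import re

# Constructed sample: Jay's "before" configuration from the reply above.
PIX_CONFIG_BEFORE = """\
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpn_pool 192.168.1.1-192.168.1.254
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
# The two lines Jay adds so DMZ-to-VPN-pool traffic is exempted from NAT.
PIX_CONFIG_AFTER = PIX_CONFIG_BEFORE + """\
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list nonat
"""


def parse_config(text):
    """Extract interface networks, the VPN pool, ACL entries and nat 0 bindings."""
    ifaces, acls, nat0, pool = {}, {}, {}, []
    for line in text.splitlines():
        if m := re.match(r"ip address (\S+) (\S+) (\S+)", line):
            ifaces[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)", line):
            first, last = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
            pool = list(ipaddress.summarize_address_range(first, last))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append(
                (ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False),
                 ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m[1]] = m[2]  # interface name -> ACL used for NAT exemption
    return ifaces, acls, nat0, pool


def interfaces_missing_exemption(text):
    """Interfaces whose network has no nat 0 ACL entry covering the whole VPN pool,
    i.e. traffic from that network to VPN clients would still be translated."""
    ifaces, acls, nat0, pool = parse_config(text)
    missing = []
    for name, net in ifaces.items():
        entries = acls.get(nat0.get(name, ""), [])
        covered = bool(pool) and all(
            any(net.subnet_of(src) and p.subnet_of(dst) for src, dst in entries)
            for p in pool)
        if not covered:
            missing.append(name)
    return missing
```

Run against the "before" config it reports `['dmz']`; after Jay's two lines it reports nothing, which is the state the original poster wanted.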

New Member

Re: Access to DMZ Interface thru VPN - Simple Question

Perfect!!!

Thanks Jay!
