Access to DMZ Interface thru VPN - Simple Question

tpopejr
Level 1

I need to provide access from the VPN connections directly to the DMZ.

Our VPN subnet is 10.9.50.x and our DMZ subnet is 192.168.211.x.

My questions are:

What command 'set' do I use...NAT and Global or Static and Access-list?

What interface do I use for the VPN in the commands?

What would the commands look like?

Thanks,

Tom


jmia
Level 7

Tom

Are you trying to allow VPN client access to your DMZ interface? Or are you trying to allow access to resources on your DMZ interface for your L2L VPN tunnel?

Also, you don't mention which version of the PIX OS you are running. Is it 6.3(5) or version 7+?

Well, I'm guessing that you are trying to set up access to your DMZ interface for an L2L VPN tunnel and you're running PIX OS 7.0+. If so, then take a look here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806a5cea.shtml

Let me know if I am pointing you in the right direction or not, or you need further help on this.

Please rate post if it helps you.

Jay

Sorry for not being more specific.

I want VPN clients to access the DMZ directly (not resources on it).

We're running 6.3(4) on a 515e UR.

Will it require modifying the crypto_dyn maps?

Although I sincerely appreciate the help, if you all could simply show what general commands would need to be entered, it would be fantastic. Having to dig thru links is time consuming and, in my experience, a hit or miss prospect.

Thank you very much in advance.

Tom

OK Tom, I hear you.

As an example if your configuration is currently:

ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpn_pool 192.168.1.1-192.168.1.254
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

So, to allow your VPN client access to your DMZ interface you'll need to create a crypto access-list for your DMZ access and also a NAT 0 statement for your DMZ i.e.

access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list nonat

Hope this helps and please rate post.

Jay
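The fix above comes down to one question: does the NAT-exemption ACL referenced by `nat (dmz) 0` actually cover DMZ-to-VPN-pool traffic? The following Python script is an added example, not part of this thread or any Cisco tool. It parses the handful of PIX 6.3 commands used in Jay's reply (`ip address`, `ip local pool`, `access-list ... permit ip`, `nat (iface) 0 access-list`) from a saved config and reports, per interface, whether every address in the VPN pool is exempted from NAT toward that interface's subnet. The two configs embedded in it are constructed for the example, using Tom's subnets (VPN pool 10.9.50.x, DMZ 192.168.211.x); the inside subnet and interface names are assumptions.

```python
import ipaddress
import re

# Constructed "before" config: only the inside network is NAT-exempt for
# VPN clients, which is the situation Tom describes. Subnets follow his
# post; the inside subnet 10.1.1.0/24 and interface names are assumed.
BEFORE_CONFIG = """
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.211.1 255.255.255.0
ip local pool vpn_pool 10.9.50.1-10.9.50.254
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.9.50.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

# Constructed "after" config: Jay's two extra lines applied to Tom's subnets.
AFTER_CONFIG = BEFORE_CONFIG + """
access-list nonat permit ip 192.168.211.0 255.255.255.0 10.9.50.0 255.255.255.0
nat (dmz) 0 access-list nonat
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")
IFACE_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)\s+(\S+)$")
POOL_RE = re.compile(r"^ip local pool\s+\S+\s+(\S+)-(\S+)$")


def parse_config(text):
    """Return (acls, nat0, ifaces) from PIX-style config text.

    acls:   ACL name -> list of (src_network, dst_network) permit entries
    nat0:   interface name -> ACL name bound by 'nat (iface) 0 access-list'
    ifaces: interface name -> network of that interface
    Only the command forms used in the thread are recognised.
    """
    acls, nat0, ifaces = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}"))
            )
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := IFACE_RE.match(line):
            # strict=False turns the interface's host address into its subnet
            ifaces[m.group(1)] = ipaddress.ip_network(
                f"{m.group(2)}/{m.group(3)}", strict=False)
    return acls, nat0, ifaces


def pool_blocks(text):
    """Split the 'ip local pool' range into CIDR blocks for subnet checks."""
    m = POOL_RE.search(text.strip().replace("\n", "\n"), )  # single-line search below
    for raw in text.splitlines():
        m = POOL_RE.match(raw.strip())
        if m:
            first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            return list(ipaddress.summarize_address_range(first, last))
    return []


def nat_exempt_covers(acls, nat0, iface, local_net, remote_net):
    """True if the ACL bound by 'nat (iface) 0' has a permit entry whose
    source contains local_net and whose destination contains remote_net."""
    acl_name = nat0.get(iface)
    if acl_name is None:
        return False  # no NAT 0 on this interface at all
    return any(local_net.subnet_of(src) and remote_net.subnet_of(dst)
               for src, dst in acls.get(acl_name, []))


def audit_vpn_exemptions(text):
    """Map each addressed interface to True if every VPN-pool block is
    NAT-exempt toward that interface's subnet, else False."""
    acls, nat0, ifaces = parse_config(text)
    blocks = pool_blocks(text)
    return {
        iface: bool(blocks) and all(
            nat_exempt_covers(acls, nat0, iface, net, blk) for blk in blocks)
        for iface, net in ifaces.items()
    }


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, audit_vpn_exemptions(cfg))
```

Run against the "before" config the DMZ interface reports False (no `nat (dmz) 0` and no matching ACL entry), and against the "after" config both interfaces report True. The check works on the config text only; it says nothing about the crypto map, which Jay's answer leaves unchanged, or about any interface ACL that might still filter the traffic.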

Perfect!!!

Thanks Jay!
