Cisco Support Community
New Member

Can't create VPN from outside to other zones on PIX535 OS ver 6.3

Hi all,

Recently I have been assigned to manage our network's security and VPN solutions and was faced with a dilemma; because I haven't had any experience with VPNs, I use Cisco PDM's VPN wizard to create VPN tunnels on the PIX535 with IOS ver 6.3. The wizard always seems to assume that the connection is from the outside zone (security level 0) to the inside zone (security level 100). I want to create a VPN tunnel from the outside zone to a zone other than inside (security level 20, 30, etc.) but I can't seem to be able to. I even tried to create the tunnel to the inside and from there give the VPN client's IP address access to other zones, but that didn't work. Can anyone please help me out with this? I'm still surfing the web searching for a solution, but so far I didn't find anything.

Thanks in advance

CHEERS

4 REPLIES
Gold

Re: Can't create VPN from outside to other zones on PIX535 OS ver 6.3

Hi,

I don't use PDM, but when using the CLI, a VPN can be terminated on any interface with the command

crypto map your_map interface your_interface

Check this document:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172795.html#wp997353

I am not sure, but I think PDM doesn't have all the CLI features.

M.

New Member

Re: Can't create VPN from outside to other zones on PIX535 OS ver 6.3

Hey M,

Thanks for the post and link, but I don't want to create a site-to-site VPN, rather a remote access VPN. I'll keep looking for answers, but if you have any links that could help, by all means send them my way.

Thanks again

New Member

Re: Can't create VPN from outside to other zones on PIX535 OS ver 6.3

Same thing goes for remote access... don't use PDM. The program seems to push a lot of strange configs down to the PIX, at least that is my experience. I would suggest you use the CLI and rather use a paper that tells you what to do. It is easy.

Making a VPN to inside or any other zone from outside is all the same. You enable the tunnel on the outside interface anyway. What you need to do is tell in the crypto ACL and the nat 0 ACL what prefixes you are supposed to reach; the PIX will consult its routing table and send it to the right interface.

You are not telling us if you want to terminate your VPN client on the PIX or if you have another termination point in that other zone.

But this is how you make the PIX a remote access terminator:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

(This does not take into consideration split-tunneling; you would maybe need that.)

The only difference from this is that in ACL 102 you put the zone where you want the client to reach, and implement this command:

nat (zone) 0 access-list 102

Jens
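The following is an added example for this thread, not the original poster's configuration and not the one in Cisco's linked document. It puts together the two points made in the replies above: the tunnel is terminated on outside with `crypto map ... interface outside`, and which zone the clients can reach is decided by the nat 0 exemption and the split-tunnel ACL on that zone, not by the termination interface. The interface names, addresses, client pool, group name and ACL numbers are assumptions chosen for illustration; the commands are PIX OS 6.3 CLI syntax.

```cisco
! Added example (not from the original post or Cisco's document).
! Assumed topology: outside / inside / dmz interfaces with the addresses
! below, VPN client pool 10.3.3.0/24, VPN group "vpngrp", ACL 102 for the DMZ.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0

! Addresses handed out to remote-access clients
ip local pool vpnpool 10.3.3.1-10.3.3.50

! ACL 102: DMZ network <-> client pool. It is used twice:
!  - nat (dmz) 0 exempts this traffic from NAT on the DMZ interface
!  - vpngroup split-tunnel tells the client which prefixes go into the tunnel
! The source is the subnet behind the interface named in the nat statement,
! the destination is the client pool.
access-list 102 permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (dmz) 0 access-list 102

! nat 0 is per interface: to let the same clients also reach inside, add a
! second exemption on that interface with its own subnet as the source
! (left commented out here, since the question was about a non-inside zone):
! access-list 103 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
! nat (inside) 0 access-list 103

! Decrypted IPsec traffic bypasses the interface ACLs once this is set, so
! keep the split-tunnel ACL tight; it is what limits what clients send in.
sysopt connection permit-ipsec

! Phase 2: transform set and a dynamic crypto map (client peer IPs are unknown)
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
! Xauth against the PIX local user database
crypto map mymap client authentication LOCAL
! Terminate on outside. Nothing here names the DMZ: the PIX routes decrypted
! packets to whichever interface owns the destination subnet.
crypto map mymap interface outside

! Phase 1
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! VPN group for the Cisco VPN client; the group password is the pre-shared key
vpngroup vpngrp address-pool vpnpool
vpngroup vpngrp dns-server 10.1.1.10
vpngroup vpngrp default-domain example.com
vpngroup vpngrp split-tunnel 102
vpngroup vpngrp idle-time 1800
vpngroup vpngrp password <group-password>

! Xauth user for the local database
username vpnuser password <user-password>
```

After a client connects, `show isakmp sa` should show the phase 1 SA with the client's public address and `show crypto ipsec sa` should show a phase 2 SA whose proxy identities are the client's pool address and the 10.2.2.0/24 network. If the phase 2 SA appears but DMZ hosts are unreachable, the usual causes are the nat 0 ACL being attached to the wrong interface (it must be the one facing the target zone) or its source and destination being swapped.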

New Member

Re: Can't create VPN from outside to other zones on PIX535 OS ver 6.3

Sorry... the paper does take into consideration split-tunneling...

Jens
