
New Member

Is it possible to build a vpn tunnel to the DMZ interface on a pix 515 ?

I'd like to know whether it's possible to have a VPN tunnel ending on a DMZ interface rather than the inside interface of a 3-way PIX. All configuration examples I found route the traffic from the VPN client somewhere on the internet to the inside interface of the PIX. I tried a nonat access-list from DMZ to VPN client, but that does not work. I think because the VPN traffic goes to the highest security interface per definition. Am I right?

1 ACCEPTED SOLUTION
New Member

Re: Is it possible to build a vpn tunnel to the DMZ interface on

hi,

you can do this by use (nat 0 dmz x.x.x.x y.y.y.y)

4 REPLIES
Anonymous
N/A

Re: Is it possible to build a vpn tunnel to the DMZ interface on

You can have VPN tunnels to all PIX interfaces and every interface can be configured individually, but isakmp must be enabled per interface and a valid crypto map must be applied, together with vpngroup commands and an isakmp policy. For further information you should describe your scenario in more detail: where are the VPN clients, on the DMZ, or are they on the outside and you need to give them access to the DMZ, protecting the traffic with IPsec?

Bye

New Member

Re: Is it possible to build a vpn tunnel to the DMZ interface on

Hi,

What I want is a VPN tunnel between my VPN Windows client somewhere on the internet and the outside interface of my PIX. I then want the traffic to go NOT to the inside interface, but to the DMZ interface (outside: lowest security, inside: highest security). My DMZ has a private address range.

Regards,

Sjouke


New Member

Re: Is it possible to build a vpn tunnel to the DMZ interface on

Hi,

I did this and it works fine. What is the method to reduce the clients' access to the DMZ, or the inside for that matter? Should I use the access-list inout on interface inside, the access-list outin on interface outside, or the nonat list to get this done? (Say I only want the client to access a machine on the central LAN through a telnet session.) I've tried several things with the nonat list, but then I don't get the traffic through anymore.
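As an added example (not the original poster's configuration and not text from Cisco), here is a PIX 6.x-style configuration that ties the thread together: the Windows client terminates on the outside interface, only DMZ-to-client traffic is exempted from NAT using the nat 0 form the accepted answer suggests, and the clients are then limited to telnet to a single DMZ host. Interface names, address ranges, the pool, the vpngroup name and the target host are all assumed values. The point the last question is circling is the `sysopt connection permit-ipsec` command: while it is present, decrypted IPsec traffic bypasses the interface access-lists entirely, so neither the inside nor the outside ACL appears to do anything, and the nonat list cannot do the job because it only decides what is exempt from NAT, not what is permitted. Removing it makes the outside interface ACL apply to the decrypted client traffic.

```cisco
! Added example configuration; addresses, names and the telnet host are assumed.
! inside  = 192.168.1.0/24   (security100)
! dmz     = 192.168.10.0/24  (security50)
! vpnpool = 192.168.100.0/24 (addresses handed to remote clients)
! client-reachable DMZ host: 192.168.10.20, telnet only

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Address pool for the remote-access clients
ip local pool vpnpool 192.168.100.1-192.168.100.50

! NAT exemption between the DMZ and the VPN pool.
! Same idea as the accepted answer's "nat 0 dmz x.x.x.x y.y.y.y", but scoped
! with an access-list so only DMZ <-> client traffic is exempted.
access-list nonat_dmz permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (dmz) 0 access-list nonat_dmz
! Deliberately no "nat (inside) 0" entry for the pool: the inside network
! is not reachable through the tunnel at all.

! IKE / IPsec for the clients, terminated on the outside interface
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outmap 10 ipsec-isakmp dynamic dynmap
crypto map outmap client configuration address initiate
crypto map outmap interface outside

! Group the Cisco VPN client connects to; the split-tunnel ACL reuses the
! nonat list so the client only tunnels traffic destined for the DMZ.
vpngroup remote address-pool vpnpool
vpngroup remote split-tunnel nonat_dmz
vpngroup remote idle-time 1800
vpngroup remote password <GROUP-PRESHARED-KEY-PLACEHOLDER>

! Restricting what the clients may reach.
! With "sysopt connection permit-ipsec" present, decrypted client traffic
! skips the interface access-lists, which is why inout/outin seem to have no
! effect. Remove it and the outside ACL governs the decrypted traffic too.
no sysopt connection permit-ipsec

access-list outin permit tcp 192.168.100.0 255.255.255.0 host 192.168.10.20 eq telnet
access-list outin deny ip 192.168.100.0 255.255.255.0 any
access-group outin in interface outside
```

The outside ACL does not affect the IKE and ESP packets addressed to the PIX itself, so the tunnel still comes up; it only filters what emerges from the tunnel. If the telnet target sits on the inside LAN instead of the DMZ, the same pattern applies with a `nat (inside) 0` exemption for that host alone and a matching `permit tcp ... eq telnet` line, keeping everything else on the inside unreachable.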
