New Member

Peter, we have a Cisco PIX 520 with failover and a DMZ

Peter, we have a Cisco PIX 520 with failover and a DMZ. We have created an IPSec VPN from this pix's inside interface back to our main office. We would also like to enable a VPN from the dmz to the head office. Is this possible? I have created multiple VPN's on the same firewall before but this would have the same firewall creating two VPN's that would terminate on the same peer.

If this is possible could you tell me how.

Thanks

3 REPLIES
New Member

Re: Peter, we have a Cisco PIX 520 with failover and a DMZ

Starting with PIX release 5.1(3) it’s possible to terminate tunnels on any active interface on the PIX. I’d suggest creating another policy for the DMZ interface. I’d recommend terminating the tunnel on the outside interface of the PIX and in the crypto define interesting traffic originating both from the inside and the DMZ networks.

New Member

Re: Peter, we have a Cisco PIX 520 with failover and a DMZ

Absolutely, this is possible. I have it running at one of my customer sites. We had to upgrade to PIX IOS 5.2(2), but I think that was because we implemented NAT 0. If you would like, I can send you a sample of the IOS config for your review.

Silver

Re: Peter, we have a Cisco PIX 520 with failover and a DMZ

It is possible; however, what you must do is to place the crypto maps on the interfaces the VPN traffic will leave via. This means that you will have one (1) crypto map with two (2) sequence numbers in it: one for your DMZ and one for your inside networks. You then attach it to the leaving interface; I guess in your case it will be the outside interface. The magic here is to create two separate access lists, one for the DMZ and one for the inside networks. You should also remember to shut off address translation for these two networks when communicating via the VPN.

This is done via the NAT (interface) 0 access-list.

An example is included below.

! Interesting traffic: ACL 130 covers the inside network, ACL 120 covers the DMZ
access-list 130 permit ip 10.30.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list 120 permit ip 10.20.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! Exempt the VPN-bound traffic from translation (nat 0) so the crypto map
! matches the real inside and DMZ source addresses
nat (inside) 0 access-list 130
nat (dmz) 0 access-list 120
! Phase 2 proposal
crypto ipsec transform-set des3sha esp-3des esp-sha-hmac
! One crypto map, two sequence numbers, same peer, different match ACLs
crypto map intranet 2 ipsec-isakmp
crypto map intranet 2 match address 120
crypto map intranet 2 set peer 10.1.0.2
crypto map intranet 2 set transform-set des3sha
crypto map intranet 3 ipsec-isakmp
crypto map intranet 3 match address 130
crypto map intranet 3 set peer 10.1.0.2
crypto map intranet 3 set transform-set des3sha
! The single map is applied to the interface the tunnels leave through
crypto map intranet interface outside
! Phase 1: the pre-shared key below is the sample value from this post,
! not a key to reuse; the policy matches the 3DES/SHA transform set
isakmp key 12345678 address 10.1.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 1
isakmp policy 2 lifetime 28800

Hope this helps!
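The layout described in the reply above (one crypto map, two sequence numbers, a separate interesting-traffic ACL per network, the map applied to the outbound interface, and every encrypted pair exempted from NAT) lends itself to a mechanical check before the change goes live. The script below is an added example, not code from the thread or from Cisco: it parses the subset of PIX syntax used in the post from a constructed sample config and reports any crypto map entry that lacks a match ACL, peer or transform set, that belongs to a map not applied to an interface, or whose source/destination pair is not covered by a `nat (interface) 0` exemption. Function names, the sample config and the finding messages are this example's own.

```python
"""Check a PIX-style config for the two-network VPN layout from the thread:
one crypto map with two sequence numbers, each matching its own ACL, applied to
the outbound interface, with every crypto ACL pair also exempted from NAT."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample config, modelled on the reply above (no real device).
SAMPLE_CONFIG = """\
access-list 130 permit ip 10.30.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list 120 permit ip 10.20.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list 130
nat (dmz) 0 access-list 120
crypto ipsec transform-set des3sha esp-3des esp-sha-hmac
crypto map intranet 2 ipsec-isakmp
crypto map intranet 2 match address 120
crypto map intranet 2 set peer 10.1.0.2
crypto map intranet 2 set transform-set des3sha
crypto map intranet 3 ipsec-isakmp
crypto map intranet 3 match address 130
crypto map intranet 3 set peer 10.1.0.2
crypto map intranet 3 set transform-set des3sha
crypto map intranet interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_config(text):
    """Pull out the pieces the checks need; everything else is ignored."""
    acls = defaultdict(list)     # ACL name -> [(src_net, dst_net), ...]
    nat0 = {}                    # interface -> ACL name used for nat 0
    entries = defaultdict(dict)  # (map name, seq) -> {"acl", "peer", "transform"}
    bound = {}                   # map name -> interface it is applied to
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            # PIX ACLs use dotted netmasks; ipaddress accepts "addr/netmask"
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}"),
                               ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := MAP_IF_RE.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := MAP_ENTRY_RE.match(line):
            name, seq, rest = m.groups()
            cfg = entries[(name, int(seq))]  # creates the entry on "ipsec-isakmp" lines
            for key, prefix in (("acl", "match address "), ("peer", "set peer "),
                                ("transform", "set transform-set ")):
                if rest.startswith(prefix):
                    cfg[key] = rest[len(prefix):].strip()
    return acls, nat0, entries, bound


def check_vpn_config(text):
    """Return a list of findings; an empty list means all checks passed."""
    acls, nat0, entries, bound = parse_config(text)
    findings = []
    exempt = []  # (src, dst) pairs excluded from translation on some interface
    for iface, acl in nat0.items():
        if acl not in acls:
            findings.append(f"nat ({iface}) 0 references undefined access-list {acl}")
        exempt.extend(acls.get(acl, []))
    for (name, seq), cfg in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        for field in ("acl", "peer", "transform"):
            if field not in cfg:
                findings.append(f"{tag}: no {field} configured")
        if name not in bound:
            findings.append(f"{tag}: map {name} is not applied to any interface")
        acl = cfg.get("acl")
        if acl is None:
            continue
        if acl not in acls:
            findings.append(f"{tag}: match address {acl} is not defined")
            continue
        # Each crypto ACL pair must sit inside some nat 0 pair, otherwise the
        # firewall translates the packets before the crypto map sees them.
        for src, dst in acls[acl]:
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append(f"{tag}: {src} -> {dst} is encrypted but not exempted by nat 0")
    return findings


if __name__ == "__main__":
    for line in check_vpn_config(SAMPLE_CONFIG) or ["OK: no findings"]:
        print(line)
```

Run it against a `show running-config` capture instead of the sample string; the sample passes cleanly, while dropping the `nat (dmz) 0` line reproduces the classic symptom of DMZ traffic being translated instead of encrypted, and dropping the `crypto map intranet interface outside` line flags both sequence numbers as belonging to an unapplied map.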
