07-25-2003 09:31 AM - edited 02-21-2020 12:41 PM
Is there a way to make this work? I have a PIX at site A with a DMZ interface. I want site B to get to site A's inside and DMZ resources. I've tried nat 0, allowing the extended network at B to get to the DMZ without NATting. That didn't work. I haven't tried static (outside,dmz) with the range of extended network addresses. Would that work?
07-27-2003 02:13 PM
Since your LAN-to-LAN tunnel terminates on the outside interface, the access lists, nat (inside) and nat (dmz) are where you need to concentrate on PIX A.
Let's say you have the following subnet for inside:
192.168.2.0/24
and the following for the DMZ:
192.168.7.0/24
At the remote PIX you have 10.0.0.0/16.
Your access list for nat (inside) on PIX A will be:
access-list 170 permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.0.0
Your access list for nat (dmz) will be:
access-list 177 permit ip 192.168.7.0 255.255.255.0 10.0.0.0 255.255.0.0
Your nat commands, respectively:
nat (inside) 0 access-list 170
nat (dmz) 0 access-list 177
On PIX B you will have these access lists mirrored.
Once the tunnel is up, send traffic to these two subnets, then get the output of show crypto ipsec sa and look at the encrypts and decrypts. The show access-list command will also show you hits.
Hope this helps.
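Putting the answer above into a checkable form, as an added example that is not part of the original thread and not a Cisco tool: the Python below builds the nat 0 access lists for PIX A from the subnets given, derives the mirrored entries PIX B needs, and checks that the two sides are exact mirror images of each other. The subnets and the PIX A ACL numbers (170, 177) are the thread's; using ACL number 170 on PIX B and a single inside interface on PIX B are assumptions made for the example.

```python
"""
Build PIX A's nat 0 access lists from the subnets in this thread, derive the
mirrored lines PIX B needs, and verify both sides mirror each other.
Added example for this thread; not the poster's config and not Cisco code.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip' line of a PIX access list, src/dst as networks."""
    acl_id: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def to_pix(self) -> str:
        # PIX 6.x syntax writes dotted subnet masks, not /prefix lengths.
        return (f"access-list {self.acl_id} permit ip "
                f"{self.src.network_address} {self.src.netmask} "
                f"{self.dst.network_address} {self.dst.netmask}")

    def mirrored(self, acl_id: str) -> AclEntry:
        # The far end describes the same flow with src and dst swapped.
        return AclEntry(acl_id, self.dst, self.src)


def parse_pix_acl(line: str) -> AclEntry:
    """Parse 'access-list <id> permit ip <src> <mask> <dst> <mask>'."""
    p = line.split()
    if len(p) != 8 or p[0] != "access-list" or p[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return AclEntry(p[1],
                    ipaddress.IPv4Network((p[4], p[5])),
                    ipaddress.IPv4Network((p[6], p[7])))


# Subnets exactly as given in the thread.
PIX_A_INSIDE = ipaddress.IPv4Network("192.168.2.0/24")
PIX_A_DMZ = ipaddress.IPv4Network("192.168.7.0/24")
PIX_B_LAN = ipaddress.IPv4Network("10.0.0.0/16")


def pix_a_nat0_config() -> list[str]:
    """PIX A: one nat 0 ACL per local interface, each exempting that
    interface's subnet toward the remote LAN (ACL numbers from the thread)."""
    per_iface = [("inside", AclEntry("170", PIX_A_INSIDE, PIX_B_LAN)),
                 ("dmz", AclEntry("177", PIX_A_DMZ, PIX_B_LAN))]
    lines = []
    for iface, entry in per_iface:
        lines.append(entry.to_pix())
        lines.append(f"nat ({iface}) 0 access-list {entry.acl_id}")
    return lines


def _entries(lines: list[str]) -> list[AclEntry]:
    return [parse_pix_acl(l) for l in lines if l.startswith("access-list")]


def pix_b_mirror_config(pix_a_lines: list[str], acl_id: str = "170") -> list[str]:
    """PIX B: mirror every PIX A entry (swap src/dst). Assumption for this
    example: PIX B reaches both remote subnets from one inside interface, so
    the mirrored entries share a single nat 0 ACL; its number is arbitrary."""
    lines = [e.mirrored(acl_id).to_pix() for e in _entries(pix_a_lines)]
    lines.append(f"nat (inside) 0 access-list {acl_id}")
    return lines


def unmirrored_entries(side_a: list[str], side_b: list[str]) -> list[str]:
    """Return the ACL lines on either side whose mirror image is missing on
    the other. An empty list means the two PIXes agree on the protected
    traffic; anything returned is the kind of mismatch that shows up as
    uneven encrypt/decrypt counters in 'show crypto ipsec sa'."""
    a_flows = {(e.src, e.dst) for e in _entries(side_a)}
    b_flows = {(e.src, e.dst) for e in _entries(side_b)}
    bad = [e.to_pix() for e in _entries(side_a) if (e.dst, e.src) not in b_flows]
    bad += [e.to_pix() for e in _entries(side_b) if (e.dst, e.src) not in a_flows]
    return bad


if __name__ == "__main__":
    a = pix_a_nat0_config()
    b = pix_b_mirror_config(a)
    print("\n".join(["! PIX A"] + a + ["! PIX B"] + b))
    # Constructed mistake: PIX B mirrors only the inside subnet, with a /24.
    wrong_b = ["access-list 170 permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0",
               "nat (inside) 0 access-list 170"]
    print("unmirrored:", unmirrored_entries(a, wrong_b))
```

The same mirroring requirement applies to the crypto map match ACL on each PIX: the nat 0 lists decide what is exempt from translation, the crypto ACL decides what is encrypted, and both must describe the same flows from each side's point of view, otherwise the reply traffic gets translated or falls outside the tunnel.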
07-28-2003 03:55 AM
Thanks much.