229 Views, 0 Helpful, 2 Replies

pix to pix VPN access to dmz

whanson
Level 2

Is there a way to make this work? I have a PIX at site A with a DMZ interface. I want site B to get to site A inside and DMZ resources. I've tried nat 0 allowing the extended network at B to get to the DMZ without NATting. That didn't work. I haven't tried static (outside, dmz) with the range of extended network addresses?

2 Replies

artherrera
Level 1

Considering that your LAN-to-LAN tunnel will end at the outside interface, the access list, nat (inside) and nat (dmz) will be where you concentrate on PIX A.

Let's say you have the following subnet for (inside):

192.168.2.0/24

and you have the following for the DMZ:

192.168.7.0/24

At the remote PIX you have 10.0.0.0/16.

Your access list for nat (inside) on PIX A will be:

access-list 170 permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.0.0

Your access list for nat (dmz) will be:

access-list 177 permit ip 192.168.7.0 255.255.255.0 10.0.0.0 255.255.0.0

Your nat commands, respectively:

nat (inside) 0 access-list 170

nat (dmz) 0 access-list 177

On PIX B you will have these access lists mirrored.

Once the tunnel is up, send traffic to these two subnets, then get the output of show crypto ipsec sa and look at the encrypts and decrypts. Also, the show access-list command will show you hits.

Hope this helps.

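The reply above lists only the nat 0 exemption lines. As an added example (not part of the original thread), here is the corresponding LAN-to-LAN configuration for both PIXes in PIX 6.x syntax, using the three subnets from the reply. The crypto map name, transform-set names, ACL names and numbers, the placeholder peer addresses (PIX_A_OUTSIDE_IP, PIX_B_OUTSIDE_IP) and the pre-shared key are assumptions made up for this example; the algorithm choices are the PIX-era defaults and would be replaced by whatever the platform supports. The point the reply implies but does not spell out is that the crypto ACL (the one referenced by match address) must also list the DMZ subnet: nat 0 only keeps the DMZ addresses from being translated, while the crypto ACL decides which traffic the tunnel carries at all.

```cisco
! PIX A (site A): inside 192.168.2.0/24, dmz 192.168.7.0/24, remote site B 10.0.0.0/16
! NAT exemption for the tunnel traffic, one ACL per internal interface
access-list 170 permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list 177 permit ip 192.168.7.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list 170
nat (dmz) 0 access-list 177
! Crypto ACL: the tunnel only carries what this list matches, so the DMZ
! subnet has to appear here as well, not just in the nat 0 ACLs
access-list vpn_to_siteB permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list vpn_to_siteB permit ip 192.168.7.0 255.255.255.0 10.0.0.0 255.255.0.0
! Let decrypted tunnel traffic bypass the outside interface access list
sysopt connection permit-ipsec
crypto ipsec transform-set SITEB-TS esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_to_siteB
crypto map outside_map 10 set peer PIX_B_OUTSIDE_IP
crypto map outside_map 10 set transform-set SITEB-TS
crypto map outside_map interface outside
isakmp enable outside
isakmp key PRESHARED_KEY_PLACEHOLDER address PIX_B_OUTSIDE_IP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! PIX B (site B): inside 10.0.0.0/16; everything is the mirror image of PIX A,
! and again both site A subnets appear in the nat 0 ACL and in the crypto ACL
access-list 180 permit ip 10.0.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 180 permit ip 10.0.0.0 255.255.0.0 192.168.7.0 255.255.255.0
nat (inside) 0 access-list 180
access-list vpn_to_siteA permit ip 10.0.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list vpn_to_siteA permit ip 10.0.0.0 255.255.0.0 192.168.7.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set SITEA-TS esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_to_siteA
crypto map outside_map 10 set peer PIX_A_OUTSIDE_IP
crypto map outside_map 10 set transform-set SITEA-TS
crypto map outside_map interface outside
isakmp enable outside
isakmp key PRESHARED_KEY_PLACEHOLDER address PIX_A_OUTSIDE_IP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

With both sides configured this way, show crypto ipsec sa on PIX A should list two separate IPsec SA pairs (one per crypto ACL line, i.e. one for inside-to-10.0.0.0/16 and one for dmz-to-10.0.0.0/16); if only the inside pair shows encrypts and decrypts, the DMZ line is missing from one side's crypto ACL or the two sides' ACLs are not exact mirrors. The hit counters from show access-list on ACLs 170 and 177 confirm that the nat 0 exemption is matching the DMZ traffic.
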
Thanks much