Cisco Support Community
Community Member

pix to pix VPN access to dmz

Is there a way to make this work? I have a PIX at site A with a DMZ interface. I want site B to get to site A inside and DMZ resources. I've tried nat 0 allowing the extended network at B to get to the DMZ without NATing. That didn't work. I haven't tried static (outside, dmz) with the range of extended network addresses?

Community Member

Re: pix to pix VPN access to dmz

Considering that your LAN-to-LAN tunnel will end at the outside interface, the access list, nat (inside) and nat (dmz) will be where you concentrate on PIX A.

Let's say you have the following subnet for (inside):

and you have for the following for DMZ:

At the remote PIX you have

Your access list for nat (inside) on PIX A will be:

access-list 170 permit ip

Your access list for nat (dmz) will be:

access-list 177 permit ip

Your nat commands respectively:

nat (inside) 0 access-list 170

nat (dmz) 0 access-list 177

On PIX B you will have these access lists mirrored.

Once the tunnel is up, send traffic to these two subnets, then get the output of show crypto ipsec sa and look at the encrypts and decrypts. Also, the show access-list command will show you hits.

Hope this helps
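The two-ACL nat 0 arrangement described in the reply above, written out as a complete PIX 6.x configuration fragment. This is an added example, not the poster's configuration: the subnets (10.1.1.0/24 inside, 10.2.2.0/24 dmz, 10.3.3.0/24 at site B), the peer addresses 203.0.113.1/.2, the ACL name vpn_to_b and the crypto map name l2l are all constructed placeholders. It also shows the part the reply leaves implicit: the crypto ACL on PIX A must list both the inside and the dmz subnet, otherwise dmz traffic is exempted from NAT but never selected for encryption.

```cisco
: PIX A (site A), PIX 6.x syntax. Constructed sample addressing:
:   inside 10.1.1.0/24, dmz 10.2.2.0/24, site B LAN 10.3.3.0/24,
:   PIX B outside 203.0.113.2 (all placeholders)
:
: nat 0 ACLs: one per interface, exempt inside->B and dmz->B from NAT
access-list 170 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list 177 permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list 170
nat (dmz) 0 access-list 177
:
: Crypto ACL must cover BOTH subnets; a dmz flow that is not matched
: here is exempted from NAT but never encrypted, so it leaves in clear
: text (or is dropped) and the tunnel "does not work" for the dmz
access-list vpn_to_b permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list vpn_to_b permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
:
: Let decrypted tunnel traffic bypass the outside interface ACL
sysopt connection permit-ipsec
:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map l2l 10 ipsec-isakmp
crypto map l2l 10 match address vpn_to_b
crypto map l2l 10 set peer 203.0.113.2
crypto map l2l 10 set transform-set ESP-3DES-SHA
crypto map l2l interface outside
isakmp enable outside
isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
:
: ---- PIX B (site B): mirror image, single inside interface ----
: (PIX A outside is 203.0.113.1, placeholder; same transform-set,
:  isakmp policy and sysopt lines as on PIX A are assumed)
access-list 170 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 170 permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list 170
crypto map l2l 10 ipsec-isakmp
crypto map l2l 10 match address 170
crypto map l2l 10 set peer 203.0.113.1
crypto map l2l 10 set transform-set ESP-3DES-SHA
crypto map l2l interface outside
:
: Verification after sending traffic to both subnets:
:   show crypto ipsec sa   (one SA pair per crypto ACL line; pkts encrypt/decrypt counters rise)
:   show access-list       (hitcnt increments on 170, 177 and both vpn_to_b entries)
```

If only one SA pair appears in show crypto ipsec sa, the missing subnet is absent from the crypto ACL on one side or the mirrored entries do not match exactly.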

Community Member

Re: pix to pix VPN access to dmz

Thanks much
