Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
246
Views
0
Helpful
2
Replies

PIX to PIX VPN with DMZ (&other interface) access

okeblawi
Level 1
Level 1

‎04-09-2003 02:23 PM - edited ‎02-21-2020 12:28 PM

Hello,

I have a local PIX515e (OS 6.3) and a remote PIX 506e (OS 6.3) setup with a test "site to site" vpn config. The tunnel is working great, except for a few minor annoyances.

My question is this: -- How can I provide access to the 515e's other interfaces (DMZ, DMZ2..etc...) from the 506E's network through the VPN tunnel?

I would think it would be possible to achieve this through 'static routes'... For example...On the Remote 506e, add some static routes for DMZ traffic to go through the VPN tunnel to the inside interface of the 515E -- which would then forward it to the appropriate DMZ interface etc... ... but since you cant even ping the inside interfaces on the PIX's through VPN tunnels... this will not work. (maybe on purpose??)

I have also read a little about using Split-Tunneling for the VPN "Client" software.. but it doesn't seem to apply to 'site to site' config's.

Thanks for any help or pointers you could provide !

Mike

Labels:
0 Helpful
2 Replies 2

gfullage
Cisco Employee
Cisco Employee

‎04-09-2003 09:20 PM

On the 506 add additional lines in the crypto ACL that say "FROM the local network TO the remote DMZ networks"

On the 515 add similar lines but in the opposite direction: "FROM the DMZ networks TO the remote 506 network"

This will ensure that traffic to and from the DMZ networks is encrypted by the PIX.

Now, on the 515 you also have to make sure that this traffic isn't NAT'd, just like you have with your inside-to-inside traffic. So add the following:

> access-list dmzvpn permit ip

> nat (dmz) 0 access-list dmzvpn

> access-list dmz2vpn permit ip

> nat (dmz2) 0 access-list dmz2vpn

If you have additional DMZ interfaces, just add similar lines for those.

0 Helpful

okeblawi
Level 1
Level 1
In response to gfullage

‎04-10-2003 10:59 AM

Now, why couldn't I figure that out ?? :)

still having a little trouble with my DMZ2 interface... probably a NAT issue.. But DMZ interface is working great.

Thank you so much!

Mike

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents