04-09-2003 02:23 PM - edited 02-21-2020 12:28 PM
Hello,
I have a local PIX515e (OS 6.3) and a remote PIX 506e (OS 6.3) setup with a test "site to site" vpn config. The tunnel is working great, except for a few minor annoyances.
My question is this: -- How can I provide access to the 515e's other interfaces (DMZ, DMZ2..etc...) from the 506E's network through the VPN tunnel?
I would think it would be possible to achieve this through 'static routes'... For example, on the remote 506e, add some static routes for DMZ traffic to go through the VPN tunnel to the inside interface of the 515e, which would then forward it to the appropriate DMZ interface, etc. But since you can't even ping the inside interfaces on the PIXes through VPN tunnels, this will not work. (Maybe on purpose??)
I have also read a little about using split tunneling for the VPN "client" software, but it doesn't seem to apply to 'site to site' configs.
Thanks for any help or pointers you could provide !
Mike
04-09-2003 09:20 PM
On the 506 add additional lines in the crypto ACL that say "FROM the local network TO the remote DMZ networks"
On the 515 add similar lines but in the opposite direction: "FROM the DMZ networks TO the remote 506 network"
This will ensure that traffic to and from the DMZ networks is encrypted by the PIX.
Now, on the 515 you also have to make sure that this traffic isn't NAT'd, just like you have with your inside-to-inside traffic. So add the following:
> access-list dmzvpn permit ip <dmz-network> <dmz-mask> <remote-506-network> <remote-mask>
> nat (dmz) 0 access-list dmzvpn
> access-list dmz2vpn permit ip <dmz2-network> <dmz2-mask> <remote-506-network> <remote-mask>
> nat (dmz2) 0 access-list dmz2vpn
If you have additional DMZ interfaces, just add similar lines for those.
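A complete PIX 6.3 configuration for both ends, written as an added illustration of the answer above (it is not the poster's configuration and not taken from the thread). All addresses are made up for the example: 515e inside 10.1.0.0/24, dmz 10.1.10.0/24, dmz2 10.1.20.0/24, outside peer 203.0.113.1; 506e inside 192.168.1.0/24, outside peer 198.51.100.1. The ACL and crypto map names, the transform set and the pre-shared key placeholder are also assumptions. Lines starting with `!` are annotations for the reader, not commands to paste.

```cisco
! ===== PIX 515e (hub side), example values only =====
! Crypto ACL: one entry per local network that must be reachable from the 506e.
! Each entry must have an exact mirror image on the 506e or Phase 2 fails.
access-list vpn515 permit ip 10.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn515 permit ip 10.1.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn515 permit ip 10.1.20.0 255.255.255.0 192.168.1.0 255.255.255.0
! NAT exemption is per interface: the ACL source must be that interface's own
! network, and nat (<interface>) 0 must name the matching ACL.
access-list nonat-inside permit ip 10.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat-inside
access-list dmzvpn permit ip 10.1.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list dmzvpn
access-list dmz2vpn permit ip 10.1.20.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz2) 0 access-list dmz2vpn
! IKE Phase 1 and IPsec Phase 2 for the single peer.
isakmp enable outside
isakmp key REPLACE-WITH-PRESHARED-KEY address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map tosite 10 ipsec-isakmp
crypto map tosite 10 match address vpn515
crypto map tosite 10 set peer 198.51.100.1
crypto map tosite 10 set transform-set strong
crypto map tosite interface outside
! Lets decrypted traffic bypass the outside interface ACL (see note below).
sysopt connection permit-ipsec

! ===== PIX 506e (remote side), example values only =====
! Mirror of the hub's crypto ACL: same three pairs with source and destination swapped.
access-list vpn506 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list vpn506 permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list vpn506 permit ip 192.168.1.0 255.255.255.0 10.1.20.0 255.255.255.0
! The 506e has one inside network, so the same ACL doubles as its NAT exemption.
nat (inside) 0 access-list vpn506
isakmp enable outside
isakmp key REPLACE-WITH-PRESHARED-KEY address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map tohub 10 ipsec-isakmp
crypto map tohub 10 match address vpn506
crypto map tohub 10 set peer 203.0.113.1
crypto map tohub 10 set transform-set strong
crypto map tohub interface outside
sysopt connection permit-ipsec
```

Two checks worth doing after applying something like this. First, `show crypto ipsec sa` on either box should list one security association per crypto ACL line (three here); a missing pair means the two crypto ACLs are not mirror images. Second, if one DMZ works and another does not, compare `show nat` and the `nat (<interface>) 0` ACLs: the exemption only takes effect when the ACL's source network belongs to the interface it is bound to, which is a common reason a second DMZ keeps getting translated. Note that `sysopt connection permit-ipsec` exempts decrypted traffic from the outside interface's ACL, so the crypto ACL becomes the only thing limiting what the remote site can reach; keep it to the specific networks that need the access, and if you want per-service filtering inside the tunnel, omit the sysopt line and permit the traffic explicitly in the outside ACL instead.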
04-10-2003 10:59 AM
Now, why couldn't I figure that out? :)
Still having a little trouble with my DMZ2 interface... probably a NAT issue. But the DMZ interface is working great.
Thank you so much!
Mike