Cisco Support Community
Community Member

Site to site VPN DMZ access control

I'm getting ready to shut down an MPLS circuit and cut over to a site-to-site VPN. The tunnel will be between two PIXs running 6.3.x. Once I disable sysopt connection permit-ipsec on both firewalls and modify the incoming access-list, users from Site A can access all the segments at Site B and vice versa. The issue that I can see happening is with one of the segments at Site B that is a DMZ.

How can I set up "one way" access to the DMZ so that LAN segments can initiate connections to the DMZ but hosts in the DMZ cannot initiate connections into the LAN over the site-to-site VPN? Would I do it with an access list on the DMZ interface?

-Colin

4 REPLIES
Green

Re: Site to site VPN DMZ access control

There would be several ways to accomplish this. Just create an access list on the dmz you want to restrict denying the access to the remote networks.

access-list dmz deny ip any

access-list dmz deny ip any

access-list dmz permit ip any any

access-group dmz in interface dmz

Community Member

Re: Site to site VPN DMZ access control

Acomiskey

So this would still allow hosts at Site A to initiate connections with hosts in the DMZ at Site B over the VPN tunnel and traffic would be able to flow, but at the same time hosts in the DMZ would not be able to initiate connections with the LAN at Site A?

The reason I ask is because I think I tried this and it caused no traffic to be allowed at all but I could be mistaken.

Thanks

Colin

Green

Re: Site to site VPN DMZ access control

Colin,

That is correct. It's no different than any other access list. As long as you allow it in the outside access list you will be good to go.
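As an added illustration of this answer (not part of the original thread), here is how the ACLs on the Site B PIX 6.3 could be laid out so that Site A can open connections to the DMZ while the DMZ cannot open connections back. The interface names, the Site B LAN (10.2.0.0/24), the DMZ (192.168.2.0/24) and the crypto map name are assumed; 1.1.1.0/24 is the remote Site A network used later in this thread.

```cisco
! Site B PIX 6.3 - interface names assumed for this example
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
!
! With this disabled, decrypted VPN traffic is checked against the
! outside interface ACL like any other inbound traffic.
no sysopt connection permit-ipsec
!
! Outside ACL: decrypted traffic arriving from Site A (1.1.1.0/24).
! Site A may reach the Site B LAN and the DMZ; anything else inbound
! is dropped by the implicit deny at the end of the list.
access-list outside_in permit ip 1.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside_in permit ip 1.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group outside_in in interface outside
!
! DMZ ACL: block connections the DMZ tries to open toward Site A and
! toward the local LAN, but leave everything else (e.g. Internet-bound) alone.
! Replies to connections opened from Site A are matched in the stateful
! connection table, so they never reach this list.
access-list dmz_in deny ip 192.168.2.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list dmz_in deny ip 192.168.2.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list dmz_in permit ip 192.168.2.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! Tunnel traffic must not be translated (nat 0) and must be covered by the
! crypto map's interesting-traffic list, including DMZ <-> Site A, so that
! the return packets of Site A -> DMZ sessions are encrypted.
access-list nonat_inside permit ip 10.2.0.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list nonat_dmz permit ip 192.168.2.0 255.255.255.0 1.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
nat (dmz) 0 access-list nonat_dmz
!
access-list vpn_to_siteA permit ip 10.2.0.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list vpn_to_siteA permit ip 192.168.2.0 255.255.255.0 1.1.1.0 255.255.255.0
crypto map siteA 10 match address vpn_to_siteA
```

The DMZ deny lines only stop new connections originating in the DMZ; the outside ACL is what lets Site A open connections to the DMZ in the first place, which is the point made above.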

Community Member

Re: Site to site VPN DMZ access control

I removed the sysopt connection permit-ipsec and set the ACLs to allow VPN traffic. The VPN works fine but hosts in the DMZ could initiate connections to the remote LAN over the VPN. I entered the deny statement for the DMZ interface:

access-list dmz deny ip any 1.1.1.0 255.255.255.0

access-list dmz permit ip any any

access-group dmz in interface dmz

Once I did that, no traffic could flow to or from the DMZ. What am I missing?

Thanks

Colin
