I'm getting ready to shut down an MPLS circuit and cut over to a site-to-site VPN. The tunnel will be between two PIXs running 6.3.x. Once I disable sysopt connection permit-ipsec on both firewalls and modify the incoming access-list, users from Site A can access all the segments at Site B and vice versa. The issue that I can see happening is with one of the segments at Site B that is a DMZ.
How can I set up 'one way' access to the DMZ so that LAN segments can initiate connections to the DMZ, but hosts in the DMZ cannot initiate connections into the LAN over the site-to-site VPN? Would I do it with an access list on the DMZ interface?
So this would still allow hosts at Site A to initiate connections with hosts in the DMZ at Site B over the VPN tunnel, and traffic would be able to flow, but at the same time hosts in the DMZ would not be able to initiate connections with the LAN at Site A?
The reason I ask is because I think I tried this and it caused no traffic to be allowed at all, but I could be mistaken.
I removed the sysopt connection permit-ipsec and set the ACLs to allow VPN traffic. The VPN works fine, but hosts in the DMZ could initiate connections to the remote LAN over the VPN. I entered the deny statement for the DMZ interface:
! block connections initiated from the DMZ toward the remote LAN
access-list dmz deny ip any 18.104.22.168 255.255.255.0
! allow everything else the DMZ initiates
access-list dmz permit ip any any
! bind the ACL to traffic arriving on the dmz interface (access-group, not access-list)
access-group dmz in interface dmz
Once I did that, no traffic could flow to or from the DMZ. What am I missing?
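A constructed Site B PIX 6.3 fragment, added here as an example and not the poster's configuration, showing how the outside ACL, the no-NAT and crypto ACLs, and a DMZ interface ACL fit together for one-way LAN-to-DMZ access over the tunnel. All addresses are placeholders: Site A LAN 10.1.1.0/24, Site B LAN 10.2.1.0/24, Site B DMZ 192.168.50.0/24, Site A peer 203.0.113.1.

```cisco
! Site B PIX 6.3 - constructed example, placeholder addresses throughout.
!
! 1. Interesting traffic for the tunnel. The DMZ entry must stay here:
!    replies from DMZ hosts to Site A still have to be encrypted, and the
!    crypto ACL is a separate decision from the interface ACL below.
access-list vpn_siteA permit ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpn_siteA permit ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
!
! 2. Do not translate traffic that rides the tunnel.
access-list nonat permit ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat
!
! 3. With "no sysopt connection permit-ipsec", decrypted packets are checked
!    against the outside ACL, so only Site A's LAN is let in; nothing else
!    from the Internet is permitted by this list.
access-list outside_in permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list outside_in permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-group outside_in in interface outside
!
! 4. One-way DMZ. The dmz ACL is consulted only for the first packet of a
!    connection a DMZ host starts. Deny DMZ -> Site A LAN (and DMZ -> local
!    LAN, same mechanism), then permit the rest. Replies to LAN-initiated
!    sessions are matched by the connection table, so LAN -> DMZ keeps working.
access-list dmz_in deny ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz_in deny ip 192.168.50.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list dmz_in permit ip 192.168.50.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! 5. Crypto map tying the interesting-traffic ACL to the Site A peer
!    (ISAKMP policy and pre-shared key omitted; the VPN already works).
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map siteA 10 ipsec-isakmp
crypto map siteA 10 match address vpn_siteA
crypto map siteA 10 set peer 203.0.113.1
crypto map siteA 10 set transform-set strong
crypto map siteA interface outside
```

To verify, "show access-list dmz_in" should show hit counts climbing on the deny lines when a DMZ host tries to reach 10.1.1.0/24, while "show conn" still lists sessions that Site A hosts opened to the DMZ.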