New Member

VPN on DMZ

Can a VPN be terminated on a DMZ if the address on that particular DMZ is legal and registered?

The connection works on the outside interface; however, when I tried moving it to a DMZ it didn't work, even though the DMZ's IP is registered and I configured the PIX as follows:

crypto map mymap interface dmz

isakmp enable dmz

isakmp client configuration address-pool local ipsecpool dmz

Thanks in advance.

2 REPLIES
New Member

Re: VPN on DMZ

You can terminate a VPN on any interface. You can even apply crypto maps to every interface independently. Also note, the name 'dmz' is just a tag. You could rename the interface to 'VPN'.

I suspect your problem is with Routing.

If you are tunneling private addresses, you will need to add a route for the remote LAN through the DMZ interface. You generally do not need this route when the crypto-map is applied to the outside interface because the remote LAN would be included in the default route statement (0.0.0.0).

For example: If you were to apply the crypto-map to the outside interface, but only configure a specific route for the peer network's public IP address, the connection would fail. You would have to add a route for the peer network's internal addressing as well.
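
The routing point in the reply above, as an added example that is not part of the original thread: a simplified longest-prefix-match model of which interface traffic for the remote LAN leaves on, compared with the interface the crypto map is bound to. All addresses, table names and function names are constructed for illustration, and the model ignores NAT and access lists.

```python
import ipaddress

def table(*entries):
    """Build a routing table as (network, interface) pairs."""
    return [(ipaddress.ip_network(net), ifc) for net, ifc in entries]

def egress(routes, dst):
    """Longest-prefix match: interface a packet to dst leaves on, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, ifc) for net, ifc in routes if addr in net]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def tunnel_verdict(routes, crypto_if, remote_host):
    """What happens to traffic for the remote LAN, given the crypto map interface."""
    ifc = egress(routes, remote_host)
    if ifc is None:
        return "dropped: no route to remote LAN"
    if ifc != crypto_if:
        return f"not encrypted: leaves via {ifc}, crypto map is on {crypto_if}"
    return f"encrypted: leaves via {crypto_if}"

# Constructed sample values (private and documentation ranges).
REMOTE_HOST = "10.20.0.5"      # a host on the remote (tunneled) LAN
PEER = "203.0.113.10/32"       # the peer's public address

# Crypto map on dmz, but the remote LAN only matches the default route.
DMZ_DEFAULT_ONLY = table(("0.0.0.0/0", "outside"), ("198.51.100.0/24", "dmz"))
# Same, plus a route for the remote LAN through the dmz interface.
DMZ_WITH_ROUTE = DMZ_DEFAULT_ONLY + table(("10.20.0.0/24", "dmz"))
# Crypto map on outside with only a host route to the peer's public IP.
OUTSIDE_PEER_ONLY = table((PEER, "outside"))
# Crypto map on outside with the usual default route.
OUTSIDE_DEFAULT = table(("0.0.0.0/0", "outside"))

if __name__ == "__main__":
    cases = [
        ("dmz, default route only", DMZ_DEFAULT_ONLY, "dmz"),
        ("dmz, remote LAN routed via dmz", DMZ_WITH_ROUTE, "dmz"),
        ("outside, peer host route only", OUTSIDE_PEER_ONLY, "outside"),
        ("outside, default route", OUTSIDE_DEFAULT, "outside"),
    ]
    for name, routes, crypto_if in cases:
        print(f"{name}: {tunnel_verdict(routes, crypto_if, REMOTE_HOST)}")
```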

New Member

Re: VPN on DMZ

Thanks Brad, I'll check my routing and let you know the outcome.
