Currently we have a remote 501 PIX that connects via a site-to-site VPN to a central 515E. The central site can see the single private subnet at the remote location just fine. The remote location can see 3 private subnets on the inside interface just fine, while we block its access to a 4th.
We have just recently put a new appliance in one of our DMZs that the remote site will need to access directly by its private IP address (and at a port that isn't open to the public).
I think I can see how to let the remote site have full access to the DMZ, but it would also involve the DMZ having full access to the remote site, something that would violate our security framework.
Just so you can picture this, the remote site might be 10.2.1.0/24
The internal central site is 10.1.1.0/24 and 10.1.2.0/24.
The DMZ2 is 10.1.6.0/25 and the dmz host is 10.1.6.6. Inside clients can access 10.1.6.6 just fine, but we also need remote clients on the other end of the VPN to be able to do it.
The only way that this allows the DMZ to have full access to the remote site is if you are using "sysopt connection permit-ipsec" if you disable this and use access-lists (on either side - but probably easier if you do this on the remote side) then you will be fine.
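As an added example (not the poster's or the answerer's configuration), here is what the answer describes, done on the central 515E in PIX 6.x syntax. The interface name dmz2, the ACL and crypto map names, the peer address 203.0.113.10 and the service port 8443 are assumed placeholders; the subnets are the ones from the question.

```cisco
! Central 515E, PIX 6.x syntax (assumed). Comment lines are explanatory only.
!
! 1. Stop decrypted VPN traffic from bypassing the interface ACLs.
no sysopt connection permit-ipsec
!
! 2. Interesting traffic for the tunnel: the two inside subnets plus only
!    the DMZ host, so the remote site can reach 10.1.6.6 through the VPN.
access-list VPN_TRAFFIC permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list VPN_TRAFFIC permit ip 10.1.2.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list VPN_TRAFFIC permit ip host 10.1.6.6 10.2.1.0 255.255.255.0
crypto map CENTRAL_MAP 10 match address VPN_TRAFFIC
! 203.0.113.10 is a placeholder for the remote 501's public address
crypto map CENTRAL_MAP 10 set peer 203.0.113.10
!
! 3. Exempt the same flows from NAT on the inside and the DMZ interface.
nat (inside) 0 access-list VPN_TRAFFIC
nat (dmz2) 0 access-list VPN_TRAFFIC
!
! 4. Inbound ACL on outside: with permit-ipsec off, decrypted packets are
!    checked here. Allow the remote LAN to the inside subnets as before and
!    to the DMZ host only on the one service port (8443 is a placeholder).
access-list OUTSIDE_IN permit ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list OUTSIDE_IN permit ip 10.2.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list OUTSIDE_IN permit tcp 10.2.1.0 255.255.255.0 host 10.1.6.6 eq 8443
access-group OUTSIDE_IN in interface outside
!
! 5. Inbound ACL on the DMZ interface: the DMZ may not open sessions toward
!    the remote site. Replies to sessions the remote site opened still flow,
!    because the PIX tracks those connections statefully. Keep the existing
!    DMZ2 permit rules after this deny; an ACL ending here would block all.
access-list DMZ2_IN deny ip 10.1.6.0 255.255.255.128 10.2.1.0 255.255.255.0
access-group DMZ2_IN in interface dmz2
```

The remote 501's interesting-traffic and NAT-exempt ACLs need a mirrored entry for 10.1.6.6, otherwise its packets to the DMZ host never enter the tunnel. Check the result with `show crypto ipsec sa` (the 10.2.1.0/24 to 10.1.6.6 SA should appear) and `show access-list` hit counts on OUTSIDE_IN and DMZ2_IN.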