Cisco Support Community
New Member

Pix Site-to-Site VPN. Remote site DMZ access.

Currently we have a remote 501 PIX that connects via a site-to-site VPN to a central 515E. The central site can see the single private subnet at the remote location just fine. The remote location can see 3 private subnets on the inside interface just fine, while we block its access to a 4th.

We have just recently put a new appliance in one of our DMZs that the remote site will need to access directly by its private IP address (and at a port that isn't open to the public).

I think I can see how to let the remote site have full access to the DMZ, but it would also involve the DMZ having full access to the remote site, something that would violate our security framework.

Just so you can picture this, the remote site might be 10.2.1.0/24

The internal central site is 10.1.1.0/24 and 10.1.2.0/24.

The DMZ2 is 10.1.6.0/25 and the DMZ host is 10.1.6.6. Inside clients can access 10.1.6.6 just fine, but we also need remote clients on the other end of the VPN to be able to do it.

1 REPLY
New Member

Re: Pix Site-to-Site VPN. Remote site DMZ access.

The only way that this allows the DMZ to have full access to the remote site is if you are using "sysopt connection permit-ipsec". If you disable this and use access-lists (on either side, but probably easier if you do this on the remote side), then you will be fine.
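As an added illustration of the approach in this reply (not configuration from the thread), here is what the central 515E side could look like in PIX 6.x syntax, using the subnets from the question. Interface names (outside, inside, dmz2), the access-list names and the service port 8443 are assumptions; replace them with the real ones.

```cisco
! Added example, not from the original thread. PIX 6.x syntax assumed.
! Assumed: interfaces outside/inside/dmz2, ACL names below, port 8443
! as a placeholder for the appliance's private service port.

! 1. Stop decrypted VPN traffic from bypassing the interface ACLs.
no sysopt connection permit-ipsec

! 2. Interesting traffic for the tunnel: keep the existing inside
!    entries and add only the single DMZ host, not the whole DMZ.
access-list to_remote permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list to_remote permit ip 10.1.2.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list to_remote permit ip host 10.1.6.6 10.2.1.0 255.255.255.0

! 3. NAT exemption for the same flows, per interface.
access-list inside_nonat permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list inside_nonat permit ip 10.1.2.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (inside) 0 access-list inside_nonat
access-list dmz2_nonat permit ip host 10.1.6.6 10.2.1.0 255.255.255.0
nat (dmz2) 0 access-list dmz2_nonat

! 4. With sysopt off, decrypted packets are filtered by the outside ACL.
!    Remote clients reach the DMZ host on one port only; the inside
!    subnets they already use must now be listed explicitly as well.
access-list outside_in permit tcp 10.2.1.0 255.255.255.0 host 10.1.6.6 eq 8443
access-list outside_in permit ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_in permit ip 10.2.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-group outside_in in interface outside

! 5. Replies from 10.1.6.6 are matched statefully, so nothing more is
!    needed for them. Stop the DMZ from initiating toward the remote
!    site on its own interface ACL; the deny goes before existing permits.
access-list dmz2_in deny ip 10.1.6.0 255.255.255.128 10.2.1.0 255.255.255.0
access-list dmz2_in permit ip 10.1.6.0 255.255.255.128 any
access-group dmz2_in in interface dmz2

! Verify: hit counts on the new lines, and one SA pair per subnet pair.
show access-list outside_in
show crypto ipsec sa
```

Once "sysopt connection permit-ipsec" is off, every VPN flow that used to work implicitly must appear in the outside ACL, so compare the outside_in entries against the current crypto ACL before committing the change.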
