Set up site-to-site tunnel to terminate on DMZ interface
I'm looking for a way to secure traffic between hosts on our inside network and hosts on the other end of a site-to-site tunnel. I want to be able to apply an access list on the DMZ interface to filter traffic from the remote site before it hits my inside network.

I've considered using NAT to translate a private IP address of a DMZ interface to a public IP to be used by the remote peer, but that seems to be a dead end. So I'm thinking about using the DMZ interface to present to the remote side as the network they'll be communicating with, but I am not clear on how to push traffic through the DMZ interface in both directions.

Would I have to provide the remote side with new IP addresses (addresses belonging to the DMZ network) to contact, instead of the addresses they currently contact, which are on the inside network?

Or could I remove the no-NAT configuration currently in place for hosts on the inside (which I would do as a necessary step even if presenting the remote end with new DMZ addresses), replace it with a no-NAT configuration that applies to traffic sourced from the DMZ interface and destined for the remote side of the tunnel, and include a NAT statement on the DMZ interface that NATs those inside hosts to themselves, to save me the pain of getting the remote end to use a whole new set of addresses? I'm familiar with performing that sort of NAT on a host with an ASA running 8.4, but am not sure how to do it for an entire network. For example:
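The following is an added example written by the editor, not the author's configuration. It shows how the ASA 8.4 NAT exemption the post refers to is written for a whole subnet rather than a single host (same command form, with a subnet object in place of a host object), and, as the caveat a practitioner would raise, how decrypted tunnel traffic is normally filtered before it reaches the inside network: a vpn-filter on the tunnel's group-policy, or `no sysopt connection permit-vpn` so the outside interface ACL applies. Object names, the networks 10.1.1.0/24 (inside) and 10.2.2.0/24 (remote), the host addresses and the peer address 203.0.113.2 are all assumptions.

```cisco
! Added example, not from the original post. All names and addresses are assumptions:
! 10.1.1.0/24 is the local inside network, 10.2.2.0/24 the remote site,
! 203.0.113.2 the remote IKE peer.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-NET
 subnet 10.2.2.0 255.255.255.0

! 8.4-style NAT exemption (identity twice NAT) for the entire inside subnet
! toward the remote subnet. It is the same statement used for a single host,
! with a subnet object instead of a host object. Line 1 puts it ahead of any
! dynamic PAT rule so it is matched first.
nat (inside,outside) 1 source static INSIDE-NET INSIDE-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup

! Interesting traffic for the tunnel, built from the same objects so the
! crypto ACL and the NAT exemption cannot drift apart.
access-list SITE-B-VPN extended permit ip object INSIDE-NET object REMOTE-NET

! Filtering what the remote site may reach, applied to the tunnel itself.
! A vpn-filter ACL is written from the remote side's point of view
! (source = remote network, destination = local host/port); the ASA applies
! it to both directions of the tunnel, so nothing else from 10.2.2.0/24
! reaches the inside network.
access-list SITE-B-FILTER extended permit tcp object REMOTE-NET host 10.1.1.10 eq 443
access-list SITE-B-FILTER extended permit tcp object REMOTE-NET host 10.1.1.20 eq 22
group-policy SITE-B-GP internal
group-policy SITE-B-GP attributes
 vpn-filter value SITE-B-FILTER
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy SITE-B-GP
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key ********

! Alternative to vpn-filter: disable the implicit bypass so decrypted VPN
! traffic is subject to the outside interface's access-group like any other
! inbound packet.
! no sysopt connection permit-vpn

! Verification: confirm the exemption matches and that a permitted flow
! passes while an unlisted one is dropped.
! show nat detail
! packet-tracer input outside tcp 10.2.2.5 12345 10.1.1.10 443
! packet-tracer input outside tcp 10.2.2.5 12345 10.1.1.30 445
```

With either the vpn-filter or `no sysopt connection permit-vpn` in place, the filtering happens at the point where the tunnel is terminated, so the remote side keeps contacting the existing inside addresses and no second set of DMZ addresses has to be handed out.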