Cisco Support Community

Setup site to site tunnel to terminate on DMZ interface

I'm looking for a way to secure traffic between hosts on our inside network and hosts on the other end of a site-to-site tunnel. I want to be able to apply an access list on the dmz interface to filter traffic from the remote site before it hits my inside network.

I've considered using nat to translate a private IP address of a dmz interface to a public IP to be used by the remote peer, but that seems to be a dead end. So I'm thinking about using the dmz interface to present to the remote side as the network they'll be communicating with, but am not clear on how to push traffic through the dmz interface in both directions. Would I have to provide the remote side with new IP addresses (addresses belonging to the dmz network) to contact instead of the addresses they currently contact, which are on the inside network? Or could I remove the no-nat configuration currently in place for hosts on the inside (which I would do as a necessary step even if presenting the remote end with new dmz addresses), and replace it with a no-nat configuration that applies to traffic sourced from the dmz interface destined for the remote side of the tunnel, and include a nat statement on the dmz interface that nats those inside hosts to themselves to save me the pain of getting the remote end to use a whole new set of addresses to contact? I'm familiar with performing that sort of nat on a host with an ASA running 8.4, but am not sure how to do it for an entire network. For example:

object network Test
nat (inside,dmz) source static

thank you,
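The following is an added example, not part of the original post and not a tested answer to it. It shows the two pieces the question touches on: ASA 8.4 twice-NAT identity ("nat to itself") syntax written for a whole subnet rather than a single host, and two ways of filtering the remote site's traffic. Every object name, network address, ACL name, group-policy name and the peer address are placeholders I made up; the crypto map, IKE policy and the routing needed to actually terminate the tunnel on the dmz interface are left out, so this does not settle whether re-homing the tunnel to dmz is workable.

```cisco
! Added example, not from the original post. Names and addresses are placeholders.
! Assumed: inside hosts live in 10.10.0.0/16, the remote site is 192.168.50.0/24.
object network INSIDE_NET
 subnet 10.10.0.0 255.255.0.0
object network REMOTE_NET
 subnet 192.168.50.0 255.255.255.0
!
! ASA 8.4 twice NAT: translate the entire inside network to itself when talking to
! the remote VPN network. Because the real and mapped objects are the same, the
! remote site keeps using the inside addresses it already knows. The interface
! pair (inside,dmz) is what the question proposes; swap dmz for outside if the
! tunnel stays on the outside interface.
nat (inside,dmz) source static INSIDE_NET INSIDE_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup
!
! Option A: interface ACL on dmz. Note that by default the ASA exempts decrypted
! VPN traffic from interface ACLs (sysopt connection permit-vpn), so this ACL only
! sees VPN traffic once that default is turned off, which then applies to every
! VPN on the box, not just this tunnel.
access-list DMZ_IN extended permit tcp object REMOTE_NET object INSIDE_NET eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
no sysopt connection permit-vpn
!
! Option B: a vpn-filter bound to the tunnel's group policy. This filters the
! remote site's traffic regardless of which interface terminates the tunnel and
! leaves the sysopt default alone. vpn-filter ACLs are written with the remote
! (VPN) side as the source, in both directions.
access-list SITE_B_VPN_FILTER extended permit tcp object REMOTE_NET object INSIDE_NET eq 443
group-policy SITE_B_GP internal
group-policy SITE_B_GP attributes
 vpn-filter value SITE_B_VPN_FILTER
tunnel-group 203.0.113.10 general-attributes
 default-group-policy SITE_B_GP
```

The `tunnel-group` name for a site-to-site peer is the peer's public address; 203.0.113.10 is a documentation-range placeholder. Of the two filtering options, the vpn-filter (option B) is the one that achieves the stated goal, restricting what the remote site can reach before it touches the inside network, without moving the tunnel or changing the global `sysopt` behaviour, so it is worth evaluating before re-homing the tunnel to the dmz interface.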

