Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2550
Views
0
Helpful
3
Replies

Peter, we have a Cisco PIX 520 with failover and a DMZ

careyg
Level 1
Level 1

‎11-07-2000 12:04 PM - edited ‎02-20-2020 09:46 PM

Peter, we have a Cisco PIX 520 with failover and a DMZ. We have created an IPSec VPN from this pix's inside interface back to our main office. We would also like to enable a VPN from the dmz to the head office. Is this possible? I have created multiple VPN's on the same firewall before but this would have the same firewall creating two VPN's that would terminate on the same peer.

If this is possible could you tell me how.

Thanks

0 Helpful
3 Replies 3

r-simpson
Level 3
Level 3

‎11-21-2000 07:55 AM

Starting with PIX release 5.1(3) it’s possible to terminate tunnels on any active interface on the PIX. I’d suggest creating another policy for the DMZ interface. I’d recommend terminating the tunnel on the outside interface of the PIX and in the crypto define interesting traffic originating both from the inside and the DMZ networks.

0 Helpful

peter.sprygada
Level 1
Level 1

‎11-22-2000 10:15 AM

absolutely this is possible. i have it running at one of my customer sites. we had to upgrade to pix ios 5.2(2) but i think that was because we implemented NAT 0. if you would like, i can send you a sample of the ios config for your review.

0 Helpful

smahbub
Level 6
Level 6

‎11-28-2000 06:46 AM

It is possible, however what you must do is to place the cryptomaps on the interfaces the VPN traffic will leave via. This means that you will have one (1) cryptomap with two (2) sequence numbers in it. One for your DMZ and one for your inside networks. You then attach it to the leaving interface I guess in your case it will be the outside interface. The magic here is to create two seperate accesslists, one for the DMZ and one for the inside networks. You should also remember to shut off address translation for these two network, when communicating via the VPN.

This is done via the NAT (interface) 0 access-list .

An example is included below.

access-list 130 permit ip 10.30.0.0 255.255.0.0 10.3.0.0 255.255.0.0

access-list 120 permit ip 10.20.0.0 255.255.0.0 10.2.0.0 255.255.0.0

nat (inside) 0 access-list 130

nat (dmz) 0 access-list 120

crypto ipsec transform-set des3sha esp-3des esp-sha-hmac

crypto map intranet 2 ipsec-isakmp

crypto map intranet 2 match address 120

crypto map intranet 2 set peer 10.1.0.2

crypto map intranet 2 set transform-set des3sha

crypto map intranet 3 ipsec-isakmp

crypto map intranet 3 match address 130

crypto map intranet 3 set peer 10.1.0.2

crypto map intranet 3 set transform-set des3sha

crypto map intranet interface outside

isakmp key 12345678 address 10.1.0.2 netmask 255.255.255.255

isakmp identity address

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption 3des

isakmp policy 2 hash sha

isakmp policy 2 group 1

isakmp policy 2 lifetime 28800

Hope this helps!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card