02-15-2007 05:19 AM - edited 03-11-2019 02:33 AM
Hello, we need to access our extranet DMZ remotely via VPN and are having some problems getting this to work.
The endpoints of the VPN are two PIXes, one of which has the extranet DMZ residing on it (see attached diagram).
The VPN is set up fine and can pass traffic site-to-site OK. The problem is when we try from the remote end to reach a network off the DMZ: we get traffic encrypted but none coming back.
I presume this can be done, but is there any special config to do this (same security, etc.)?
Any help would be much appreciated
cheers
02-15-2007 05:56 AM
In your London PIX, you need to have the DMZ part of your interesting-traffic ACL as well as a nat (DMZ) 0 ACL, just like you did for your inside networks.
access-list DMZ_nat0_outbound permit ip
nat (DMZ) 0 access-list DMZ_nat0_outbound
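A complete version of what the reply above describes, written as an added example for this thread and not taken from the poster's own config. Every address, name and mask here is an assumption chosen for illustration: London inside 10.1.0.0/24, London DMZ 192.168.10.0/24 with the partner's router at 192.168.10.2, the partner network 172.20.0.0/16 behind that router, the remote site's inside 10.2.0.0/24 and the remote PIX's outside address 203.0.113.2. ISAKMP policy, pre-shared key and the transform set ESP-3DES-SHA are assumed to exist already, since the thread says the tunnel itself is up. The point of the example is that the DMZ and the partner network must appear in three places: the crypto ACL, a nat (DMZ) 0 exemption ACL, and the PIX routing table.

```text
! Added example (PIX 6.x syntax). All addresses and names are assumed, see lead-in.
!
! 1. Interesting-traffic ACL: the DMZ and partner networks go in alongside the inside
access-list LONDON_TO_REMOTE permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list LONDON_TO_REMOTE permit ip 192.168.10.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list LONDON_TO_REMOTE permit ip 172.20.0.0 255.255.0.0 10.2.0.0 255.255.255.0
!
! 2. NAT exemption on the inside (as already done) and, new, on the DMZ interface,
!    so return traffic sourced from the DMZ side toward the remote site is not translated
access-list inside_nat0_outbound permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list DMZ_nat0_outbound permit ip 192.168.10.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list DMZ_nat0_outbound permit ip 172.20.0.0 255.255.0.0 10.2.0.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
!
! 3. The PIX must know the partner network lives behind the router on the DMZ
route DMZ 172.20.0.0 255.255.0.0 192.168.10.2 1
!
! 4. Crypto map that references the ACL; the remote PIX carries the mirror image
!    (10.2.0.0/24 as source, the three London-side networks as destination)
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address LONDON_TO_REMOTE
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside
sysopt connection permit-ipsec
```

Two checks worth making once this is in. First, the remote PIX's crypto ACL and its own nat 0 ACL must be the exact mirror of the London entries, or the proxy identities will not match at Phase 2. Second, the symptom described in the thread (packets encrypted outbound, nothing decrypted back) is exactly what a missing return route produces: the partner router at 192.168.10.2 needs a route for 10.2.0.0/24 pointing at the PIX's DMZ address, otherwise replies never reach the tunnel. On the question raised later in the thread about policy PAT, a nat 0 access-list (NAT exemption) is evaluated before policy NAT on the same interface on PIX 6.x, so traffic matching DMZ_nat0_outbound stays untranslated regardless of other nat/global statements.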
02-15-2007 07:07 AM
One more thing to muddy the waters a little:
The end server does not reside on the DMZ; rather, the router that allows access to it does (as I say, it's a partner network).
We policy-PAT connections on the London firewall going out to the destination.
Would this have an impact on the nat 0 needed for IPsec?
many thanks