can't create VPN from outside to other zones on PIX535 os ver 6.3

banajahms
Level 1

Hi all,

Recently I have been assigned to manage our network's security and VPN solutions and was faced with a dilemma; because I haven't had any experience with VPNs, I use Cisco PDM's VPN wizard to create VPN tunnels on the PIX535 with OS ver 6.3. The wizard always seems to assume that the connection is from the outside zone (security level 0) to the inside zone (security level 100). I want to create a VPN tunnel from the outside zone to a zone other than inside (security level 20, 30, ...etc) but I can't seem to be able to. I tried to even create the tunnel to the inside and from there give the VPN client's IP address access to other zones, but that didn't work. Can anyone please help me out with this? I'm still surfing the web searching for a solution but so far didn't find anything.

Thanks in advance

CHEERS

4 Replies

m.sir
Level 7

Hi,

I don't use PDM, but when using the CLI a VPN can be terminated on any interface with the command

crypto map your_map interface your_interface

check this document:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172795.html#wp997353

I am not sure, but I think PDM doesn't have all CLI features.

M.

Hey M,

Thanks for the post and link, but I don't want to create a site-to-site VPN, rather a remote access VPN. I'll keep looking for answers, but if you have any links that could help, by all means send them my way.

Thanks again

Same thing goes for remote access... don't use PDM. The program seems to push a lot of strange configs down to the PIX.. At least that is my experience.. I would suggest you use the CLI and rather use a paper that tells you what to do.. It is easy..

Making a VPN to inside or any other zone from outside is all the same. You enable the tunnel on the outside interface anyway.. What you need to do is tell in the crypto ACL and the nat 0 ACL what prefixes you are supposed to reach. The PIX will consult its routing table and send it to the right interface...

You are not telling us if you want to terminate your VPN client on the PIX or if you have another termination point in that other zone..

But this is how you make the PIX a remote access terminator:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

(This does not take into consideration split tunneling; you would maybe need that.)

The only difference from this is that in ACL 102 you input the zone you want the client to reach and implement this command:

nat (zone) 0 access-list 102

Jens
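The two points made in this thread (the crypto map is applied to the outside interface regardless of which zone the clients need, and the nat 0 ACL on the target interface tells the PIX which prefixes the clients may reach without translation) fit together in one PIX 6.3 remote-access configuration. The following is an added, constructed example, not configuration from the original post or from Cisco's linked document. Interface names, addresses, the pool range, the group name, and every password are assumptions or placeholders; the `!---` lines are annotations in the style of Cisco's documentation, not commands to type.

```cisco
!--- Constructed example: three interfaces, clients should reach the DMZ (security 20), not inside
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security20
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.20.0.1 255.255.255.0

!--- Pool of addresses handed to remote-access clients (assumed range)
ip local pool vpnpool 10.99.0.1-10.99.0.50

!--- ACL 102 names the prefixes the clients may reach: DMZ subnet <-> VPN pool.
!--- Binding it to nat (dmz) 0 exempts that traffic from NAT on the DMZ interface.
!--- This is the only line that changes when the target zone changes.
access-list 102 permit ip 10.20.0.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (dmz) 0 access-list 102

!--- Split tunneling: only the DMZ subnet is sent through the tunnel by the client
access-list split-tunnel permit ip 10.20.0.0 255.255.255.0 10.99.0.0 255.255.255.0

!--- Decrypted IPsec traffic bypasses the outside interface ACL
sysopt connection permit-ipsec

!--- Phase 1 (ISAKMP) on the outside interface; NAT-T for clients behind NAT
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- Phase 2: dynamic crypto map because client addresses are unknown in advance.
!--- The crypto map is applied to OUTSIDE even though the clients need the DMZ;
!--- after decryption the PIX routes to 10.20.0.0/24 via its routing table.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client authentication LOCAL
crypto map clientmap interface outside

!--- Per-user XAUTH against the local database (placeholder credentials)
username vpnuser password USER-PASSWORD-PLACEHOLDER privilege 2

!--- Group the Cisco VPN Client connects to (placeholder group key)
vpngroup dmzgroup address-pool vpnpool
vpngroup dmzgroup dns-server 10.20.0.10
vpngroup dmzgroup split-tunnel split-tunnel
vpngroup dmzgroup idle-time 1800
vpngroup dmzgroup password GROUP-KEY-PLACEHOLDER
```

To point clients at a different zone, change the interface name in `nat (...) 0 access-list 102` and the subnet in ACL 102 (and in the split-tunnel ACL); nothing about the crypto map or the outside interface changes. `show crypto ipsec sa` after a client connects should show the DMZ subnet as the remote-side proxy identity, and `show xlate` should show no translation for the client traffic, which confirms the nat 0 exemption is matching.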

Sorry... the paper does take into consideration split tunneling...

Jens