Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
592
Views
5
Helpful
4
Replies

Is it possible to build a vpn tunnel to the DMZ interface on a pix 515 ?

Go to solution
sjouke
Level 1
Level 1

‎11-14-2003 03:22 PM - edited ‎02-21-2020 12:52 PM

I'd like to know wether it's possible to have a vpn tunnel ending on a DMZ interface rather then the inside interface of a 3-way pix. All configuration examples I found route the traffic from the VPN client somewhere on the internet to the inside interface of the pix. I tried a nonat access-list from dmz to vpn client, but that does not work. I think because the vpn traffic goes to the highest security interface per definition. Am I right ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
junlonglu
Level 1
Level 1
In response to sjouke

‎11-22-2003 05:32 PM

hi,

you can do this by use (nat 0 dmz x.x.x.x y.y.y.y)

View solution in original post

4 Replies 4

Go to solution
Not applicable

‎11-15-2003 12:25 PM

You can have vpn tunnels to all Pix interfaces and every interface can be configured individually but isakmp must be enabled per interface and a valid crypto map must be applied, toghether with vpngroup commands and isakmp policy. For further information You should describe you scenatio in more detail, where are the vpn client, on the dmz or they are on the outside and you neet to make them access to the dmz protecting the traffic with ipsec?

Bye

0 Helpful

Go to solution
sjouke
Level 1
Level 1
In response to

‎11-16-2003 11:29 AM

Hi,

What I want is a VPN tunnel between my VPN windows client somwhere on the internet and the outside interface of my pix. I then want the traffic to go NOT to the inside interface, but to the DMZ interface. (outside : lowest security, inside : highest security) My DMZ has a private address range.

Regards,

Sjouke

0 Helpful

Go to solution
junlonglu
Level 1
Level 1
In response to sjouke

‎11-22-2003 05:32 PM

hi,

you can do this by use (nat 0 dmz x.x.x.x y.y.y.y)

Go to solution
sjouke
Level 1
Level 1
In response to junlonglu

‎11-22-2003 06:10 PM

Hi,

I did this and it works fine. What is the method to reduce the clients access to the dmz or the inside for that matter ? Should I use the access-list inout in interface inside, or the access-list outin in interface outside or the nonat list to get this done ? (say I only want the client to access a machine on the central Lan through a telnet session) I've tried several things with the nonat list, but then I don't get the traffic through anymore.

0 Helpful
Customers Also Viewed These Support Documents