02-11-2007 07:26 PM - edited 02-21-2020 02:51 PM
Hi
Is it possible to have a LAN-to-LAN VPN via the inside interface? PIX 525 running 6.3.5.
The reason is we have 2 primary sites and need to have some traffic between the DMZs. If possible, it would allow traffic between the DMZs via our internal network.
thanks
Peter
02-12-2007 05:23 PM
Hi,
The requirement is not very clear.
Kamal
02-14-2007 10:01 AM
Hi..
Sure, you can have a VPN via the inside interface. The configuration would be very similar to the "outside" VPN. A few changes in crypto would be like:
isakmp enable inside
cry map
and a few changes in NAT statements:
nat (dmz) 0 access-list X
HTH,
-Kanishka
02-15-2007 06:38 PM
Hi Kanishka
Thanks for the info. Think I may have the NAT wrong as the VPN did not try to establish. But then does 'NAT 0' work from a DMZ to inside interface? Thought NAT 0 was only for traffic going the other way?
02-16-2007 05:28 AM
Hi,
Nat 0 works bidirectionally. So, if you have
nat (dmz) 0 access-list X
It would work for traffic going to inside as well as for traffic going to the outside interface. So, the VPN traffic entering the FW from the DMZ and going to the inside n/w needs to have a Nat (dmz) 0 or a static.
HTH,
-Kanishka
02-19-2007 06:09 PM
Thanks Kanishka. I will give it a go.
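A fuller PIX 6.3 configuration sketch for the setup discussed in this thread, added here as an illustration and not posted by any participant: a LAN-to-LAN tunnel terminated on the inside interface, with DMZ-to-DMZ traffic exempted from NAT. All addresses, ACL names, the crypto map name and the key placeholder are constructed assumptions; the remote PIX would need the mirror image.

```cisco
: Constructed values (assumptions, not from the thread):
:   local DMZ  192.168.10.0/24    remote DMZ        192.168.20.0/24
:   remote PIX inside address     10.2.0.1
:   next hop on the internal LAN  10.1.0.254

: Interesting traffic: local DMZ to remote DMZ only
access-list DMZ_CRYPTO permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

: NAT exemption for the same flow, bound to the dmz interface
access-list DMZ_NONAT permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (dmz) 0 access-list DMZ_NONAT

: The remote DMZ must route out the inside interface so the
: crypto map applied there sees the traffic
route inside 192.168.20.0 255.255.255.0 10.1.0.254 1

: Let decrypted tunnel traffic bypass interface ACL checks
sysopt connection permit-ipsec

: Phase 2
crypto ipsec transform-set DMZ_SET esp-3des esp-sha-hmac
crypto map INSIDE_MAP 10 ipsec-isakmp
crypto map INSIDE_MAP 10 match address DMZ_CRYPTO
crypto map INSIDE_MAP 10 set peer 10.2.0.1
crypto map INSIDE_MAP 10 set transform-set DMZ_SET
crypto map INSIDE_MAP interface inside

: Phase 1, enabled on inside instead of outside
isakmp enable inside
isakmp key <PRE_SHARED_KEY> address 10.2.0.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

If the tunnel never attempts to establish, `show crypto isakmp sa` and `show crypto ipsec sa` show whether any traffic matched the crypto ACL; a missing route or a NAT rule that rewrites the source before the match are the usual things to rule out.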