PIX remote vpn to dmz

daniel.kline
Level 1

Can a PIX firewall be configured to provide remote VPN connectivity to VPN clients entering through the DMZ interface? Can the remote VPN through the DMZ be configured simultaneously with remote VPN to the external interface?

I have configured dozens of remote VPNs, but only through the external interface, never through the DMZ.

Thx,

dak

2 Replies

gfullage
Cisco Employee

Yes it can, you just need to enable isakmp on the dmz interface with:

isakmp enable dmz

and then create a different crypto map and apply it to the dmz interface with:

crypto map <map-name> interface dmz

Other than that everything is as normal. The hardest thing in this scenario is making sure your routing table on the PIX has routes back to the hosts, and that these routes point out the DMZ interface rather than the outside. Remember that the return traffic back to the hosts HAS TO go back out the dmz interface, and this is defined by your routing table. With VPN clients getting dynamic IP addresses from their ISP, this is virtually impossible to do.

What some people do if they have a LAN-to-LAN tunnel and VPN clients is set up the L2L over the DMZ interface and have the clients connect in over the outside interface. This way they can have the default route pointing out the outside interface, and a static route for the remote L2L network pointing out the DMZ. This has the added benefit of allowing the VPN clients to tunnel into the PIX, then go back out over the L2L tunnel to the remote site, something you normally couldn't do if they both terminated on the outside interface.

See the following for details:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080103ed0.shtml
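An added configuration sketch of the split arrangement gfullage describes (this is not from the post or from Cisco's documentation): the LAN-to-LAN tunnel terminates on dmz, the remote-access clients on outside, and the routing table decides which interface return traffic leaves. It uses PIX 6.x syntax; all map names, access-list names, addresses and the peer are constructed placeholders, and the isakmp policy, client address pool and group configuration are omitted because they are the same as in a normal outside-only setup.

```text
! Lines starting with "!" are annotations for the reader, not PIX commands.
! ISAKMP must listen on every interface that terminates a tunnel.
isakmp enable outside
isakmp enable dmz

! Routing is what sends return traffic out the right interface:
! default route out outside (VPN clients have unpredictable source addresses),
! static route for the remote L2L network out dmz.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route dmz 192.168.50.0 255.255.255.0 198.51.100.1 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Remote-access clients: a dynamic crypto map, applied to the outside interface.
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE-MAP interface outside

! LAN-to-LAN peer: a separate static crypto map, applied to the dmz interface.
! PIX 6.x access-lists take a netmask, not a wildcard mask.
access-list L2L-TRAFFIC permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto map DMZ-MAP 10 ipsec-isakmp
crypto map DMZ-MAP 10 match address L2L-TRAFFIC
crypto map DMZ-MAP 10 set peer 198.51.100.20
crypto map DMZ-MAP 10 set transform-set ESP-3DES-SHA
crypto map DMZ-MAP interface dmz
isakmp key <preshared-key> address 198.51.100.20 netmask 255.255.255.255
```

Each interface carries exactly one crypto map, so the client map and the L2L map have to be distinct; the `route dmz` line is the piece that makes the L2L return traffic leave through dmz rather than following the default route.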

Thanks for the info, gfullage.