04-16-2002 08:46 AM - edited 02-21-2020 11:41 AM
Can a VPN be terminated on a DMZ if the address on that particular DMZ is legal and registered?
The connection works on the outside interface; however, when I tried moving it to a DMZ it didn't work, even though the DMZ's IP is registered and I configured the PIX as follows:
crypto map mymap interface dmz
isakmp enable dmz
isakmp client configuration address-pool local ipsecpool dmz
Thanks in advance.
04-16-2002 09:49 AM
You can terminate a VPN on any interface. You can even apply crypto maps to every interface independently. Also note, the name 'dmz' is just a tag. You could rename the interface to 'VPN'.
I suspect your problem is with routing.
If you are tunneling private addresses, you will need to add a route for the remote LAN through the DMZ interface. You generally do not need this route when the crypto-map is applied to the outside interface because the remote LAN would be included in the default route statement (0.0.0.0).
For example: If you were to apply the crypto-map to the outside interface, but only configure a specific route for the peer network's public IP address, the connection would fail. You would have to add a route for the peer network's internal addressing as well.
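As an added illustration of the routing point made above (this is not from the original thread or from Cisco), the following Python models a PIX-style routing table with longest-prefix match and shows which egress interface, and therefore which interface's crypto map, traffic to the remote private LAN would hit with and without the extra route. All addresses, networks and gateways in the tables are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed values in the spirit of "route <if_name> <net> <mask> <gateway>".
# 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges; 10.20.0.0/16 is made up.
REMOTE_PUBLIC_PEER = "203.0.113.10"   # remote VPN gateway's public address (constructed)
REMOTE_PRIVATE_LAN = "10.20.0.0/16"   # private LAN behind the peer, carried in the tunnel


def lookup(table, dst: str) -> Optional[str]:
    """Longest-prefix match over (interface, network, gateway) entries.

    Returns the egress interface for dst, or None when no route matches.
    Only the crypto map bound to that egress interface gets a chance to
    encrypt the packet; a crypto map on another interface is never consulted.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for iface, net, _gw in table:
        network = ipaddress.ip_network(net)
        if dst_ip in network and (best is None or network.prefixlen > best[1].prefixlen):
            best = (iface, network)
    return best[0] if best else None


def dmz_without_lan_route():
    # Crypto map applied to dmz, but only the default route (via outside) exists.
    table = [("outside", "0.0.0.0/0", "192.0.2.1")]
    return lookup(table, "10.20.5.7")   # "outside": the dmz crypto map never sees it


def dmz_with_lan_route():
    # Same table plus a route for the remote LAN through the dmz interface.
    table = [("outside", "0.0.0.0/0", "192.0.2.1"),
             ("dmz", REMOTE_PRIVATE_LAN, "172.16.1.1")]
    return lookup(table, "10.20.5.7")   # "dmz"


def outside_with_peer_route_only():
    # Crypto map on outside, a host route only for the peer's public IP, no default route.
    table = [("outside", REMOTE_PUBLIC_PEER + "/32", "192.0.2.1")]
    # Peer reachable, but the peer's internal addressing has no route at all.
    return lookup(table, REMOTE_PUBLIC_PEER), lookup(table, "10.20.5.7")   # ("outside", None)
```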
04-17-2002 12:20 AM
Thanks Brad, I'll check my routing and let you know the outcome.