11-06-2000 08:30 AM - edited 02-21-2020 11:14 AM
I have a rather perplexing situation here. I have a customer that is terminating VPN connections on a PIX520 with six interfaces. The VPN works great when terminating on the outside interface. We need to terminate a different VPN on one of the "dmz" interfaces. We are able to get the tunnel up and running just fine; however, the dynamic ACL that is being built will only allow ICMP traffic. We are currently running 5.2(2) code. Has anyone ever tried this and gotten it to work properly? Right now we have the TAC engineers completely stumped.
11-08-2000 09:54 AM
Sounds like a bug. Has your TAC engineer sent this to the development team?
01-02-2001 01:43 PM
I have done it a few times using NAT 0 commands. Keep the VPN terminating on the outside, but in your interesting traffic create an access-list that addresses traffic from the DMZ to your remote site. Also include this in the NAT 0 command to bypass NAT for this traffic. With 5.2 it works great. It doesn't work with PL-COMPATIBLE.
Sam
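Sam's workaround laid out as a PIX 5.2-style configuration sketch (an added illustration, not the poster's own config); the interface name, networks, peer address and pre-shared key are assumed placeholder values:

```cisco
! Assumed addressing (constructed for this example): DMZ network 192.168.10.0/24
! behind the "dmz" interface, remote site 10.20.0.0/16, remote peer 203.0.113.1.

! Interesting traffic: DMZ hosts to the remote site. The same ACL drives both
! the crypto map (what gets encrypted) and NAT exemption (what is not translated).
access-list dmz_to_remote permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0

! Bypass NAT for exactly this traffic, scoped to the dmz interface
nat (dmz) 0 access-list dmz_to_remote

! Phase 1 / Phase 2 parameters (pre-shared key is a placeholder)
isakmp enable outside
isakmp key PLACEHOLDER_PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! The tunnel still terminates on the outside interface; only the protected
! traffic selector (the ACL above) covers DMZ addresses.
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address dmz_to_remote
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside

! Let decrypted IPsec traffic bypass the interface access-list / conduit check
sysopt connection permit-ipsec
```

Keep the crypto ACL as narrow as the remote peer's mirror-image ACL, since anything it matches is both exempted from NAT and passed by the permit-ipsec sysopt; `show crypto ipsec sa` confirms that the negotiated local/remote identities match the intended DMZ and remote networks.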
01-05-2001 08:23 AM
Hi Peter,
I think this is an IOS issue on the FW. In order to terminate the VPN on one of the inside interfaces you may check the release notes of the IOS.
HTH