access to DMZ (PIX 6.3) from outside through vpn tunnel

Hello !

PIX 6.3

I have several branch offices connected to headquarters through VPN tunnels (PIX to PIX VPN). At headquarters I have a DMZ (dmz interface, PIX 515). Is it possible to create a VPN connection from the branch offices to the DMZ? I have to put the corporate Exchange server there. Exchange should not be visible from the internet, but for some reason it may not be in the inside LAN. Any examples?

regards kmet

marcin.kmetko

Do you want to terminate a VPN tunnel somewhere in the DMZ, or just allow traffic from/to the DMZ to enter the tunnel?

It's just the same as with any other VPN tunnel. You only have to make proper ACLs.

Michał Iwaszk

Only allow traffic. The VPN is terminated on the outside interface. It should be easy... but I can't manage it.

Topology looks like this:

    vpn_client (192.168.1.11)
            |
            |
        (outside)
           pix (dmz) --- 172.16.0.0
        (inside)
            |
       192.168.0.0

vpn_client has access to the LAN (inside), but I can't get to the servers in the DMZ.

Config:

    nat (inside) 0 access-list 10
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmz) 0 access-list nonat_dmz

    access-list 10 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nonat_dmz permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0

    access-list in_outside permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0
    access-list in_outside permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list in_inside permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list in_dmz permit ip host 172.16.0.3 any

    ip local pool vpnclients 192.168.1.10-192.168.1.15
    vpngroup remote_access address-pool vpnclients
    vpngroup remote_access split-tunnel 10
    vpngroup remote_access idle-time 1800
    vpngroup remote_access password ********

Any idea?

regards

marcin.kmetko
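For a VPN client to reach a host behind a PIX, three policies in the posted config have to agree on the flow: the split-tunnel ACL (which decides what the client sends into the tunnel), the NAT-exemption ACL on the server's interface, and the ACL applied on the outside interface. The script below is an added example, not code from the thread; it parses the `access-list` lines as posted and reports which of the three policies permits a given client-to-server flow. It assumes PIX 6.x semantics, where the split-tunnel and `nat 0` ACLs are written with the protected network as the source and the client pool as the destination, while the interface ACL is written in the direction of the incoming packet. The function names (`parse_acls`, `permits`, `check_client_flow`) are mine.

```python
import ipaddress

# Constructed sample: the access-list lines quoted in the thread. "10" is the
# ACL that "vpngroup remote_access split-tunnel 10" and "nat (inside) 0" reference.
PIX_CONFIG = """
access-list 10 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat_dmz permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list in_outside permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list in_outside permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list in_inside permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list in_dmz permit ip host 172.16.0.3 any
"""


def _parse_addr(tokens, i):
    """Consume one PIX address spec starting at tokens[i]: 'any', 'host X', or 'NET MASK'.
    Returns (ip_network, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.x access-lists use a real subnet mask (not an IOS wildcard mask)
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'permit/deny ip' entries."""
    acls = {}
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # only plain 'ip' entries appear in this thread
        name, action = t[1], t[2]
        src, nxt = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, nxt)
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def permits(acl, src_ip, dst_ip):
    """First-match evaluation of an ACL; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


def check_client_flow(config, client_ip, server_ip, split_acl, nonat_acl, outside_acl):
    """Report which policies cover traffic from a VPN client to a protected server."""
    acls = parse_acls(config)
    return {
        # split-tunnel and nat 0 ACLs: protected network -> client pool
        "split_tunnel": permits(acls.get(split_acl, []), server_ip, client_ip),
        "nat_exempt": permits(acls.get(nonat_acl, []), server_ip, client_ip),
        # interface ACL on outside: evaluated on the inbound packet, client -> server
        "outside_acl": permits(acls.get(outside_acl, []), client_ip, server_ip),
    }


if __name__ == "__main__":
    # Client 192.168.1.11 to the DMZ host 172.16.0.3, using the ACL names from the config
    for target in ("172.16.0.3", "192.168.0.5"):
        nonat = "nonat_dmz" if target.startswith("172.16.") else "10"
        print(target, check_client_flow(PIX_CONFIG, "192.168.1.11", target, "10", nonat, "in_outside"))
```

Run against the posted config, the DMZ flow shows `nat_exempt` and `outside_acl` permitted but `split_tunnel` not, while the inside flow passes all three; the script only reports what each ACL says about a flow, so it is a quick way to confirm every policy covers a new subnet before changing anything on the firewall.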
