pix 525 6.3(5) site-to-site VPN with DMZ access

I am trying to create a site-to-site VPN between 2 offices, let's call them Office A and Office B. Each office has an inside zone and a DMZ zone. Each office has a PIX 525 with version 6.3(5) running on it. I am able to create tunnels so that inside A can access inside B, and DMZ A can access DMZ B - but I am unable to create the functionality that I need. The following is what I would like to do.

Connectivity Requirements:

- Inside of Office A can access BOTH inside and DMZ of Office B
- DMZ of Office A can ONLY access DMZ of Office B and NOT inside of Office B
- Inside of Office B can access BOTH inside and DMZ of Office A
- DMZ of Office B can ONLY access DMZ of Office A and NOT inside of Office A
- Inside of Office A can access DMZ of Office A
- Inside of Office B can access DMZ of Office B
- DMZ of Office A CANNOT access inside of Office A
- DMZ of Office B CANNOT access inside of Office B

Specifics

Office A:
- PIX outside interface: 99.99.99.99
- PIX DMZ interface: 10.10.1.1/16
- PIX inside interface: 172.20.1.1/24

Office B:
- PIX outside interface: 100.100.100.100
- PIX DMZ interface: 10.11.1.1/16
- PIX inside interface: 172.21.1.1/24

I have checked all the Cisco web site examples; I cannot find a single example where they do something like that. Normally we turn off NATting for VPN, but I am assuming that here we need some kind of NATting or PATting. Does anyone have an idea? Also, I do not have access to the routers in either office, so whatever configuration I need to do must be done only on the firewalls.

Thanks very much in advance.

Reply to
zacharydenison

pixA(conf)# access-list no_nat permit ip any 10.0.0.0 255.0.0.0
pixA(conf)# access-list no_nat permit ip any 172.16.0.0 255.240.0.0
pixA(conf)# access-list no_nat permit ip any 192.168.0.0 255.255.0.0

pixA(conf)# nat (inside) 0 access-list no_nat
pixA(conf)# nat (dmz) 0 access-list no_nat

pixA(conf)# access-list vpn permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
pixA(conf)# access-list vpn permit ip 10.10.0.0 255.255.0.0 172.21.0.0 255.255.255.0
pixA(conf)# access-list vpn permit ip 172.20.0.0 255.255.255.0 10.11.0.0 255.255.0.0
pixA(conf)# access-list vpn permit ip 172.20.0.0 255.255.255.0 172.21.0.0 255.255.255.0

pixA(conf)# crypto map branch 10 match address vpn

pixB vice versa

pixB(conf)# access-list from_outside permit ip 10.10.0.0 255.255.0.0 any
pixB(conf)# access-list from_dmz permit ip 172.20.0.0 255.255.255.0 172.21.0.0 255.255.255.0
pixB(conf)# access-list from_inside permit ip any 172.21.0.0 255.255.255.0
pixB(conf)# access-list from_outside deny ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0

Your turn.

pixB(conf)# access-group from_inside in interface inside ...

Reply to
Lutz Donnerhacke

I am afraid this configuration doesn't work. I am still able to establish connections bidirectionally from the DMZ of either office to the inside. It seems that the VPN access lists take precedence over the interface access lists. It seems to me that some NATting is required, although I don't know how this would work. What I would like is that an inside host in Office A can connect to a DMZ server in Office B, but no server in the DMZ of Office B should be allowed to initiate a connection with any host in the inside of Office A (and vice versa).

Reply to
networksecurity

Of course. I provided a sketch of the necessary configuration. You have to complete your configuration from this sketch.

Reply to
Lutz Donnerhacke

Actually, your configuration does work. After I re-read my post I realized what the problem was: the VPN traffic was taking precedence over the ACLs, so I needed to do a "no sysopt connection ipsec", which doesn't bypass the ACL. After that your example worked very well. Thank you!

Reply to
networksecurity
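Pulling the thread together, here is the Office A side written out in full. This is an added example, not configuration posted by either participant: it fills in the pixA interface ACLs that the sketch left as "your turn" and ends with the fix from the last post, whose exact PIX 6.3 command name is `sysopt connection permit-ipsec` (the post writes it as "sysopt connection ipsec"). Addresses are the ones from the question and the ACL names no_nat, vpn and from_* follow the sketch; the transform-set name, the crypto map sequence number, the ISAKMP policy parameters and the pre-shared key placeholder are assumptions. Lines beginning with `!` are annotations for the reader, not PIX commands. Office B mirrors this with the two sites' addresses swapped.

```text
! Office A, PIX 525 running 6.3(5). Added example, not the thread's own config.

! --- 1. NAT exemption: traffic to the private ranges keeps its real addresses ---
access-list no_nat permit ip any 10.0.0.0 255.0.0.0
access-list no_nat permit ip any 172.16.0.0 255.240.0.0
access-list no_nat permit ip any 192.168.0.0 255.255.0.0
nat (inside) 0 access-list no_nat
nat (dmz) 0 access-list no_nat

! --- 2. Crypto ACL: which traffic enters the tunnel ---
! This ACL is matched symmetrically on both peers, so it must be a full mesh
! of the four networks. It decides what is encrypted, NOT who may talk to whom;
! DMZ A -> inside B is listed here only so that inside B -> DMZ A replies match.
access-list vpn permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list vpn permit ip 10.10.0.0 255.255.0.0 172.21.0.0 255.255.255.0
access-list vpn permit ip 172.20.0.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list vpn permit ip 172.20.0.0 255.255.255.0 172.21.0.0 255.255.255.0

! --- 3. IPsec / ISAKMP (peer address from the question; names and key assumed) ---
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map branch 10 ipsec-isakmp
crypto map branch 10 match address vpn
crypto map branch 10 set peer 100.100.100.100
crypto map branch 10 set transform-set strong
crypto map branch interface outside
isakmp enable outside
isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 100.100.100.100 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

! --- 4. Policy enforcement: interface ACLs (inbound on each interface) ---
! outside: decrypted traffic from Office B is checked here once step 5 is applied
access-list from_outside permit ip 172.21.0.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list from_outside permit ip 172.21.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list from_outside permit ip 10.11.0.0 255.255.0.0 10.10.0.0 255.255.0.0
! DMZ B -> inside A is not listed and falls through to the implicit deny
access-group from_outside in interface outside

! dmz: DMZ A may initiate only to DMZ B, never to either inside network
access-list from_dmz deny ip 10.10.0.0 255.255.0.0 172.20.0.0 255.255.255.0
access-list from_dmz deny ip 10.10.0.0 255.255.0.0 172.21.0.0 255.255.255.0
access-list from_dmz permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
! (any further reachability the DMZ needs, e.g. Internet, goes below the denies)
access-group from_dmz in interface dmz

! inside: inside A may reach the local DMZ and both Office B networks
access-list from_inside permit ip 172.20.0.0 255.255.255.0 any
access-group from_inside in interface inside

! --- 5. The fix from the end of the thread ---
! By default the PIX lets decrypted IPsec traffic bypass the interface ACLs,
! which is why the DMZ-to-inside connections still worked. Turn that off so the
! from_outside ACL above is actually consulted for tunnel traffic.
no sysopt connection permit-ipsec
```

Two points worth checking after applying this: `show access-list from_outside` should show hit counts climbing on the permit lines for legitimate inside-B traffic while a test connection from DMZ B to 172.20.0.0/24 produces none (it is dropped by the implicit deny and logged as a 106023 denial if logging is on), and `show sysopt` should no longer list `sysopt connection permit-ipsec`. Note that because the nat 0 exemption is ACL-based and the policy lives entirely in the interface ACLs, no NAT or PAT is needed to get the one-way DMZ behaviour the question asked for.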

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.