I am trying to create a site-to-site VPN between 2 offices, let's call them Office A and Office B. Each office has an inside zone and a DMZ zone. Each office has a PIX 525 with version 6.3(5) running on it. I am able to create tunnels so that inside A can access inside B, and DMZ A can access DMZ B, but I am unable to create the functionality that I need. The following is what I would like to do.
Connectivity Requirements:
Inside of Office A can access BOTH inside and DMZ of Office B
DMZ of Office A can ONLY access DMZ of Office B and NOT inside of Office B
Inside of Office B can access BOTH inside and DMZ of Office A
DMZ of Office B can ONLY access DMZ of Office A and NOT inside of Office A
Inside of Office A can access DMZ of Office A
Inside of Office B can access DMZ of Office B
DMZ of Office A CANNOT access inside of Office A
DMZ of Office B CANNOT access inside of Office B
Specifics
Office A:
PIX outside interface: 99.99.99.99
PIX DMZ interface: 10.10.1.1/16
PIX inside interface: 172.20.1.1/24

Office B:
PIX outside interface: 100.100.100.100
PIX DMZ interface: 10.11.1.1/16
PIX inside interface: 172.21.1.1/24
I have checked all the Cisco website examples, and I cannot find a single example where they do something like that. Normally we turn off NAT for VPN, but I am assuming that here we need some kind of NAT or PAT. Does anyone have an idea? Also, I do not have access to the routers in either office, so whatever configuration I need to do must be done only on the firewalls.
Thanks very much in advance.
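An added example (not the poster's configuration) of how the connectivity matrix above can be expressed on the Office A PIX in 6.3 syntax; it assumes the interfaces are named outside, inside and dmz, uses a placeholder pre-shared key, and Office B gets the mirror image with networks and peer swapped. The point it illustrates: a crypto ACL entry matches both directions of an SA, so no NAT is needed, but the "DMZ may not initiate toward inside" rules have to be enforced with an interface ACL on the DMZ, not with the crypto ACL.

```text
! Office A PIX 525, 6.3(5). Assumed interface names: outside, inside, dmz.
!
! Interesting traffic: one line per permitted pair. Each entry matches packets in
! BOTH directions of the SA, so DMZ A <-> inside B must be listed (inside B is
! allowed to initiate into DMZ A); the direction restriction is applied below.
access-list to_office_b permit ip 172.20.1.0 255.255.255.0 172.21.1.0 255.255.255.0
access-list to_office_b permit ip 172.20.1.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list to_office_b permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list to_office_b permit ip 10.10.0.0 255.255.0.0 172.21.1.0 255.255.255.0
!
! NAT exemption so tunnelled traffic keeps its private addresses
! (a separate nat 0 ACL per interface).
access-list nonat_inside permit ip 172.20.1.0 255.255.255.0 172.21.1.0 255.255.255.0
access-list nonat_inside permit ip 172.20.1.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list nonat_dmz permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list nonat_dmz permit ip 10.10.0.0 255.255.0.0 172.21.1.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
nat (dmz) 0 access-list nonat_dmz
!
! DMZ A may only initiate toward DMZ B. New connections from DMZ A to either
! inside network are dropped here; replies to connections that inside A or
! inside B opened into DMZ A are still allowed by the PIX connection table.
access-list dmz_in deny ip 10.10.0.0 255.255.0.0 172.21.1.0 255.255.255.0
access-list dmz_in deny ip 10.10.0.0 255.255.0.0 172.20.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
!
! IKE phase 1 and IPsec phase 2 for the single peer. Decrypted tunnel traffic
! bypasses the outside interface ACL.
sysopt connection permit-ipsec
isakmp enable outside
isakmp key REPLACE_WITH_PSK address 100.100.100.100 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set aes_sha esp-aes esp-sha-hmac
crypto map office_vpn 10 ipsec-isakmp
crypto map office_vpn 10 match address to_office_b
crypto map office_vpn 10 set peer 100.100.100.100
crypto map office_vpn 10 set transform-set aes_sha
crypto map office_vpn interface outside
```

On Office B the same structure applies with a dmz_in ACL that denies 10.11.0.0/16 toward 172.20.1.0/24 and 172.21.1.0/24, which gives the symmetric "DMZ B cannot reach either inside" rule.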