"Routing" to another network via PIX vpn?

Had a question above about this but I think it was too complicated...

Is it possible to have a remote VPN (ipsec) connection hit the PIX via the Outside interface, and have that traffic go to a "DMZ" interface instead of the Inside? Yes.

Now my question is: Is it possible to hit networks that are hanging off a router on that DMZ subnet? These route(s) are statically in the PIX routing table as well as the remote PIX's.

I have told the remote PIX to ipsec traffic from inside->far dmz network; the PIX does nat 0 for this, of course. Told them the way to that network is via the outside interface of the central PIX. Packets show up on the central PIX but syslog says "no translation group src internet:10.2.1.5 dst: 192.168.99.5". In other words, ipsec'd packets show up on the internet interface with private IPs from the remote PIX as expected, but then have nowhere to go.

They have no NAT available, as they need to go to a higher security interface, so that would be backwards. And I can't seem to figure out a working 'static' statement.

I guess I'm having trouble figuring out "where" exactly one of these packets is in the order of processing. I can picture when a packet is coming from the inside interface, or one coming out of the tunnel onto a local network, but can't seem to figure out how to direct it to a close-by routed network!

Any ideas anyone? Joey


Sounds like you have not applied a "nat 0" command to the dmz interface. Do you have something like this:

    access-list DMZ permit ip 192.168.99.0 255.255.255.0 10.2.1.5 255.255.255.0
    access-list NO_NAT_DMZ permit ip 192.168.99.0 255.255.255.0 10.2.1.5 255.255.255.0
    access-list VPN permit ip 192.168.99.0 255.255.255.0 10.2.1.5 255.255.255.0
    nat (dmz) 0 access-list NO_NAT_DMZ
    access-group DMZ in interface dmz
    crypto map MAP 100 match address VPN
Jyri Korhonen
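Extending the nat 0 idea above to the case Joey actually asked about (a network behind a router on the DMZ), here is an added example config in PIX 6.x style; it is not from either poster. Assumed addressing: DMZ subnet 192.168.99.0/24, DMZ router at 192.168.99.1, far network 192.168.100.0/24 behind it, remote site 10.2.1.0/24, remote peer 203.0.113.2; the ISAKMP policy and pre-shared key are assumed to be configured already, and comment lines use the ":" prefix PIX writes in saved configs.

```cisco
: Added example, not the thread's own config. Addresses are assumed (see lead-in).
:
: 1. Static route: the far network sits behind the DMZ router.
route dmz 192.168.100.0 255.255.255.0 192.168.99.1 1
:
: 2. NAT exemption on the dmz interface lists BOTH the connected DMZ subnet
:    and the far network as sources. The far subnet is exempted on dmz because
:    the PIX routes it out that interface, not because it is directly connected.
:    Without the second line, outside->dmz packets for 192.168.100.x hit
:    "no translation group" exactly as in the original post.
access-list NO_NAT_DMZ permit ip 192.168.99.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list NO_NAT_DMZ permit ip 192.168.100.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (dmz) 0 access-list NO_NAT_DMZ
:
: 3. Crypto ACL must carry the same pairs, or far-network traffic is never
:    selected for the tunnel. The remote PIX needs the mirror image of this ACL.
access-list VPN permit ip 192.168.99.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list VPN permit ip 192.168.100.0 255.255.255.0 10.2.1.0 255.255.255.0
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
crypto map MAP 100 ipsec-isakmp
crypto map MAP 100 match address VPN
crypto map MAP 100 set peer 203.0.113.2
crypto map MAP 100 set transform-set STRONG
crypto map MAP interface outside
:
: 4. Decrypted remote traffic still enters via outside. Rather than bypassing
:    the outside ACL for all IPsec traffic, leave the bypass off and permit
:    only the flows the tunnel is meant to carry.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit ip 10.2.1.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list OUTSIDE_IN permit ip 10.2.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
:
: 5. Not on the PIX: the DMZ router (192.168.99.1) must route 10.2.1.0/24 back
:    to the PIX dmz address, otherwise return traffic dies on the router.
```

Check with "show xlate" and "show crypto ipsec sa" on the central PIX: the far-network flows should show no translation and rising encaps/decaps counters once both sides match.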

Yeah I think I've got that part covered now but no go :/ .... what I may end up doing as a workaround is sticking a router in between the router and the PIX and doing NAT there, as in your example, instead of in the PIX. We don't have control of the router as it's the other company's and they are paranoid. I think if I just let the PIX pass the remote's IPs straight through, as is done with normal remote-DMZ traffic, it will work. I can make the needed addresses appear as hosts in the DMZ and avoid trying to get a 2nd subnet working.

J

