access to DMZ (PIX 6.3) from outside through vpn tunnel

Hello !

PIX 6.3

I have several branch offices connected to headquarter through vpn
tunnel (PIX to PIX vpn).
In headquarter i have DMZ (dmz interface - PIX 515).
Is it possible to create vpn connection from branch offices to DMZ ?
I have to put corporate Exchange server there. Exchange should not be
visible from internet but for some reason it may not be in inside lan.
Any examples ?

regards
kmet

 

Do You wan't to terminate a VPN tunnel somewhere in the DMZ or just
allow traffic from/to the DMZ to enter the tunnel?

It's just the same as with any other VPN tunnel. You only have to make
proper ACLs.

 

Only allow trafic. VPN is terminated in outside interface.
It should be easy ... but i can't manage it.

Topology looks like this :

vpn_client (192.168.1.11)
|
|
(outside)
pix (dmz) --- 172.16.0.0
|
(inside) 192.168.0.0

vpn_client have access to lan (inside), but i can't get to servers in
dmz.

Config :
nat (inside) 0 access-list 10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list nonat_dmz

access-list 10 permit ip 192.168.0.0 255.255.255.0 192.168.1.0
255.255.255.0
access-list nonat_dmz permit ip 172.16.0.0 255.255.255.0 192.168.1.0
255.255.255.0

access-list in_outside permit ip 192.168.1.0 255.255.255.0 172.16.0.0
255.255.255.0
access-list in_outside permit ip 192.168.1.0 255.255.255.0 192.168.0.0
255.255.255.0
access-list in_inside permit ip 192.168.0.0 255.255.255.0 192.168.1.0
255.255.255.0
access-list in_dmz permit ip host 172.16.0.3 any

ip local pool vpnclients 192.168.1.10-192.168.1.15
vpngroup remote_access address-pool vpnclients
vpngroup remote_access split-tunnel 10
vpngroup remote_access idle-time 1800
vpngroup remote_access password ********

any idea ?

regards