Is a site to site VPN in this scenario possible?

We have 5-6 users who are operating out of another company's office,
and I want to create a site-to-site VPN tunnel from that location's
PIX 515 DMZ to the outside interface on our local PIX 515. Is this
scenario possible? Thanks for any and all replies.

 

In your scenario I think that this is not going to work because for IPSec
tunnel traffic should leave source location's VPN firewall trough it's
outside interface and enter destination location's VPN firewall trough it's
outside interface. So, in your case you have to set vpn configuration
(crypto map) on outside interfaces on both PIX boxes.
So, why you simply don't set crypto map on outside interfaces and then use
cypto acl's to select traffic for encapsulation, for example traffic sourced
from DMZ LAN? This is how things should be done at least AFAIK on pix.
On Cisco routers you can put the crypto map on loopback interface and then
policy route traffic from dmz to loopback...this has some chances to work...
Pix doesn't support policy routing nor loopback interfaces.
Or if this is scalable and practical configure remote access VPN on your pix
and then connect remote users with software vpn clients...Then you don't
have to worry about PIX in another company. They just have to let you pass
trough IPSec UDP packets trough their PIX out to the Internet.

i

 

We terminate VPNs on the outside and DMZ interfaces on PIX 515, there
is no restriction on that. It sounds though like you have the 5-6
hosts connected to the DMZ? If that is the case, you would terminate
the VPN on the 515 outside interface and pass the VPN traffic to the
DMZ and your hosts. On the "local" 515, you would terminate on the
outside. Some more detail would help like IP ranges and where you
want the encrypted traffic to pass.