pix 525 6.3(5) site-to-site VPN with DMZ access

I am trying to create a site to site vpn between 2 offices, lets call
them Office A and Office B. Each office has an inside zone and a DMZ
zone. Each office has a pix 525 with version 6.3(5) running on it. I am
able to create tunnels so that inside A can access inside B, and DMZ A
can access DMZ B - but I am unable to create the funtionality that I
need. The following is what I would like to do.

Connectivity Requirements:

Inside of Office A can access BOTH inside and DMZ of Office B
DMZ of Office A can ONLY access DMZ of Office B and NOT inside of
Office B
Inside of Office B can access Both inside and DMZ of Office A
DMZ of Office B can ONLY access DMZ of Office A and not inside of
Office A
Inside of Office A can access DMZ of Office A
Inside of Office B can access DMZ of Office B
DMZ of Office A CANNOT access Inside of Office A
DMZ of Office B CANNOT access Inside of Office B

Specifics

Office A:
pix outside interface: 99.99.99.99
pix DMZ interface: 10.10.1.1/16
pix inside interface: 172.20.1.1/24

Office B:
pix outside interface: 100.100.100.100
pix DMZ interface: 10.11.1.1/16
pix inside interface: 172.21.1.1/24

I have checked all the cisco web site examples, I cannot find a single
example where they do something like that -- Normally we turn off
natting for VPN, but I am assuming that here we need some kind of
natting or patting, does anyone have an idea? Also I do not have access
to the routers in either office, so whatever configuration I need to do
must be done only on the firewalls

Thanks very much in advance.

 

pixA(conf)# access-l no_nat p ip any 10.0.0.0 255.0.0.0
pixA(conf)# access-l no_nat p ip any 172.16.0.0 255.240.0.0
pixA(conf)# access-l no_nat p ip any 192.168.0.0 255.255.0.0

pixA(conf)# nat (inside) 0 no_nat
pixA(conf)# nat (dmz) 0 no_nat

pixA(conf)# access-l vpn p ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
pixA(conf)# access-l vpn p ip 10.10.0.0 255.255.0.0 172.21.0.0 255.255.255.0
pixA(conf)# access-l vpn p ip 172.20.0.0 255.255.255.0 10.11.0.0 255.255.0.0
pixA(conf)# access-l vpn p ip 172.20.0.0 255.255.255.0 172.21.0.0 255.255.255.0

pixA(conf)# crypto map branch match address vpn

pixB vice versa

pixB(conf)# access-l from_outside perm ip 10.10.0.0 255.255.0.0 any

pixB(conf)# access-l from_dmz p ip 172.20.0.0 255.255.255.0 172.21.0.0 255.255.255.0

pixB(conf)# access-l from_inside p ip any 172.21.0.0 255.255.255.0

pixB(conf)# access-l from_outside d ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0

Your turn.

pixB(conf)# access-g from_inside in interface inside
....

 

I am afraid this configuration doesnt work. I am still able to
establish connnections bidirectionally from the DMZ of either office to
the inside. It seems that the vpn access lists take precedence over the
interface access lists. It seems to me that some natting is required,
although I dont know how this would work. What I would like is that
an inside host in office A, can connect to a DMZ server in office B.
But no server in the DMZ of office B should be allowed to initiate a
connection with any host in the inside of office A. (and visa versa)

 

Of course. I provided a sketch of the necessary configuration. You have to
complete your configuration from this sketch.

 

actually your configuration does work - after I re-read my post I
realized that what the problem is - the vpn traffic was taking
precedence over the ACL traffic - so I needed to do a "no sysopt
connection ipsec" - which doesn't bypass the ACL. After that your
example worked very well.
Thank you!