pix 525 6.3(5) site-to-site VPN with DMZ access

Discussion in 'Cisco' started by zacharydenison, Mar 17, 2006.

  1. I am trying to create a site to site vpn between 2 offices, let's call
    them Office A and Office B. Each office has an inside zone and a DMZ
    zone. Each office has a pix 525 with version 6.3(5) running on it. I am
    able to create tunnels so that inside A can access inside B, and DMZ A
    can access DMZ B - but I am unable to create the functionality that I
    need. The following is what I would like to do.

    Connectivity Requirements:

    Inside of Office A can access BOTH inside and DMZ of Office B
    DMZ of Office A can ONLY access DMZ of Office B and NOT inside of
    Office B
    Inside of Office B can access Both inside and DMZ of Office A
    DMZ of Office B can ONLY access DMZ of Office A and not inside of
    Office A
    Inside of Office A can access DMZ of Office A
    Inside of Office B can access DMZ of Office B
    DMZ of Office A CANNOT access Inside of Office A
    DMZ of Office B CANNOT access Inside of Office B

    Specifics

    Office A:
    pix outside interface: 99.99.99.99
    pix DMZ interface: 10.10.1.1/16
    pix inside interface: 172.20.1.1/24

    Office B:
    pix outside interface: 100.100.100.100
    pix DMZ interface: 10.11.1.1/16
    pix inside interface: 172.21.1.1/24

    I have checked all the cisco web site examples, I cannot find a single
    example where they do something like that -- Normally we turn off
    natting for VPN, but I am assuming that here we need some kind of
    natting or patting, does anyone have an idea? Also I do not have access
    to the routers in either office, so whatever configuration I need to do
    must be done only on the firewalls.

    Thanks very much in advance.
     
    zacharydenison, Mar 17, 2006
    #1

  2. pixA(conf)# access-l no_nat p ip any 10.0.0.0 255.0.0.0
    pixA(conf)# access-l no_nat p ip any 172.16.0.0 255.240.0.0
    pixA(conf)# access-l no_nat p ip any 192.168.0.0 255.255.0.0

    pixA(conf)# nat (inside) 0 no_nat
    pixA(conf)# nat (dmz) 0 no_nat

    pixA(conf)# access-l vpn p ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
    pixA(conf)# access-l vpn p ip 10.10.0.0 255.255.0.0 172.21.1.0 255.255.255.0
    pixA(conf)# access-l vpn p ip 172.20.1.0 255.255.255.0 10.11.0.0 255.255.0.0
    pixA(conf)# access-l vpn p ip 172.20.1.0 255.255.255.0 172.21.1.0 255.255.255.0

    pixA(conf)# crypto map branch match address vpn

    pixB vice versa
    pixB(conf)# access-l from_outside perm ip 10.10.0.0 255.255.0.0 any
    pixB(conf)# access-l from_dmz p ip 172.20.1.0 255.255.255.0 172.21.1.0 255.255.255.0
    pixB(conf)# access-l from_inside p ip any 172.21.1.0 255.255.255.0
    pixB(conf)# access-l from_outside d ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
    Your turn.

    pixB(conf)# access-g from_inside in interface inside
    ....
     
    Lutz Donnerhacke, Mar 17, 2006
    #2

  3. I am afraid this configuration doesn't work. I am still able to
    establish connections bidirectionally from the DMZ of either office to
    the inside. It seems that the vpn access lists take precedence over the
    interface access lists. It seems to me that some natting is required,
    although I don't know how this would work. What I would like is that
    an inside host in office A can connect to a DMZ server in office B.
    But no server in the DMZ of office B should be allowed to initiate a
    connection with any host in the inside of office A. (and vice versa)
     
    networksecurity, Mar 17, 2006
    #3
  4. Of course. I provided a sketch of the necessary configuration. You have to
    complete your configuration from this sketch.
     
    Lutz Donnerhacke, Mar 20, 2006
    #4
  5. Actually your configuration does work - after I re-read my post I
    realized what the problem was - the vpn traffic was taking
    precedence over the ACL traffic - so I needed to do a "no sysopt
    connection ipsec" - which doesn't bypass the ACL. After that your
    example worked very well.
    Thank you!
     
    networksecurity, Mar 23, 2006
    #5
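    The following is an added, complete PIX 6.3 configuration for the
    policy asked for in post #1; it is not the thread's own configuration
    and not Lutz's sketch. It uses the subnets implied by the interface
    addresses in post #1 (172.20.1.0/24, 10.10.0.0/16, 172.21.1.0/24,
    10.11.0.0/16). Interface names, security levels, the outside netmask,
    the default-route next hops and the pre-shared key placeholder are
    assumptions. The line that makes the whole thing work is the one post
    #5 found: the full command is "no sysopt connection permit-ipsec",
    which stops decrypted tunnel traffic from bypassing the outside ACL.

```cisco
! pixA, Office A: added example, not the thread's own configuration.
! Interface names, security levels, outside netmask and next hop are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 99.99.99.99 255.255.255.0
ip address inside 172.20.1.1 255.255.255.0
ip address dmz 10.10.1.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 99.99.99.1 1

! NAT exemption for everything that crosses the tunnel and for inside->dmz.
! Exemption is not access control: the interface ACLs below decide who may talk.
access-list no_nat permit ip 172.20.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list no_nat permit ip 172.20.1.0 255.255.255.0 172.21.1.0 255.255.255.0
access-list no_nat permit ip 172.20.1.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list no_nat permit ip 10.10.0.0 255.255.0.0 172.21.1.0 255.255.255.0
access-list no_nat permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
nat (inside) 0 access-list no_nat
nat (dmz) 0 access-list no_nat

! Crypto ACL: all four network pairs are encrypted. The dmz->inside-B entry
! is still needed so replies to sessions opened from inside B are tunnelled.
access-list vpn permit ip 172.20.1.0 255.255.255.0 172.21.1.0 255.255.255.0
access-list vpn permit ip 172.20.1.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list vpn permit ip 10.10.0.0 255.255.0.0 172.21.1.0 255.255.255.0
access-list vpn permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0

! Outside ACL. With "no sysopt connection permit-ipsec" (below) it is also
! applied to decrypted tunnel traffic, so it enforces what Office B may initiate.
access-list outside_in permit udp host 100.100.100.100 host 99.99.99.99 eq 500
access-list outside_in permit esp host 100.100.100.100 host 99.99.99.99
access-list outside_in permit ip 172.21.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list outside_in permit ip 172.21.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list outside_in permit ip 10.11.0.0 255.255.0.0 10.10.0.0 255.255.0.0
! implicit deny: DMZ B -> inside A, and anything else arriving from the Internet
access-group outside_in in interface outside

! DMZ ACL: what hosts in DMZ A may initiate. Replies to sessions opened from
! inside A match the connection table and are not subject to this ACL.
access-list dmz_in deny ip 10.10.0.0 255.255.0.0 172.20.1.0 255.255.255.0
access-list dmz_in deny ip 10.10.0.0 255.255.0.0 172.21.1.0 255.255.255.0
access-list dmz_in permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-group dmz_in in interface dmz
! No ACL on inside: security100 may initiate anywhere, which is the requirement.

! IKE/IPsec. The sysopt line is the fix from post #5: without it, decrypted
! traffic bypasses outside_in and DMZ B can reach inside A.
no sysopt connection permit-ipsec
isakmp enable outside
isakmp key PRESHARED-KEY-PLACEHOLDER address 100.100.100.100 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map branch 10 ipsec-isakmp
crypto map branch 10 match address vpn
crypto map branch 10 set peer 100.100.100.100
crypto map branch 10 set transform-set strong
crypto map branch interface outside

! pixB, Office B: identical structure with the two sites swapped.
! Only the lines that differ from pixA are listed.
ip address outside 100.100.100.100 255.255.255.0
ip address inside 172.21.1.1 255.255.255.0
ip address dmz 10.11.1.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 100.100.100.1 1
access-list no_nat permit ip 172.21.1.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list no_nat permit ip 172.21.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list no_nat permit ip 172.21.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list no_nat permit ip 10.11.0.0 255.255.0.0 172.20.1.0 255.255.255.0
access-list no_nat permit ip 10.11.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list vpn permit ip 172.21.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list vpn permit ip 172.21.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list vpn permit ip 10.11.0.0 255.255.0.0 172.20.1.0 255.255.255.0
access-list vpn permit ip 10.11.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list outside_in permit udp host 99.99.99.99 host 100.100.100.100 eq 500
access-list outside_in permit esp host 99.99.99.99 host 100.100.100.100
access-list outside_in permit ip 172.20.1.0 255.255.255.0 172.21.1.0 255.255.255.0
access-list outside_in permit ip 172.20.1.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list outside_in permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list dmz_in deny ip 10.11.0.0 255.255.0.0 172.21.1.0 255.255.255.0
access-list dmz_in deny ip 10.11.0.0 255.255.0.0 172.20.1.0 255.255.255.0
access-list dmz_in permit ip 10.11.0.0 255.255.0.0 10.10.0.0 255.255.0.0
isakmp key PRESHARED-KEY-PLACEHOLDER address 99.99.99.99 netmask 255.255.255.255
crypto map branch 10 set peer 99.99.99.99
```

    Each "DMZ may not reach inside" rule is enforced twice on purpose: on
    the DMZ interface of the office where the connection starts, and on the
    outside interface of the office where it would land. If either side is
    misconfigured the other still blocks it. No natting is needed for the
    restriction itself; the nat 0 entries only keep the tunnelled addresses
    intact. To confirm the outside ACL is really being consulted for
    decrypted traffic, try a connection from a DMZ B host to an inside A
    host and watch the hit counts in "show access-list outside_in" on pixA
    grow on the implicit deny rather than the connection succeeding.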
