PIX 525 Firewall guest dmz needs vpn access to internal

Posted on 2006-04-20
Last Modified: 2013-11-16
I have a PIX 525 Firewall with an inside interface, an outside interface, then my DMZ interface for my webservers, and a 4th interface as my guest network, which is DHCP, allowing users connected to it access to the internet only! From time to time we have internal users using this guest network, but they also need to VPN into the internal network to access things on the inside using the Cisco VPN client. My PIX is also my VPN endpoint; the outside interface is what accepts these requests. Is there a way to allow those clients on the guest network DMZ to VPN into the internal network on the same device?
Question by: Andres Perales

    Expert Comment

    That is what we are trying to get done on the following thread.

    It should work the same way as you have it terminating on the outside interface. DMZ is still in a lower security level after all.

    Accepted Solution

    >my PIX is also my VPN end point, the outside interface is what accepts these requests
    Just enable isakmp on the dmz interface as well as the outside, and apply the crypto map to the dmz interface.

    isakmp enable outside
    isakmp enable dmz

    crypto map mymap interface outside
    crypto map mymap interface dmz

    You could create a separate dynmap crypto map for the dmz, but I don't think you have to. You can use the same ip pool and therefore all the other parameters are the same regardless of whether you attach from the outside or from the dmz.
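A fuller PIX 6.x configuration that puts the two commands from the accepted solution in context, as an added example that is not part of the original thread. The interface names (outside, dmz for the guest segment), the pool, access-list, map and group names are assumptions, and the inside network 10.0.0.0/24, the client pool 192.168.100.0/24 and the DNS server address are constructed values.

```text
! Added example (not from the thread): Cisco VPN Client termination on both
! the outside and the guest "dmz" interface of a PIX 6.x. Interface names,
! addresses, pool and group names are assumed or constructed values.

! Address pool handed to VPN clients, whichever interface they arrive on
ip local pool vpnpool 192.168.100.1-192.168.100.50

! Do not NAT inside-to-client traffic; client addresses must be reachable as-is
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the interface access lists
sysopt connection permit-ipsec

! Phase 1: one policy, offered on every interface isakmp is enabled on
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp enable outside
isakmp enable dmz

! Phase 2: one dynamic map serves clients on both interfaces
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL

! The same map is bound to the outside and to the guest interface
crypto map mymap interface outside
crypto map mymap interface dmz

! Group the VPN Client connects with (group password is a placeholder)
vpngroup vpnusers address-pool vpnpool
vpngroup vpnusers dns-server 10.0.0.10
vpngroup vpnusers default-domain example.local
vpngroup vpnusers idle-time 1800
vpngroup vpnusers password <GROUP-PASSWORD-PLACEHOLDER>

! Local user the client authenticates as under XAUTH (password is a placeholder)
username vpnuser1 password <USER-PASSWORD-PLACEHOLDER>
```

Clients on the guest network point the VPN Client at the dmz interface's own address rather than the outside address. Enabling isakmp on the guest interface also exposes IKE to every guest, so the group pre-shared key and the XAUTH credentials become the only things separating guest users from the inside network.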

