• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 537
  • Last Modified:

Site to Site VPN with access to remote DMZs (Cisco PIX515)

Hi all,

I have a site to site VPN, with site A being 172.16.1.x and site B being 172.16.2.x. This is between a pair of Cisco 515Es with 4 port DMZ cards in each.

Site B also has DMZs 192.168.1.x, 192.168.2.x, 192.168.3.x and 192.168.4.x.

The site to site VPN works as expected, but I would like users in site A to be able to reach services in site B's DMZs, I'm just using a host in 192.168.1.x for testing.

I've added the following to site A's nonat and VPN ACLs:

access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

I see the hit counts for these rules increment as I attempt to access the test service.

At site B I've then added access for site A's hosts to reach the DMZ hosts

access-list insidein permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq https

But never see this hit counter increment when I request an HTTPS page from a host in DMZ1.

What rule have I missed?

Many thanks.
0
Rhubarb
Asked:
Rhubarb
  • 2
1 Solution
 
stressedout2004Commented:
You have to do two things:

1) Modify the match address for the VPN on *both* sides not only on one site.

e.g.

Site A:

access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map siteA 10 match address 101


Site B:

access-list 101 permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map siteB 10 match address 101

2) You should add another access-list entry for the NAT 0 on Site A to include the 192.168.1.0/24 subnet.

e.g

access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

3) On site B, you will need to create a separate access-list entry for the NAT 0 applied on the interface where the actual 192.168.1.0/24 is located. For illustration purposes, lets say that 192.168.1.0/24 is actually on the interface named dmz1 on PIX B. Then you will need to add:

e.g

access-list dmz1_nonat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (dmz1) 0 access-list dmz1_nonat

So on your Site B, you will actually have two nat 0 lines, one for the inside network 172.16.2.0/24 and one for the dmz.

e.g

access-list inside_nonat permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list dmz1_nonat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (inside) 0 access-list inside_nonat
nat (dmz1) 0 access-list dmz1_nonat


Regarding the acl "access-list insidein" which interface is it applied on?








0
 
RhubarbAuthor Commented:
Thanks for the help - I'm out the office now until tomorrow so there will be a short delay in testing it - sorry, will keep you posted.

Regarding your question, insidein is applied to the internal interface.
0
 
RhubarbAuthor Commented:
Many thanks, I was missing just the acl 101 for the site B end of the tunnel.

A perfect answer and really clear, thanks again.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now