Site to Site VPN with access to remote DMZs (Cisco PIX515)
Posted on 2006-06-07
I have a site-to-site VPN, with site A being 172.16.1.x and site B being 172.16.2.x. This is between a pair of Cisco PIX 515Es with 4-port DMZ cards in each.
Site B also has DMZs 192.168.1.x, 192.168.2.x, 192.168.3.x and 192.168.4.x.
The site-to-site VPN works as expected, but I would like users in site A to be able to reach services in site B's DMZs; for testing I'm just using a host in 192.168.1.x.
I've added the following to site A's nonat and VPN ACLs:
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
I see the hit counts for these rules increment as I attempt to access the test service.
At site B I've then added access for site A's hosts to reach the DMZ hosts:
access-list insidein permit tcp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq https
But I never see this hit counter increment when I request an HTTPS page from a host in DMZ1.
What rule have I missed?