Solved

DMZ to Remote Site access

Posted on 2011-05-11
Last Modified: 2012-06-22
In our network we had Site 1 connected to Site 2 and all the rules were fine. To support another configuration we had to create a DMZ in Site 1 to separate out a different IP address range. We then created rules on the DMZ interface to allow access back to Site 2 (our home site), but we cannot contact Site 2 with these rules.

We would expect them to work, and we have similar rules connecting another DMZ to a remote site, so I believe it may be something simple we have overlooked.

Site 1 and Site 2: PIX 515E
DMZ address: 192.168.100.0 255.255.255.0
Site 1 internal network: 10.2.0.0 255.255.255.0
Site 2 network: 172.16.0.0 255.255.0.0

Rules applied to the DMZ interface in Site 1:

access-list acl_dmz permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap_40 permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
access-list dmz_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer remote_Peer
crypto map outside_map 40 set transform-set "removed"


Any help would be appreciated.
We were also considering whether it is possible to not have access lists on the DMZ at all, and simply allow all the traffic into the firewall and apply the rules on the outside interface instead.

Regards, Alan.
Question by:Singnetsvc
3 Comments

Expert Comment

by:jmeggers
ID: 35740029
This looks right to me.  What does site 2's config look like?  IPSec's a 2-way street.  ;-)

Author Comment

by:Singnetsvc
ID: 35744839
A simple binding:

access-list acl_inside permit ip 172.16.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_320 permit ip 172.16.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
crypto map outside_map 320 ipsec-isakmp
crypto map outside_map 320 match address outside_cryptomap_320
crypto map outside_map 320 set peer remote_peer2
crypto map outside_map 320 set transform-set "removed"

We also did a simple routing test internally in Site 1 as follows:

name 192.168.100.100 DMZ_TST
name 10.2.0.249 INT_TST  
access-list acl_inside permit ip any host INT_TST
no access-list acl_dmz permit ip host DMZ_TST any
static (dmz,inside) INT_TST DMZ_TST netmask 255.255.255.255 0 0  

We were able to ping 10.2.0.249 from the internal network in Site 1, and we got a reply back with the hostname of the test machine in the DMZ, so the static routing locally worked. We then tried pinging from Site 2 and again it would not work. I am not sure if this would work; theoretically it should, but it was worth a try.

Regards, Alan

Accepted Solution

by:anoopkmr (earned 2000 total points)
ID: 35769007
At Site 2, does nat 0 exist, or was it missed while pasting?
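The accepted answer points at what the posted Site 2 fragment lacks. Site 1 exempts the DMZ-to-172.16.0.0/16 traffic from NAT (nat (dmz) 0 access-list ...), but Site 2 only has nat (inside) 1 for 172.16.0.0/16, so return traffic towards 192.168.100.0/24 is translated to the outside address before the crypto map is consulted and never matches outside_cryptomap_320. The script below is an added example, not code from the thread or from Cisco; it is a small static checker for a PIX 6.x site-to-site pair that parses both fragments (reconstructed from the post; the inside_nat0_acl name in the corrected Site 2 variant is a hypothetical choice) and reports crypto ACLs that do not mirror each other and interesting traffic that has no nat 0 exemption on either side.

```python
"""Static sanity check for a PIX 6.x site-to-site IPsec pair.

Two things must hold for a tunnel to come up for a given flow:
  1. the crypto ACLs on both peers mirror each other (src/dst swapped);
  2. every flow in a crypto ACL is exempt from NAT (nat 0) on its own side,
     otherwise the packet is translated before the crypto map is consulted
     and never matches the tunnel.
Added illustration; config fragments are constructed from the ones posted.
"""
import ipaddress
import re

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")

_ACL_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
_NAT0_ACL_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
_NAT0_ID_RE = re.compile(r"^nat \((\S+)\) 0 (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
_CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def _parse_addr(tokens):
    """Consume one ACL address spec (any | host A | A MASK); return (Net, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return Net(tokens[1] + "/32"), tokens[2:]
    return Net(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix(config):
    """Return {'acls': name->[(src,dst)], 'nat0': iface->[(src,dst)], 'crypto': seq->acl}."""
    acls, nat0_refs, nat0, crypto = {}, [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := _ACL_RE.match(line):
            src, rest = _parse_addr(m.group(2).split())
            dst, _ = _parse_addr(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := _NAT0_ACL_RE.match(line):
            nat0_refs.append((m.group(1), m.group(2)))  # ACL may be defined later
        elif m := _NAT0_ID_RE.match(line):  # identity nat 0 without an ACL: any destination
            net = Net(f"{m.group(2)}/{m.group(3)}", strict=False)
            nat0.setdefault(m.group(1), []).append((net, ANY))
        elif m := _CRYPTO_RE.match(line):
            crypto[int(m.group(2))] = m.group(3)
    for iface, name in nat0_refs:  # resolve nat 0 ACL references after the full pass
        nat0.setdefault(iface, []).extend(acls.get(name, []))
    return {"acls": acls, "nat0": nat0, "crypto": crypto}


def _covered(flow, exemptions):
    src, dst = flow
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exemptions)


def check_tunnel(local, remote, local_seq, remote_seq):
    """Return a list of problems for one crypto-map pair; an empty list means consistent."""
    l_acl = local["acls"].get(local["crypto"].get(local_seq), [])
    r_acl = remote["acls"].get(remote["crypto"].get(remote_seq), [])
    if not l_acl or not r_acl:
        return ["crypto ACL missing or empty on one side"]
    problems = []
    for side_name, mine, theirs in (("remote", l_acl, r_acl), ("local", r_acl, l_acl)):
        mirrored = {(d, s) for s, d in theirs}
        problems += [f"{side_name} crypto ACL has no mirror of {s} -> {d}"
                     for s, d in mine if (s, d) not in mirrored]
    # Exemptions are flattened across interfaces: this check does not know which
    # interface each source network sits behind, so it is a necessary, not
    # sufficient, condition.
    for side_name, cfg, acl in (("local", local, l_acl), ("remote", remote, r_acl)):
        exemptions = [e for entries in cfg["nat0"].values() for e in entries]
        problems += [f"{side_name}: no nat 0 exemption for {s} -> {d}; "
                     "traffic is translated before the crypto map sees it"
                     for s, d in acl if not _covered((s, d), exemptions)]
    return problems


# Constructed from the fragments in this thread.
SITE1 = """
access-list acl_dmz permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap_40 permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
access-list dmz_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
"""
SITE2_AS_POSTED = """
access-list acl_inside permit ip 172.16.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_320 permit ip 172.16.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
crypto map outside_map 320 ipsec-isakmp
crypto map outside_map 320 match address outside_cryptomap_320
"""
# Hypothetical fix: add the nat 0 exemption the accepted answer asks about.
SITE2_FIXED = SITE2_AS_POSTED + """
nat (inside) 0 access-list inside_nat0_acl
access-list inside_nat0_acl permit ip 172.16.0.0 255.255.0.0 192.168.100.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, site2 in (("as posted", SITE2_AS_POSTED), ("with nat 0 on Site 2", SITE2_FIXED)):
        print(label, check_tunnel(parse_pix(SITE1), parse_pix(site2), 40, 320) or ["OK"])
```

Run against the fragments as posted it reports only the missing Site 2 exemption; with the nat 0 line and its ACL added on Site 2 it reports nothing. The same check also answers the author's second question: the access lists on the DMZ interface are not what blocks the tunnel, so moving them to the outside interface would not change the result.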