DMZ to Remote Site access

Posted on 2011-05-11
Medium Priority
Last Modified: 2012-06-22
In our network we had site 1 connected to site 2 and all the rules were fine. To support another configuration we had to create a DMZ in Site 1 to separate out a different IP address range. We then created rules on the DMZ interface to allow access back to Site 2 (our home site), but we cannot contact site 2 with these rules.

We would expect them to work, and we have similar rules connecting another DMZ to a remote site, so I believe it may be something simple we have overlooked.

Site 1 and site 2 - PIX 515E
DMZ address
Site 1 Internal Network
site 2 Network

Rules applied to DMZ Interface in site 1

access-list acl_dmz permit ip
access-list outside_cryptomap_40 permit ip
nat (dmz) 0 access-list dmz_outbound_nat0_acl
access-list dmz_outbound_nat0_acl permit ip
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer remote_Peer
crypto map outside_map 40 set transform-set "removed"

Any Help would be appreciated.
We were also considering whether it is possible to not have access lists on the DMZ, and simply allow all the traffic into the firewall and apply the rules on the outside interface instead.

Regards, Alan.
Question by:Singnetsvc
LVL 18

Expert Comment

ID: 35740029
This looks right to me.  What does site 2's config look like?  IPSec's a 2-way street.  ;-)

Author Comment

ID: 35744839
A simple Binding

access-list acl_inside permit ip
access-list outside_cryptomap_320 permit ip
nat (inside) 1 0 0
crypto map outside_map 320 ipsec-isakmp
crypto map outside_map 320 match address outside_cryptomap_320
crypto map outside_map 320 set peer remote_peer2
crypto map outside_map 320 set transform-set "removed"

We also did a simple routing test internally in site 1 as follows

name DMZ_TST
name INT_TST  
access-list acl_inside permit ip any host INT_TST
no access-list acl_dmz permit ip host DMZ_TST any
static (dmz,inside) INT_TST DMZ_TST netmask 0 0  

We were able to ping from the internal network in site 1, and we got a reply back with the hostname of the test machine in the DMZ, so the static routing locally worked. So we tried pinging from site 2 and again it would not work. I am not sure if this would work; theoretically it should, but it was worth a try.

Regards, Alan
LVL 14

Accepted Solution

anoopkmr earned 2000 total points
ID: 35769007
At site 2, does a nat 0 exist, or was it missed while pasting?
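The accepted answer points at the classic LAN-to-LAN failure mode on a PIX: the crypto ACLs at both ends must be mirror images, and every flow named in a crypto ACL must also be NAT-exempted with a "nat (iface) 0 access-list" entry, otherwise the source address is translated by the "nat (inside) 1 0 0" PAT rule before the crypto map is consulted and the packet never matches the tunnel. The following checker is an added example, not code from the original thread; the configs it reads are constructed from the fragments posted above with assumed address ranges (192.168.50.0/24 for the site 1 DMZ, 10.20.0.0/16 for the site 2 network, documentation-range peer addresses), and the function names are my own. It only matches on network pairs and does not verify that the nat 0 ACL sits on the interface the traffic actually enters.

```python
"""Sanity-check both ends of a PIX LAN-to-LAN tunnel: mirrored crypto ACLs
and NAT exemption (nat 0) for every flow the crypto ACL selects.
Example code; address ranges and ACL names below are assumptions."""
import ipaddress

# Constructed site 1 config, modelled on the DMZ rules posted in the question.
SITE1 = """
access-list outside_cryptomap_40 permit ip 192.168.50.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list dmz_outbound_nat0_acl permit ip 192.168.50.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 203.0.113.2
"""

# Constructed site 2 config as posted: crypto ACL is mirrored, but only a
# PAT rule (nat 1) exists, so DMZ-bound traffic is translated and never
# matches the crypto map.
SITE2_AS_POSTED = """
access-list outside_cryptomap_320 permit ip 10.20.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 1 0 0
crypto map outside_map 320 ipsec-isakmp
crypto map outside_map 320 match address outside_cryptomap_320
crypto map outside_map 320 set peer 198.51.100.2
"""

# Same config with the missing NAT exemption added (assumed ACL name).
SITE2_FIXED = SITE2_AS_POSTED + """
access-list inside_nat0_acl permit ip 10.20.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_acl
"""


def _net(tok, i):
    """Parse one ACL address operand at tok[i]: 'any', 'host A' or 'A MASK'.
    Returns (network, number of tokens consumed)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), 2


def parse_pix(text):
    """Collect 'permit ip' ACL entries, nat 0 bindings and crypto-map ACL names."""
    cfg = {"acls": {}, "nat0": {}, "crypto_acls": set()}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, used = _net(tok, 4)
            dst, _ = _net(tok, 4 + used)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif len(tok) >= 5 and tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
            cfg["nat0"][tok[1].strip("()")] = tok[4]   # interface -> exemption ACL
        elif len(tok) >= 7 and tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            cfg["crypto_acls"].add(tok[6])
    return cfg


def crypto_flows(cfg):
    """All (src, dst) pairs selected by the crypto-map ACLs."""
    return [f for name in sorted(cfg["crypto_acls"]) for f in cfg["acls"].get(name, [])]


def check_mirror(local, remote):
    """Each local (src, dst) needs a matching (dst, src) in the peer's crypto ACL."""
    remote_flows = set(crypto_flows(remote))
    return [f"no mirror entry on the peer for {s} -> {d}"
            for s, d in crypto_flows(local) if (d, s) not in remote_flows]


def check_nat_exempt(cfg, site):
    """Each crypto flow must fall inside some nat 0 ACL entry; otherwise it is
    translated by the ordinary nat/global rules before the crypto map sees it."""
    exempt = [f for acl in cfg["nat0"].values() for f in cfg["acls"].get(acl, [])]
    return [f"{site}: {s} -> {d} is in the crypto ACL but not in any nat 0 ACL"
            for s, d in crypto_flows(cfg)
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]


def check_tunnel(site_a_text, site_b_text):
    """Return a list of problems; an empty list means both ends agree."""
    a, b = parse_pix(site_a_text), parse_pix(site_b_text)
    return (check_mirror(a, b) + check_mirror(b, a)
            + check_nat_exempt(a, "site1") + check_nat_exempt(b, "site2"))


if __name__ == "__main__":
    for label, site2 in (("as posted", SITE2_AS_POSTED), ("fixed", SITE2_FIXED)):
        print(label, "->", check_tunnel(SITE1, site2) or "OK")
```

Run against the config as posted, the checker reports only the site 2 NAT exemption gap; with the nat 0 binding added it reports nothing. The same check applies to the earlier static test in the thread: a static (dmz,inside) translation proves nothing about the tunnel, because the crypto map on the outside interface only ever sees the post-NAT source address.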
