DMZ to Remote Site access

Posted on 2011-05-11
Last Modified: 2012-06-22
In our network we had site 1 connected to site 2 and all the rules were fine. To support another configuration we had to create a DMZ in site 1 to separate out a different IP address range. We then created rules on the DMZ interface to allow access back to site 2 (our home site), but we cannot contact site 2 with these rules.

We would expect them to work, and we have similar rules connecting another DMZ to a remote site, so I believe it may be something simple we have overlooked.

Site 1 and site 2 -  Pix 515E
DMZ address
Site 1 Internal Network
site 2 Network

Rules applied to DMZ Interface in site 1

access-list acl_dmz permit ip
access-list outside_cryptomap_40 permit ip
nat (dmz) 0 access-list dmz_outbound_nat0_acl
access-list dmz_outbound_nat0_acl permit ip
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer remote_Peer
crypto map outside_map 40 set transform-set "removed"

Any Help would be appreciated.
We were also considering whether it is possible to not have access lists on the DMZ, and simply allow all the traffic into the firewall and apply the rules on the outside interface instead.

Regards, Alan.
Question by: Singnetsvc
    LVL 18

    Expert Comment

    This looks right to me.  What does site 2's config look like?  IPSec's a 2-way street.  ;-)
    LVL 3

    Author Comment

    A simple Binding

    access-list acl_inside permit ip
    access-list outside_cryptomap_320 permit ip
    nat (inside) 1 0 0
    crypto map outside_map 320 ipsec-isakmp
    crypto map outside_map 320 match address outside_cryptomap_320
    crypto map outside_map 320 set peer remote_peer2
    crypto map outside_map 320 set transform-set "removed"

    We also did a simple routing test internally in site 1 as follows

    name DMZ_TST
    name INT_TST  
    access-list acl_inside permit ip any host INT_TST
    no access-list acl_dmz permit ip host DMZ_TST any
    static (dmz,inside) INT_TST DMZ_TST netmask 0 0  

    We were able to ping it from the internal network in site 1, and we got a reply back with the hostname of the test machine in the DMZ, so the static translation locally worked. We then tried pinging from site 2 and again it would not work. I am not sure if this would work; theoretically it should, but it was worth a try.

    Regards, Alan
    LVL 14

    Accepted Solution

    At site 2, does nat 0 exist, or was it missed while pasting?
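    As an added example (not part of the thread and not anyone's posted configuration), the following script checks for the mismatch the accepted answer asks about: a crypto map ACL whose traffic has no matching nat 0 exemption, so return traffic to the remote DMZ is translated before it reaches the crypto map. The sample config and its addresses are constructed; real IPs were removed from the question.

```python
"""Audit PIX-style config: every crypto-map 'match address' ACL entry should be
covered by a 'nat (if) 0 access-list' exemption, or the traffic gets NATed."""
import ipaddress
import re

# Constructed sample modelled on the site 2 config in the thread: inside is
# 10.2.0.0/24, the remote DMZ is 192.168.50.0/24 (invented addresses).
SITE2_CONFIG = """
access-list outside_cryptomap_320 permit ip 10.2.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 1 0 0
crypto map outside_map 320 ipsec-isakmp
crypto map outside_map 320 match address outside_cryptomap_320
"""

# Only 'permit ip <net> <mask>' and 'any' operands are parsed; 'host' is not.
ACL_RE = re.compile(r"^access-list (\S+) permit ip (any|\S+ \S+) (any|\S+ \S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")

def net(operand):
    """Turn 'any' or 'A.B.C.D MASK' into an IPv4Network."""
    if operand == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, mask = operand.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse(config):
    acls, crypto_acls, nat0_acls = {}, set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2]), net(m[3])))
        elif m := MATCH_RE.match(line):
            crypto_acls.add(m[1])
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m[1])
    return acls, crypto_acls, nat0_acls

def missing_nat_exemptions(config):
    """Return (acl_name, src, dst) for crypto ACL entries with no nat 0 cover."""
    acls, crypto_acls, nat0_acls = parse(config)
    exemptions = [e for name in nat0_acls for e in acls.get(name, [])]
    def covered(src, dst):
        return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exemptions)
    return [(name, str(src), str(dst))
            for name in sorted(crypto_acls)
            for src, dst in acls.get(name, [])
            if not covered(src, dst)]

if __name__ == "__main__":
    for name, src, dst in missing_nat_exemptions(SITE2_CONFIG):
        print(f"{name}: {src} -> {dst} has no nat 0 exemption")
```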
