configuration access

Status
Not open for further replies.

mimmo85

IS-IT--Management
May 19, 2010
7
DE
Hi,
I have a problem with a firewall. I set up a LAN-to-LAN VPN, and the first LAN has a DMZ. From the second LAN I cannot reach the DMZ of the first LAN.
Is there any particular setting?
I have enabled ICMP trace on the second FW, but I do not see the ping from the server on the first LAN.
 
You need to make sure that the DMZ subnet is included in the crypto ACLs of both devices.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
The DMZ subnet is included in the ACL, but I included it at a later time. Is that correct, or do I have to remake the whole crypto?
 
Can you post your crypto ACLs from both devices?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
FW1

access-list 130 extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 130 extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0

FW2

access-list 110 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 110 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0


LAN1 192.168.10.0
DMZ 192.168.20.0

LAN2 192.168.1.0
 
Next thing to look at is whether the 192.168.1/24 subnet is included in either a NAT exemption policy or identity NAT to access the DMZ. Can you post the configuration for FW1?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
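
The first check suggested in this thread, that both peers' crypto ACLs cover the DMZ subnet, can be automated by verifying that the two ACLs are exact mirrors of each other. The script below is an added example, not code from any poster; the function names are hypothetical, it only handles the `permit ip <net> <mask> <net> <mask>` form posted above (no `host`, `any` or object-groups), and `FW2_NO_DMZ` is a constructed variant for comparison.

```python
import ipaddress
import re

# Matches the ASA-style entries shown in the thread:
# access-list <id> extended permit ip <src> <mask> <dst> <mask>
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)

def parse_crypto_acl(text):
    """Return the set of (source, destination) networks in a crypto ACL."""
    pairs = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # skip blanks and lines in other formats
        src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
        dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
        pairs.add((src, dst))
    return pairs

def mirror_gaps(local_acl, peer_acl):
    """Entries each side is missing for the two ACLs to be exact mirrors."""
    local, peer = parse_crypto_acl(local_acl), parse_crypto_acl(peer_acl)
    mirrored_local = {(d, s) for s, d in local}
    mirrored_peer = {(d, s) for s, d in peer}
    return {
        "missing_on_peer": sorted(mirrored_local - peer),
        "missing_on_local": sorted(mirrored_peer - local),
    }

# ACLs as posted in the thread
FW1 = """
access-list 130 extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 130 extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
FW2 = """
access-list 110 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 110 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
"""
# Constructed variant: FW2 without the DMZ entry
FW2_NO_DMZ = FW2.replace(
    "access-list 110 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0\n", "")

if __name__ == "__main__":
    print(mirror_gaps(FW1, FW2))         # posted ACLs
    print(mirror_gaps(FW1, FW2_NO_DMZ))  # constructed mismatch
```

The posted ACLs produce no gaps, which is why the thread moves on to the NAT exemption question; the constructed variant reports the DMZ pair as missing on the peer.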
 