
Linksys to Pix ipsec tunnel, allowing access to both dmz and inside


jpp (MIS), US, Jul 13, 2000
Greetings:

Environment:

Pix at headquarters. Pix has DMZ 192.168.0.x and INSIDE 192.168.99.x networks

Linksys vpn routers in satellite offices.
I'll use two example satellite offices:
one at 192.168.33.x
another at 192.168.58.x

IPSEC tunnel between Pix and each Linksys.


Question:

I want the satellite office machines to be able to get to machines on both the headquarters DMZ network and the INSIDE network, via the vpn.

What's the best way to set this up?

I've been told to take this approach:
on the Pix, use this ACL for the tunnels:
access-list VPN-ACL permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

this works fine for my first vpn tunnel, e.g. a 192.168.33.x can talk to both DMZ and INSIDE machines.
However, I am about to add the next tunnel, between the Pix and the 192.168.58.x linksys - and I am wondering....
How will the Pix know which peer to send packets to if the ACL is referring to "all" the 192.168.x.x networks ?
e.g. if a packet is meant for 192.168.33.44, how will the Pix know to send it via the 192.168.33.x tunnel?

thanks.
 
3 separate ACLs

one like you have, used for NAT 0
then one each for each VPN

like this example

access-list acl-to-aurora permit ip net-peoria 255.255.255.0 net-aurora 255.255.255.0
access-list acl-to-lafayette permit ip net-peoria 255.255.255.0 net-lafayette 255.255.255.0
access-list acl-nat-inside permit ip net-peoria 255.255.255.0 net-192-privates 255.255.0.0

nat (inside) 0 access-list acl-nat-inside

isakmp key ******** address pix-outside-aur netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address pix-outside-laf netmask 255.255.255.255 no-xauth no-config-mode

Brian
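The three-ACL layout Brian describes, written out as a complete PIX 6.x crypto map for jpp's two satellite sites. This is an added example, not configuration from Brian's post or from anyone on the thread. The subnets are the ones jpp gave (DMZ 192.168.0.0/24, inside 192.168.99.0/24, satellites 192.168.33.0/24 and 192.168.58.0/24); the peer addresses 192.0.2.10 and 198.51.100.20, the map name VPN-MAP, the transform set and the ISAKMP policy are assumptions. What it shows is how the PIX answers jpp's "which peer" question: crypto map entries are evaluated in ascending sequence number, and the first entry whose `match address` ACL hits supplies the peer. Each entry therefore needs an ACL that names only that site's subnet. If both entries pointed at the wide `192.168.0.0 255.255.0.0` ACL, entry 10 would also match traffic for 192.168.58.x and send it to the Aurora peer.

```cisco
! --- Crypto ACLs: one per site, listing only that site's subnet as destination.
! Both headquarters networks (DMZ and inside) are sources, so satellite hosts
! reach both through the same tunnel.
access-list acl-to-aurora permit ip 192.168.99.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list acl-to-aurora permit ip 192.168.0.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list acl-to-lafayette permit ip 192.168.99.0 255.255.255.0 192.168.58.0 255.255.255.0
access-list acl-to-lafayette permit ip 192.168.0.0 255.255.255.0 192.168.58.0 255.255.255.0

! --- NAT exemption: one wide ACL per interface that sources tunnel traffic,
! so site-to-site packets are never translated before encryption.
access-list acl-nat-inside permit ip 192.168.99.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list acl-nat-dmz permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list acl-nat-inside
nat (dmz) 0 access-list acl-nat-dmz

! --- Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! --- Phase 2 proposal (assumed: 3DES/SHA).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! --- One crypto map entry per peer. Entry 10 is checked first; a packet for
! 192.168.58.x does not match acl-to-aurora, so evaluation falls through to 20.
crypto map VPN-MAP 10 ipsec-isakmp
crypto map VPN-MAP 10 match address acl-to-aurora
crypto map VPN-MAP 10 set peer 192.0.2.10
crypto map VPN-MAP 10 set transform-set ESP-3DES-SHA
crypto map VPN-MAP 20 ipsec-isakmp
crypto map VPN-MAP 20 match address acl-to-lafayette
crypto map VPN-MAP 20 set peer 198.51.100.20
crypto map VPN-MAP 20 set transform-set ESP-3DES-SHA
crypto map VPN-MAP interface outside

! --- Phase 1: one pre-shared key per peer, keyed to that peer's public address.
! The /32 netmask means the key is only offered to that one address.
isakmp enable outside
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 198.51.100.20 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two checks are worth doing after this is in place. `show crypto map` lists the entries with their ACL and peer, confirming each subnet pair is tied to exactly one peer, and `show crypto ipsec sa` shows a separate SA for every ACL line (local ident / remote ident) once traffic has flowed, each under its own peer address. The Linksys end has to propose the mirror image of its PIX ACL lines (local 192.168.33.0/24, remote 192.168.0.0/24 and 192.168.99.0/24); a phase 2 proposal whose selectors do not match a line in the PIX ACL is refused, so a Linksys that can only express one remote subnet per tunnel would need the PIX line written as the summary `192.168.0.0 255.255.0.0` to `192.168.33.0 255.255.255.0` instead of the two /24 lines.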
 
thanks Brian.

The Pix is not doing NAT, our router is.
So would this fact affect the NAT statement and the ACL's that you suggested?
 