PIX-TO-PIX VPN AND DMZ ACCESS?? 2

[TRIG]

I need to set up a VPN IPSec based between a PIX 506 in a remote office (RO) and a PIX 515 with 3 interfaces in a central site (CS). I want to access from the remote office to either INSIDE and DMZ.
Could someone help me?

I was been able to establish the connection between RO INSIDE to CS INSIDE but not from RO INSIDE and CS DMZ.

The addresses are:

CS INSIDE = 192.168.10.0/24
CS DMZ = 192.168.20.0/24
CS OUTSIDE= 212.210.90.200/29

RO INSIDE = 192.168.1.0/24
RO OUTSIDE= 212.210.90.228/29

Thanx in advance

 

[yizhar]

HI.

Is seems like a nat or access-list issue but of course we can not tell you more with out the pix config.
Like with any pix problem, you must also use syslog messages to get more info.

You can use pixcript to generate a sample IPSEC configuration for your pix 515 box, then manually compare it to your existing config and check the differences.
Do NOT copy & paste the sample config to your existing one as manual line by line checkup is more suiteable in your case.

http://teachers.sivan.co.il/yizhar#pixcript

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[Iota]

A partial config would help but... here's how it should be.

You should already have 2 access-lists that relate to the VPN connection (2 per pix)_.

The first access list is probably bound to nat 0 access-list <something> that tells the pix not to nat traffic destined for the remote vpn connection. You need to add the remote DMZ network to this access-list on your RO PIX.

Also, on you RO PIX, you should have an access-list bound to the VPN tunnel it self. You need to add the remote DMZ network to that access-list as well.

Let us know.

-Iota