Static command on cisco PIX Firewall
Posted by Hyeon Cheol on August 18th, 2004


Hello,

I have a PIX with 3 interfaces, one outside, one VPN DMZ and one
inside interface.

My network is using class A address of 10.0.0.0/8 with various
netmasks.

My dedicated VPN encryptor sits on the VPN DMZ network of this PIX and
establishes VPN connections to a couple of remote sites and those
remote sites users need to access outside and inside networks. But I
do not need any access from outside network to VPN DMZ network. Also,
users on the inside network need to access outside and VPN DMZ
networks.

Here are a couple of questions.

                   | Outside (security 0) 210.18.54.0/24
                   | (Internet)
                   |                                      / Remote
                   |                                     /  VPN sites
              ---------   (172.16.1.0/24)     --------------/--
              |  PIX  |------- VPN DMZ -------| VPN Encryptor |
              ---------  (security level 50)  -------------\---
                   |                                        \
                   |                                         \ Remote
                   |                                           VPN sites
                   | Inside (security 100) 10.0.0.0/0

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 210.18.54.10-210.18.54.19 netmask 255.255.255.0
static (inside,VPN-DMZ) 10.114.2.0 10.114.2.0 netmask 255.255.252.0

1. Is there any way for users on the inside network to access the VPN DMZ
network?
(I need to configure this PIX to allow users on the inside network to
communicate with users on the VPN DMZ without NATting.)

2. Is there any way for users on the VPN DMZ to access the inside network?
(I need to configure this PIX to allow users on the VPN DMZ to
communicate with users on the inside network without NATting.)
I used the static command to accomplish this goal, but the result is a
little bit strange to me. When I did a tracert from a host on a VPN remote
site to a host on the inside network, I received the same IP address for
every next-hop router the traceroute passed.

I had expected a different IP address for each next-hop router, but the
result was different from what I expected.

For example:

tracert 10.10.10.10

Result:
10.10.10.10   10ms  10ms  10ms
10.10.10.10   30ms  32ms  31ms
10.10.10.10   41ms  41ms  42ms
traceroute completed

Thank you in advance

Posted by Russell Lusignan on August 19th, 2004


I'd need to see your PIX config to give you the exact commands. You
will need to configure something like this on your PIX:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

Configure your access-lists appropriately on the PIX to allow traffic
between the dmz/inside interfaces.

Hope that helps. If not, post the relevant parts of your config and
we'll try to help.

-Russ
CCIE #9473 (Security/R&S), CISSP
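The following PIX 6.x fragment puts the two identity statics and the access-list together for the three-interface layout in the question. It is an added example, not Russ's reply or the original poster's configuration. The outside pool and the 10.114.2.0/22 inside subnet are taken from the question; the interface hardware IDs, the remote-site subnet 10.200.1.0/24 and the encryptor's DMZ address 172.16.1.2 are assumptions. It also assumes, as the diagram suggests, that the encryptor reaches its remote peers over its own link rather than through the PIX's outside interface.

```cisco
! Interfaces as drawn in the question; "VPN-DMZ" is the name used there.
! Hardware IDs (ethernet0..2) are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 VPN-DMZ security50

! Internet access for inside users, as in the question.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 210.18.54.10-210.18.54.19 netmask 255.255.255.0

! Remote VPN site users enter the PIX on VPN-DMZ and also need the Internet,
! so that interface shares the same global pool (added here, not in the post).
nat (VPN-DMZ) 1 0.0.0.0 0.0.0.0

! Identity statics: an address is translated to itself, so hosts keep their
! real addresses on the far side of the firewall. Without "netmask" a static
! is a single /32 host entry, not a subnet.
!
! The inside subnet 10.114.2.0/22 (from the question) becomes reachable from
! VPN-DMZ, and the same static is what lets inside hosts initiate towards
! VPN-DMZ: a static covering the source is used before "nat 1", and "nat 1"
! has no global pool on VPN-DMZ.
static (inside,VPN-DMZ) 10.114.2.0 10.114.2.0 netmask 255.255.252.0
!
! The encryptor segment and the assumed remote-site subnet keep their
! addresses when they initiate towards inside.
static (VPN-DMZ,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (VPN-DMZ,inside) 10.200.1.0 10.200.1.0 netmask 255.255.255.0

! Remote-site prefixes are reached through the encryptor's DMZ address
! (172.16.1.2 is assumed).
route VPN-DMZ 10.200.1.0 255.255.255.0 172.16.1.2 1

! VPN-DMZ (50) -> inside (100) is lower-to-higher security and is denied
! until an access-list bound to VPN-DMZ permits it. Once the access-group is
! bound, everything else entering VPN-DMZ is denied as well, so the remote
! sites' Internet-bound traffic must be listed too. Sources are limited to
! the encryptor segment and the known remote-site subnet rather than "any".
access-list VPN-DMZ_in permit ip 172.16.1.0 255.255.255.0 10.114.2.0 255.255.252.0
access-list VPN-DMZ_in permit ip 10.200.1.0 255.255.255.0 10.114.2.0 255.255.252.0
access-list VPN-DMZ_in permit ip 10.200.1.0 255.255.255.0 any
access-group VPN-DMZ_in in interface VPN-DMZ

! Deliberately absent: no static (VPN-DMZ,outside) and no access-list on
! outside permitting anything towards 172.16.1.0/24 or 10.200.1.0/24, so
! nothing on the Internet can initiate a connection into the VPN DMZ, which
! is the question's requirement.
```

After adding or changing static entries, run clear xlate so that translations already in the table are rebuilt against the new statics; an old dynamic xlate for a host can otherwise keep using the outside pool. Verify each direction with show xlate and, for the access-list, show access-list, whose hit counts tell you whether the VPN-DMZ entries are matching at all before you start looking at routing on the encryptor.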


doilikeit@empal.com (Hyeon Cheol) wrote in message news:<696aa586.0408180653.1ac38e42@posting.google. com>...