From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Thu Jul 19 2007 - 11:12:31 ART
Hi,
Thanks for your reply. The thing is that my customer has some particular
constraints. For me the easiest solution would be to static NAT their
outside interface and, through NAT-T, terminate the tunnel on the outside.
But their company has some strict separation between security guys and
routing/switching guys, so they don't want routers doing NAT or
terminating VPNs, for some strange reason.
Although the SAFE blueprint is indeed worth looking at.
If anybody has any ideas whether this is possible, please do tell. Until
now all my tests were not successful.
Thanks
Gustavo Novais
-----Original Message-----
From: Patrick Galligan [mailto:pgalligan@gmail.com]
Sent: Thursday, 19 July 2007 11:09
To: Gustavo Novais
Subject: Re: PIX/ASA Tunnel terminating on not directly facing interface.
On 7/19/07, Gustavo Novais <gustavo.novais@novabase.pt> wrote:
>
> Is it possible for me to terminate a tunnel on a DMZ interface on the
> ASA, but with the traffic coming from the outside network?
>
I don't think this is possible. However, I haven't touched a PIX/ASA
since I started this job about a year ago so perhaps new versions will
allow it. PIX was always more restrictive when it came to talking to
its interfaces, especially from a different security level.
Any reason why you aren't considering an IOS router to terminate the
tunnel in the DMZ? This was Cisco recommended practice last time I
read the SAFE blueprints (which was not recently).
-- You can't cheat death forever, but you can make the b!stard work for it.
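As an added illustration (not configuration from either poster), the "static NAT the outside interface and terminate the tunnel through NAT-T" approach Gustavo describes as his easiest option looks roughly like the following. The interface names, addresses (203.0.113.1 for the router's public address, 10.1.1.2 for the ASA outside interface behind it) and the ASA 7.2-style command syntax are all assumptions:

```cisco
! --- Perimeter IOS router in front of the ASA (hypothetical names and addresses) ---
interface GigabitEthernet0/0
 description Internet-facing
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description Link to ASA outside interface
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Forward IKE (UDP/500) and NAT-T (UDP/4500) to the ASA.
! Native ESP (IP protocol 50) has no ports and cannot be mapped per port,
! which is why the tunnel must negotiate NAT-T and ride UDP/4500.
ip nat inside source static udp 10.1.1.2 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 10.1.1.2 4500 interface GigabitEthernet0/0 4500
!
! --- ASA (assumed 7.2-style syntax), terminating the tunnel on its outside interface ---
crypto isakmp enable outside
crypto isakmp nat-traversal 20
```

The remote peer is then pointed at the router's public address (203.0.113.1 in this example) as the tunnel endpoint. Two things to check before calling the design done: that both ends actually negotiate NAT-T (the NAT sits between them, so the NAT-discovery payloads must detect it, and ESP without NAT-T will simply be dropped at the router), and that the remote side accepts the ASA's IKE identity, which by default will be its private outside address rather than the public one the peer is configured with.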
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART