Allow DMZ to access second IPsec site



  • My knowledge of NAT and VIPs is somewhat limited so maybe what I'm hoping they can do isn't even a thing so feel free to turn me around and give me a simple "no". :)

    Is there a way to allow a server located in a DMZ to access a device located on the other side of an IPsec tunnel without having to add a Phase 2 on both sides?

    LAN: 192.168.100.0/24
    DMZ: 10.0.66.0/24
    Remote LAN: 192.168.200.0/24

    Server: 10.0.66.10
    Printer: 192.168.200.30

    Can NAT somehow make the server (DMZ) IP 10.0.66.10 look like it's coming from 192.168.100.199 so it then can go through the tunnel's existing Phase 2 and ping/send jobs to a printer on the remote side?



  • @PL-EPI said in Allow DMZ to access second IPsec site:

    without having to add a Phase 2 on both sides?

    Why not? That's the proper way to go.

    If you're not able to add a second phase 2 you can try to cover both, LAN and DMZ, with only one.
    E.g. change the DMZ network to 192.168.101.0/24 and the phase 2 to 192.168.100.0/23.
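
As an added check, not code from either poster, this Python script works out the single Phase 2 selector that would cover both the LAN and a renumbered DMZ as suggested above, and refuses selectors that would swallow the remote network or grow far beyond the original subnets. The network values are the ones quoted in this thread; the "too broad" limit of one extra prefix bit is an assumption.

```python
import ipaddress
from typing import Iterable, Optional

# Networks quoted in the thread: local LAN, the suggested renumbered DMZ,
# the original DMZ and the remote LAN behind the IPsec tunnel.
LAN = ipaddress.ip_network("192.168.100.0/24")
DMZ_RENUMBERED = ipaddress.ip_network("192.168.101.0/24")
DMZ_ORIGINAL = ipaddress.ip_network("10.0.66.0/24")
REMOTE = ipaddress.ip_network("192.168.200.0/24")


def covering_supernet(nets: Iterable[ipaddress.IPv4Network]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every given network."""
    nets = list(nets)
    candidate = nets[0]
    # Widen the prefix one bit at a time until all networks fit inside it.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def plan_phase2(local_nets: Iterable[ipaddress.IPv4Network],
                remote_net: ipaddress.IPv4Network,
                max_extra_bits: int = 1) -> Optional[ipaddress.IPv4Network]:
    """Return one local Phase 2 selector covering local_nets, or None if unsafe.

    None is returned when the selector overlaps the remote selector (local
    traffic to the remote LAN would be swallowed by the tunnel policy) or when
    it is wider than the largest local network by more than max_extra_bits
    (assumed threshold: it would also pull unrelated address space into the SA).
    """
    local_nets = list(local_nets)
    selector = covering_supernet(local_nets)
    if selector.overlaps(remote_net):
        return None
    largest = min(local_nets, key=lambda n: n.prefixlen)
    if largest.prefixlen - selector.prefixlen > max_extra_bits:
        return None
    return selector


def host_in_selector(host: str, selector: ipaddress.IPv4Network) -> bool:
    """True if traffic from this host would match the Phase 2 selector."""
    return ipaddress.ip_address(host) in selector


if __name__ == "__main__":
    print(plan_phase2([LAN, DMZ_RENUMBERED], REMOTE))   # 192.168.100.0/23
    print(plan_phase2([LAN, DMZ_ORIGINAL], REMOTE))     # None: no sane single prefix
```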



  • I do have it set up with a second Phase 2. I just thought there could be a better way to achieve the same result without having to go through each of the sites and adding a P2.

