Allow DMZ to access second IPsec site
My knowledge of NAT and VIPs is somewhat limited so maybe what I'm hoping they can do isn't even a thing so feel free to turn me around and give me a simple "no". :)
Is there a way to allow a server located in a DMZ to access a device located on the other side of an IPsec tunnel without having to add a Phase 2 on both sides?
Remote LAN: 192.168.200.0/24
Can NAT somehow make the server (DMZ) IP 10.0.66.10 look like it's coming from 192.168.100.199 so it can then go through the tunnel's existing Phase 2 and ping/send jobs to a printer on the remote side?
without having to add a Phase 2 on both sides?
Why not? That's the proper way to go.
If you're not able to add a second phase 2 you can try to cover both, LAN and DMZ, with only one.
E.g. change the DMZ network to 192.168.101.0/24 and the phase 2 to 192.168.100.0/23.
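A way to sanity-check the single-Phase-2 suggestion before touching the tunnel, as an added example that is not code from the thread: it computes the smallest prefix that covers all local networks and reports the two things that make an aggregated selector bite, overlap with the remote network and extra address space that gets routed into the tunnel. The local LAN 192.168.100.0/24 is assumed from the 192.168.100.199 address and the /23 in the reply; the DMZ 10.0.66.0/24 is assumed from the server IP 10.0.66.10.

```python
import ipaddress


def phase2_supernet(local_nets, remote_nets):
    """Return (aggregate, problems) for a proposed single Phase 2 local selector.

    aggregate: the smallest single prefix containing every local network.
    problems:  checks a practitioner should do before using that aggregate:
               overlap with the remote selector, and how much address space
               outside the real local networks the aggregate pulls into the
               tunnel as a side effect.
    """
    local = [ipaddress.ip_network(n, strict=True) for n in local_nets]
    remote = [ipaddress.ip_network(n, strict=True) for n in remote_nets]

    # Widen the first local network one bit at a time until it contains
    # every other local network (a supernet always contains what it grew from).
    agg = local[0]
    for net in local[1:]:
        while not agg.supernet_of(net):
            agg = agg.supernet()

    problems = []
    for r in remote:
        if agg.overlaps(r):
            problems.append(f"aggregate {agg} overlaps remote network {r}")

    # Addresses inside the aggregate that belong to none of the local networks:
    # traffic for those would now be selected into the tunnel as well.
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(local))
    extra = agg.num_addresses - covered
    if extra:
        problems.append(
            f"aggregate {agg} pulls in {extra} addresses outside the local networks"
        )

    return agg, problems


if __name__ == "__main__":
    # Assumed addressing from the thread: LAN 192.168.100.0/24 (from
    # 192.168.100.199), DMZ 10.0.66.0/24 (from 10.0.66.10), remote 192.168.200.0/24.
    remote = ["192.168.200.0/24"]

    # As-is: LAN plus the 10.0.66.0/24 DMZ cannot be covered by one sane prefix.
    agg, problems = phase2_supernet(["192.168.100.0/24", "10.0.66.0/24"], remote)
    print("as-is:", agg, problems)

    # After renumbering the DMZ to 192.168.101.0/24 as the reply suggests.
    agg, problems = phase2_supernet(["192.168.100.0/24", "192.168.101.0/24"], remote)
    print("renumbered:", agg, problems)
```

The renumbered case yields 192.168.100.0/23 with no problems, which is exactly the Phase 2 selector from the reply; the as-is case collapses to 0.0.0.0/0, which is why the DMZ has to move into an adjacent, aligned block for the one-Phase-2 approach to work at all.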
I do have it set up with a second Phase 2. I just thought there could be a better way to achieve the same result without having to go through each of the sites and adding a P2.