https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051207#M398903 <P>Hi,</P><P></P><P>im setting up an ASA 5510 and i have set up a VPN tunnel to our hosting partner. The tunnel is set up exactly as it was on our old firewall and the tunnel works when using the inside network. However when using DMZ1 and DMZ2 networks the tunnel does not work. As far as i see it everything is set up correctly.</P><P></P><P>Internal:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.42.10.0 255.255.255.0&nbsp;&nbsp;&nbsp;&nbsp; </P><P>DMZ1:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.42.1.0 255.255.255.0&nbsp;&nbsp;&nbsp; </P><P>DMZ2:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.42.2.0 255.255.255.0&nbsp;&nbsp;&nbsp; </P><P></P><P></P><P>Source of the tunnel is 10.42.0.0 255.255.0.0</P><P>As far as i know this should cover all the networks.</P><P></P><P>Any ideas why the tunnel is working fine with Internal but not the other networks?</P><P></P><P>/Hilmar</P> Mon, 11 Mar 2019 23:58:11 GMT IT Asitis 2019-03-11T23:58:11Z https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051207#M398903 <P>Hi,</P><P></P><P>im setting up an ASA 5510 and i have set up a VPN tunnel to our hosting partner. The tunnel is set up exactly as it was on our old firewall and the tunnel works when using the inside network. However when using DMZ1 and DMZ2 networks the tunnel does not work. As far as i see it everything is set up correctly.</P><P></P><P>Internal:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.42.10.0 255.255.255.0&nbsp;&nbsp;&nbsp;&nbsp; </P><P>DMZ1:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.42.1.0 255.255.255.0&nbsp;&nbsp;&nbsp; </P><P>DMZ2:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.42.2.0 255.255.255.0&nbsp;&nbsp;&nbsp; </P><P></P><P></P><P>Source of the tunnel is 10.42.0.0 255.255.0.0</P><P>As far as i know this should cover all the networks.</P><P></P><P>Any ideas why the tunnel is working fine with Internal but not the other networks?</P><P></P><P>/Hilmar</P> Mon, 11 Mar 2019 23:58:11 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051207#M398903 IT Asitis 2019-03-11T23:58:11Z https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051208#M398904 <HTML><HEAD></HEAD><BODY><P>can you pls post your config so we can look through the configuration.</P><P></P><P>Perhaps the NAT exemption has not been configured on DMZ1 and DMZ2?</P></BODY></HTML> Mon, 24 Sep 2012 12:43:25 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051208#M398904 Jennifer Halim 2012-09-24T12:43:25Z https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051209#M398905 <HTML><HEAD></HEAD><BODY><P> It is now attached</P><P></P><P>/H</P></BODY></HTML> Mon, 24 Sep 2012 13:23:30 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051209#M398905 IT Asitis 2012-09-24T13:23:30Z https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051210#M398906 <HTML><HEAD></HEAD><BODY><P>Which site-to-site vpn is affected?</P><P>The first one on the list only include 10.42.10.0/24 subnet:</P><P>access-list WAN1_cryptomap extended permit ip 10.42.10.0 255.255.255.0 object site-Asitis</P><P></P><P>Also, pls check if your access-list applied to both DMZ1 and 2 has included access to the remote end.</P></BODY></HTML> Mon, 24 Sep 2012 13:32:20 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051210#M398906 Jennifer Halim 2012-09-24T13:32:20Z https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051211#M398907 <HTML><HEAD></HEAD><BODY><P> That i should have mentioned it is the other tunnel we are talking about TDCH_LAN1 and TDCH_LAN2.</P><P></P><P>The other one is not an issue at the moment.</P><P></P><P>/Hilmar</P></BODY></HTML> Mon, 24 Sep 2012 13:34:58 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051211#M398907 IT Asitis 2012-09-24T13:34:58Z https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051212#M398908 <HTML><HEAD></HEAD><BODY><P>Pls remove the following 2 routes:</P><P></P><P>route WAN1 10.91.70.0 255.255.254.0 213.174.91.3 10</P><P>route WAN1 10.91.72.0 255.255.254.0 213.174.91.3 10</P><P></P><P>After removing the above 2, pls kindly share the output of"</P><P>show cry ipsec sa</P></BODY></HTML> Mon, 24 Sep 2012 13:40:29 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051212#M398908 Jennifer Halim 2012-09-24T13:40:29Z https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051213#M398909 <HTML><HEAD></HEAD><BODY><P> Ok i think i have fixed it. </P><P></P><P>You said&nbsp; "Perhaps the NAT exemption has not been configured on DMZ1 and DMZ2?" it was only configured for Internal. </P><P>I added this for dmz1 and dmz2 and now i am able to talk to servers on the other end. </P><P></P><P>Great tip by the way <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>One thing i noticed was that there is no access rule for internal ( i think that the tunnel should bypass access rules ) can you confirm that this is not needed at all?</P><P></P><P>/H</P></BODY></HTML> Mon, 24 Sep 2012 13:47:19 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051213#M398909 IT Asitis 2012-09-24T13:47:19Z https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051214#M398910 <HTML><HEAD></HEAD><BODY><P>Correct, if you don't have any access rule configured on internal interface, by default the traffic from internal going outbound will be allowed. And for VPN tunnel, traffic from remote LAN towards internal LAN will also be allowed.</P></BODY></HTML> Mon, 24 Sep 2012 13:54:32 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051214#M398910 Jennifer Halim 2012-09-24T13:54:32Z https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051215#M398911 <HTML><HEAD></HEAD><BODY><P> Ok</P><P></P><P>Thanks for your help Jennifer.</P><P></P><P>/Hilmar</P></BODY></HTML> Mon, 24 Sep 2012 13:57:11 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-not-working-for-dmz/m-p/2051215#M398911 IT Asitis 2012-09-24T13:57:11Z