Routing between dmzs and best practices

Hi all Pros,

I am looking for best practices for routing between dmzs and a configuration sample. In the diagram attached, I have all my vpn routers (site-2-site and remote access) in their own dmz. Now, all the customers connected through the vpn can access the corporate network at, for example, 10.10.0.0/16, but can't access my dmzs yet! The plan was that customers will only use 192.168.9/24 to connect to the VPN. Once connected, all the traffic will go through 192.168.6.0/24. At the moment they can connect to the corporate network with this setup.

1. To get routing working for dmz200, 300... I'm thinking of hairpinning (sending traffic back out the same interface) the traffic for these dmzs and setting an ACL to permit traffic from vpn-dmz.

Any comments and suggestion are more than welcome,

Thanks in advance,

Jean Paul

12 Replies

Any ideas, pros? Need more clarification? Just let me know.

Jean Paul

Jennifer Halim
Cisco Employee

Sorry, not quite clear on where you actually terminate the VPN tunnels? Are you terminating the VPN tunnels on the ASA itself? And if you are, is it terminated on the outside interface of the ASA, or the vpn-dmz interface of the ASA?

If you are not terminating the VPN on the ASA, where is it terminated, and am I right in assuming that it is just routing through the ASA?

From the diagram, it also looks like there is a routing loop between the corporate network and the dmz-vpn network. Sorry, I don't quite understand the purpose of the dmz-vpn interface/network.

Hi Jenn,

The VPN tunnel is terminated at the vpn-remote router on dmz19 (192.168.9.0/24). Only the isakmp, esp and ah ports are open on the ASA to allow traffic to flow to the remote vpn-router. The original plan was that all traffic coming from the tunnel will flow to 192.168.9.0/ and will be routed through 192.168.6.0/24 to the corporate network. I think that I will need to provide access to the DMZs (100, 200, 300) which I did not plan for when I designed the network. As per the diagram, traffic passes the first ASA and gets to the remote-vpn router through 192.168.9.0/24, and traffic is redirected to DMZ16 at 192.168.6.0/24 to the corporate network at 10.10.0.0/16. Now VPN users can't access DMZ100, 200, 300. I don't want to return any traffic to 192.168.9.0/24; I need traffic to keep going through the second ASA for a double layer of security!

Now to accomplish that, I know I need NAT in the second ASA and routing to send traffic from 192.168.6.0/24 to the first ASA.

Hopefully it is clearer now,

Jean Paul

Thank you very much. That makes a lot more sense now.

So it looks like routing on both ASAs as well as NAT exemption on the first ASA. As far as the first ASA is concerned, all it sees is IPSec encrypted traffic, so it would not even be aware of the clear text traffic between the VPN subnets when it first sees the ESP packet.

Say we are going to route the traffic this way:

On ASA2, you can route traffic towards DMZ subnets (100,200,300) via its interface that connects to dmz0 switch/router.

On dmz0 switch/router, you can route traffic towards DMZ subnets (100,200,300) to ASA1 inside interface.

On ASA1, you would need to configure the appropriate NAT exemption between the inside interface and the DMZ interfaces. On ASA1, you would also need to configure routes towards the remote VPN subnets back towards its inside interface, routing them to ASA2.

Hope that helps.

Hi Jenn,

Perfect, that's exactly the way I want it, and here is how I plan to config it. First of all, let me tell you that ASA1, ASA2 and the inside-dmz0 router are in the same subnet.

ASA1 = 10.10.1.1

ASA2 = 10.10.1.2

dmz0 router = 10.10.1.3

1. Since ASA1 and ASA2 are on the same subnet, traffic from ASA2 can be routed straight to ASA1 with a static route?

2. NAT Exempt in ASA1

nat (dmz100) 0 192.168.100.0 255.255.255.0

nat (dmz200) 0 192.168.200.0 255.255.255.0

nat (dmz300) 0 192.168.300.0 255.255.255.0


3. ASA1 will need static routes to advertise 192.168.100.0-192.168.300.0/24 to ASA2?

4. A default route on the vpn-router pointed to 192.168.6.1/24 ?

That's how I see it. Simple, but it should do the work... I think.

Any suggestions and comments are welcome....

Merci,

Jean Paul from Paris,

1. Yes, you can configure a static route to directly route between the 2 ASAs.

2. No, that is incorrect. Can you please advise what the security level is on the ASA1 inside interface, and also on the DMZ 100, 200, 300 interfaces.

3. No, because you already configured a static route on ASA2 to route the DMZ subnets via the ASA1 inside interface (as per point #1 above).

4. No, on the vpn-router, you would need to configure static routes for the DMZ 100, 200 and 300 subnets to point towards ASA2.

Hi Jenn,

ASA1 INSIDE = 100

dmz100 = 60

dmz200 = 50

dmz300 = 40

I figure that the NAT exempt needs to be on the ASA1 inside interface?

Thanks,

Jean Paul

Spot on...

Here is the format:

access-list nonat permit ip

access-list nonat permit ip

access-list nonat permit ip

...

...

--> you can add other remote-vpn-LAN or vpn client ip pool subnet accordingly to the ACL.

nat (INSIDE) 0 access-list nonat

Hope that helps.

Hi Jenn,

Just to be sure, these ACLs are to be configured in ASA1, which is directly connected to DMZ100, 200, 300?

Thanks,

Jean Paul

Correct... that would be on ASA1.

I just revisited the diagram again, and just realized that you would also need to configure NAT as well on ASA2. What is the security level configured between the 2 interfaces where the traffic passes?

Hi Jenn,

ASA2 only has two interfaces: the outside at 192.168.6.0/24, sec level 0, and the inside at 10.10.1.3, sec level 100.

Thanks,

Jean Paul

In that case, you would need to create the following NAT on ASA2:

access-list nonat permit ip

access-list nonat permit ip

access-list nonat permit ip

nat (inside) 0 access-list nonat

Plus you also need to configure ACL on ASA2 outside interface to allow the traffic inbound:

access-list outside_acl permit ip

access-list outside_acl permit ip

access-list outside_acl permit ip

access-group outside_acl in interface outside

Since you should already have both the ACL for the NAT statement as well as the ACL on the outside of ASA2 (the same is needed for access to the corporate network), just add these lines to what has already been configured.
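Putting the pieces from this thread together, here is an added example configuration that is not from the thread or from Cisco; it uses the pre-8.3 "nat 0 access-list" syntax the replies use. Assumptions not stated in the thread: the remote VPN client pool is 172.16.50.0/24, ASA2's outside address is 192.168.6.1, the vpn-remote router's dmz16 address is 192.168.6.2, and dmz300 is left out because 192.168.300.0 is not a valid IPv4 address.

```cisco
! ===== ASA1 (10.10.1.1): inside=100, dmz100=60, dmz200=50 =====
! NAT exemption on the INSIDE interface: VPN traffic enters ASA1 from ASA2 on INSIDE,
! so the ACL source is the (assumed) VPN pool and the destination is each DMZ subnet.
! nat 0 access-list is bidirectional, so the DMZ-to-VPN return path is covered too.
access-list nonat permit ip 172.16.50.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 172.16.50.0 255.255.255.0 192.168.200.0 255.255.255.0
! add one line per additional site-to-site LAN or client pool, then:
nat (INSIDE) 0 access-list nonat
! Return route for the VPN pool: ASA2's inside address on the shared 10.10.1.0/24 segment.
route INSIDE 172.16.50.0 255.255.255.0 10.10.1.2
! INSIDE (100) to dmz (60/50) is higher-to-lower, so no interface ACL is needed on ASA1
! unless one is already applied to INSIDE; if so it must also permit these flows.

! ===== ASA2 (inside 10.10.1.2 = 100, outside 192.168.6.1 = 0) =====
! NAT exemption: the ACL is read from the inside, so source = DMZ subnet, destination = VPN pool.
access-list nonat permit ip 192.168.100.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list nonat
! Traffic arrives inbound on the lower-security outside interface, so it must be permitted
! explicitly; keep this as tight as the application allows (ip is used here for brevity).
access-list outside_acl permit ip 172.16.50.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_acl permit ip 172.16.50.0 255.255.255.0 192.168.200.0 255.255.255.0
access-group outside_acl in interface outside
! DMZ subnets are reached directly via ASA1 (same subnet, as agreed in the thread).
route inside 192.168.100.0 255.255.255.0 10.10.1.1
route inside 192.168.200.0 255.255.255.0 10.10.1.1
! The VPN pool lives behind the vpn-remote router on dmz16.
route outside 172.16.50.0 255.255.255.0 192.168.6.2

! ===== vpn-remote router (IOS) =====
! DMZ subnets point at ASA2's outside interface, not back toward 192.168.9.0/24.
ip route 192.168.100.0 255.255.255.0 192.168.6.1
ip route 192.168.200.0 255.255.255.0 192.168.6.1

! ===== Verification on each ASA (packet-tracer exists on ASA 7.2 and later) =====
! packet-tracer input outside icmp 172.16.50.10 8 0 192.168.100.10   (on ASA2)
! packet-tracer input INSIDE  icmp 172.16.50.10 8 0 192.168.100.10   (on ASA1)
! Each phase (ROUTE-LOOKUP, ACCESS-LIST, NAT) should show ALLOW; a DROP names the missing piece.
```

Because the exemption ACLs are mirror images on the two firewalls, check both directions with packet-tracer before opening the ACLs wider than the DMZ application needs.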
