Site to site VPN not working for DMZ

IT Asitis
Level 1

Hi,

I'm setting up an ASA 5510 and I have set up a VPN tunnel to our hosting partner. The tunnel is set up exactly as it was on our old firewall, and the tunnel works when using the inside network. However, when using the DMZ1 and DMZ2 networks the tunnel does not work. As far as I can see, everything is set up correctly.

Internal: 10.42.10.0 255.255.255.0
DMZ1:     10.42.1.0 255.255.255.0
DMZ2:     10.42.2.0 255.255.255.0

Source of the tunnel is 10.42.0.0 255.255.0.0

As far as I know, this should cover all the networks.

Any ideas why the tunnel is working fine with Internal but not with the other networks?

/Hilmar

Accepted Solution

Jennifer Halim
Cisco Employee

Can you please post your config so we can look through the configuration?

Perhaps the NAT exemption has not been configured on DMZ1 and DMZ2?


8 Replies


It is now attached.

/H

Which site-to-site VPN is affected?

The first one on the list only includes the 10.42.10.0/24 subnet:

access-list WAN1_cryptomap extended permit ip 10.42.10.0 255.255.255.0 object site-Asitis

Also, please check whether the access-list applied to both DMZ1 and DMZ2 includes access to the remote end.

I should have mentioned that it is the other tunnel we are talking about, TDCH_LAN1 and TDCH_LAN2.

The other one is not an issue at the moment.

/Hilmar

Please remove the following 2 routes:

route WAN1 10.91.70.0 255.255.254.0 213.174.91.3 10

route WAN1 10.91.72.0 255.255.254.0 213.174.91.3 10

After removing the above 2, please kindly share the output of:

show cry ipsec sa

OK, I think I have fixed it.

You said "Perhaps the NAT exemption has not been configured on DMZ1 and DMZ2?" It was only configured for Internal.

I added this for DMZ1 and DMZ2 and now I am able to talk to servers on the other end.

Great tip, by the way.

One thing I noticed was that there is no access rule for Internal (I think that the tunnel should bypass access rules). Can you confirm that this is not needed at all?

/H

Correct. If you don't have any access rule configured on the internal interface, by default the traffic from internal going outbound will be allowed. And for the VPN tunnel, traffic from the remote LAN towards the internal LAN will also be allowed.
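What the fix above looks like as configuration, as an added example that is not the poster's config and was not part of the thread. It assumes the interfaces are named inside, DMZ1, DMZ2 and WAN1, that the remote LAN behind the tunnel is 10.91.70.0/23 (taken from the routes mentioned earlier, but an assumption), and invents the object and ACL names; the three local subnets are the ones from the question. Both the 8.3+ twice-NAT form and the pre-8.3 nat 0 form are shown, since the thread does not say which version the 5510 runs.

```cisco
! Added example, not from the thread. Assumed nameifs: inside, DMZ1, DMZ2, WAN1.
! Assumed remote LAN behind the tunnel: 10.91.70.0/23. Object/ACL names are made up.
!
! --- ASA 8.3 and later: identity (twice) NAT, one rule per source interface ---
object network INTERNAL-NET
 subnet 10.42.10.0 255.255.255.0
object network DMZ1-NET
 subnet 10.42.1.0 255.255.255.0
object network DMZ2-NET
 subnet 10.42.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.91.70.0 255.255.254.0
!
! NAT rules are matched on the interface pair, so an exemption written for
! (inside,WAN1) does nothing for hosts arriving on DMZ1 or DMZ2. Each DMZ
! needs its own identity rule, otherwise its traffic is translated (or dropped)
! before it can match the crypto map and is never encrypted.
nat (inside,WAN1) source static INTERNAL-NET INTERNAL-NET destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (DMZ1,WAN1) source static DMZ1-NET DMZ1-NET destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (DMZ2,WAN1) source static DMZ2-NET DMZ2-NET destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! --- ASA 8.2 and earlier: "nat 0" with an exemption ACL, again per interface ---
access-list DMZ1_nat0_outbound extended permit ip 10.42.1.0 255.255.255.0 10.91.70.0 255.255.254.0
access-list DMZ2_nat0_outbound extended permit ip 10.42.2.0 255.255.255.0 10.91.70.0 255.255.254.0
nat (DMZ1) 0 access-list DMZ1_nat0_outbound
nat (DMZ2) 0 access-list DMZ2_nat0_outbound
!
! --- Verification from the ASA CLI (exec commands, shown as comments) ---
! packet-tracer input DMZ1 tcp 10.42.1.10 40000 10.91.70.10 443
!   -> the NAT phase should show the identity rule and the VPN phase the crypto map
! show nat
! show crypto ipsec sa peer <remote-peer-ip>
!   -> encaps/decaps counters for the 10.42.1.0/24 and 10.42.2.0/24 pairs should increment
```

The crypto ACL in the question already uses the 10.42.0.0/16 supernet, so the interesting traffic definition was never the problem; packet-tracer is the quickest way to see which of the NAT, route or VPN phases is actually dropping a DMZ host's packet.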

IT Asitis
Level 1

OK.

Thanks for your help, Jennifer.

/Hilmar
