02-15-2012 09:28 AM - edited 03-07-2019 04:57 AM
Sorry in advance for the noob question.
I have two networks, 192.168.10.0 is mine and 192.168.0.0 is my partner's. We are connected by a site-to-site VPN and do not NAT between these subnets. I have recently needed to add a server to my DMZ on a different subnet, 192.168.11.0. This is an application server and it needs to pick up a license from the 192.168.0.0 network.
I see this route listed in my firewall, which I am assuming is so that my lan side and their lan side can talk.
T1 | 192.168.0.0 | 255.255.255.0 | (public ip of the wan side of my gateway) | 1 | None |
So for me to access 192.168.0.0 from my DMZ ... I'm unsure... From the LAN to the WAN to the other network seems clear. Is it just that the DMZ needs to be configured to use this same route, or do I need to add another?
02-15-2012 11:17 AM
Gabriel,
The route towards the remote subnet 192.168.0.0/24 would be used by default; you don't have to configure anything for the routing, but you need to make modifications in the crypto ACL to allow your new DMZ subnet to use the IPsec tunnel. And the same has to be done on the other end as well, i.e. add another statement allowing the remote subnet as source and your DMZ as destination.
For example:
In your ASA Firewall:
access-list tunnelacl extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list tunnelacl extended permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.255.0
In remote end ASA Firewall (a mirror image of the above ACL):
access-list tunnelacl extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list tunnelacl extended permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0
Hope this helps
Neeraj
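An added example, not from the thread or from Cisco: a small Python check that parses both ends' crypto ACLs, confirms that a DMZ host to license server flow is actually selected for the tunnel, and lists every ACE whose mirror entry is missing on the other side. It assumes the ACLs are pasted in as text in the 'permit ip net mask net mask' form used above; the remote ACL is constructed so that the new DMZ line has not been mirrored yet.

```python
import ipaddress
import re

# Constructed sample input: the crypto ACLs from the answer above, one per tunnel end.
LOCAL_ACL = """
access-list tunnelacl extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list tunnelacl extended permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
REMOTE_ACL = """
access-list tunnelacl extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
"""  # constructed to be incomplete: the DMZ mirror entry has not been added yet

# Only the 'permit ip <net> <mask> <net> <mask>' form used in the thread is handled.
ACE_RE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_crypto_acl(text):
    """Return a set of (src_network, dst_network) pairs from the ACL text."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unhandled ACE form: {line}")
        src = ipaddress.ip_network(f"{m[1]}/{m[2]}")  # strict: host bits must be zero
        dst = ipaddress.ip_network(f"{m[3]}/{m[4]}")
        pairs.add((src, dst))
    return pairs

def covers(acl_text, src_host, dst_host):
    """True if some ACE selects src_host -> dst_host for the tunnel (proxy identity match)."""
    s, d = ipaddress.ip_address(src_host), ipaddress.ip_address(dst_host)
    return any(s in src and d in dst for src, dst in parse_crypto_acl(acl_text))

def mirror_mismatches(local_text, remote_text):
    """Return (missing_on_remote, missing_on_local): ACEs whose (dst, src) mirror is absent."""
    local, remote = parse_crypto_acl(local_text), parse_crypto_acl(remote_text)
    missing_on_remote = {(s, d) for s, d in local if (d, s) not in remote}
    missing_on_local = {(s, d) for s, d in remote if (d, s) not in local}
    return missing_on_remote, missing_on_local

if __name__ == "__main__":
    print("DMZ host -> license server selected:", covers(LOCAL_ACL, "192.168.11.5", "192.168.0.20"))
    on_remote, on_local = mirror_mismatches(LOCAL_ACL, REMOTE_ACL)
    for s, d in on_remote:
        print(f"remote end lacks: permit ip {d.network_address} {d.netmask} {s.network_address} {s.netmask}")
    for s, d in on_local:
        print(f"local end lacks:  permit ip {d.network_address} {d.netmask} {s.network_address} {s.netmask}")
```

Running it against the sample prints the one ACE the remote end still needs, which is exactly the second mirror line in the answer above.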
02-15-2012 11:45 AM
Thank you Neeraj!