I was working on a project to replace a firewall with a Cisco ASA 5510. ASA has an outside interface, inside interface and DMZ. Also there is a site-to-site VPN with another site configured on the ASA. All servers are dual homed, with one interface in the internal network and one in the dmz network. Remote clients were having some issues accessing servers in the DMZ even that the tunnel is up. All servers have their default gateway configured to point to the dmz interface of the ASA. I understand the problem was vpn clients are accessing the servers through the internal network, but the servers were routing the traffic back through the dmz interfaces rather than internal network. I've fixed this by adding static routes in the servers to route to the other site network through the internal network.
My question, will this work if I've added this route in the ASA? I mean was it only a routing issue? or it has something to do with the stateful inspection (or maybe asymmetric routing) where the TCP request and reply must be through the same interface? How come traffic is allowed to return to the remote site through the tunnel only from the internal interface of the ASA and not from the dmz interface?
Second question, in having a site-to-site vpn, how will the ASA know which network behind the remote site? will there be any route dynamically installed in the routing table of the ASA? although I issued the command "show route" and it didnt show the remote internal network, yet it can route the traffic correctly to it.
Thanks for the help in advance
If the ASA sends a packet via one interface it expects to receive it via that same interface (no support for Asymmetric routing).
For an ASA to know which network is behind a Site-to-Site tunnel, you need to define that network in the interesting traffic for VPN
and have a route to that network.
Normally you don't have a route to that network in the ASA because the default route takes care of it.
Hope it helps.
Thanks for your detail answer.
We had another issue for users in the internal network trying to access the websites hosted in the DMZ using their public IP/Hostnames. After so much troubleshooting, we added some NAT rules but most importantly we had to add the command "same-security-traffic permit intra-interface". Can I have more details about this command? and will disable it cause any security flaw?