cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1996
Views
0
Helpful
2
Replies

Access server in DMZ over site-to-site VPN

stomp-cisco
Level 1
Level 1

Hi everybody. 

I have a site-to-site IPSec vpn tunnel between two ASA 5505 boxes running 8.4 and I have a few questions.  The tunnel works fine, though only in one direction for some reason, but I cannot get to a server in the DMZ on the far side of the tunnel. 

Explaining further, from SiteA I can remote desktop into a server at SiteB without any problem, but I cannot reach another server in the DMZ at SiteB.  The DMZ server is in it's own subnet of course, but can be reached from SiteB via remote desktop just fine.  Both ASA's are unlimited user security plus models.  I mention this because SiteA also has a DMZ and eventually I'll need to get to a server in SiteA's DMZ from SiteB, but for now, just from SiteA to SiteB's DMZ. 

So, in short, I want users in SiteA to be able to access a server in SiteB's DMZ.  The tunnel is between SiteA and SiteB and users in SiteA can currently access servers at SiteB.  It's access to the SiteB DMZ server that's not working.   Here are my questions...

1.  Is what I'm trying to do possible using an ASA (I've read yes and no because the ASA supposedly can't route even though RIP, OSPF and the like can be enabled) ?

2.  Assuming it's possible, don't I just need to add the DMZ network to the traffic list in the crypto map of SiteA (apparently not 'cause I've tried it)?

3.  Still assuming it's possible, what else might I need to do... NAT statement?  Access lists? 

4.  In order to get vpn traffic initiated from either side, SiteB towards SiteA, do I need to check the Reverse Route box and if so, on SiteA, SiteB or both?

Thanks for any help you might give.

-bp

2 Replies 2

elepon06
Level 1
Level 1

Add a policy on SiteB, by allowing the SiteA subnet to SiteB DMZ, then add "no NAT" on SiteB DMZ.

Thanks Eli.

Problem with that is SiteB_DMZ addresses try and go outside instead of over the tunnel.  When I add SiteB_DMZ subnet to the crypto map approved traffic list it still tries to go outside.  Any idea what I'm missing there?  Seems to me that once upon a time access lists were used to identify traffic bound for the tunnel, but this crypto map should do the same right?  Should have mentioned this as one of my questions.  Besides adding SiteB_DMZ subnet to the crypto map traffic selection, what else do I need to do to get SiteB_DMZ bound traffic to go across the tunnel.

By the way, I'm reading up on this and not just waiting for someone to solve my problem for me, but there's so much info and I don't have a test setup so everything is live and you know how fun that is.  Thanks again.