10-09-2009 01:00 PM
So I've been scratching my head and I just can't visualize what I want and how I want to do this.
Here is the overview of my network:
Headquarters: ASA 5505
Site1 : ASA 5505
Site2 : ASA 5505
Site3 : ASA 5505
All Sites are connected L2L to the Headquarters location with Site-to-Site VPN.
From the HQ site I can ping each satellite location, and from each satellite location I can ping the HQ site. I will also mention that all other traffic also flows correctly.
Here is my issue: At the HQ site I have a DMZ configured with a mail/web server. This mail/web server is accessible from my HQ LAN but not from the satellite locations. I need to enable that.
What do I do?
My second issue is that I would like for the satellite sites to see each other's networks. Would I have to create a VPN mesh between the sites, or can this be solved the same way as the DMZ issue?
I'm attaching the show run from my HQ ASA
Show run of HQ ASA
10-09-2009 01:42 PM
For the mail/web server that needs access over the VPN tunnels from the remote site, you need to add the servers to the crypto ACL, similar to how you have it for the inside network. Make sure both sides have the mirrored ACLs. If you are NATting from the DMZ to the outside, make sure you create a NAT exemption from the DMZ to the outside for the VPN traffic.
For the second issue, because you just have three sites, I would recommend creating a site-to-site tunnel between the two satellite sites.
HTH
PS. if you found this post helpful, please rate it.
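As an added illustration of the answer above (not configuration from the original poster's show run), here is what the two mirrored pieces look like in pre-8.3 ASA syntax, which matches the 2009-era 5505s in the thread. The subnets (HQ inside 10.1.1.0/24, HQ DMZ 192.168.100.0/24, Site1 inside 10.2.1.0/24), the ACL names, the interface names and the crypto map name/sequence are all placeholders; substitute the ones already present in your own config.

```cisco
! ===== HQ ASA 5505 =====
! Crypto ACL: what is "interesting" traffic for the Site1 tunnel.
! The first line is the existing inside-to-Site1 entry; the second
! line is the one that was missing - it adds the DMZ subnet so that
! DMZ <-> Site1 traffic is encrypted instead of being sent to the Internet.
access-list HQ-TO-SITE1 extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list HQ-TO-SITE1 extended permit ip 192.168.100.0 255.255.255.0 10.2.1.0 255.255.255.0
!
! NAT exemption: the DMZ is normally PAT'd to the outside address, so
! without this the ASA rewrites the DMZ source and the packet no longer
! matches the crypto ACL. nat 0 on the DMZ interface skips NAT for
! traffic destined to the remote site only.
access-list DMZ_NAT0 extended permit ip 192.168.100.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (dmz) 0 access-list DMZ_NAT0
!
! Bind the crypto ACL to the existing crypto map entry for Site1.
crypto map outside_map 10 match address HQ-TO-SITE1

! ===== Site1 ASA 5505 =====
! Mirror image of the HQ crypto ACL: same pairs of subnets, source and
! destination swapped. If the two ACLs do not mirror each other the
! tunnel for that proxy ID will not negotiate.
access-list SITE1-TO-HQ extended permit ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list SITE1-TO-HQ extended permit ip 10.2.1.0 255.255.255.0 192.168.100.0 255.255.255.0
!
! Matching NAT exemption on the remote side: inside-to-HQ-DMZ traffic
! must also keep its real source address (the inside-to-HQ-LAN line
! should already exist here; only the DMZ line is new).
access-list INSIDE_NAT0 extended permit ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list INSIDE_NAT0 extended permit ip 10.2.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NAT0
!
crypto map outside_map 10 match address SITE1-TO-HQ
```

Repeat the HQ-side pair of lines (crypto ACL entry plus NAT0 entry) once per satellite site, and after saving, check `show crypto ipsec sa` on either end for a second SA pair with the DMZ subnet as the local/remote proxy identity; if only the inside subnet appears, the new entry is not mirrored or the NAT exemption is missing.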
10-12-2009 06:26 AM
That's my problem. I just can't picture that and the "mirroring" of settings at the remote site.
I'll be honest with you, I'm doing all of this through ASDM. The only time I use CLI is for minor things.
For testing and lab purposes I have an additional T1 at our HQ office. To it I hooked up our old PIX 515 (upgraded to ASDM). I VPN-ed it into our HQ site ASA 5505, so it looks like another remote site. I'm using that connection to mess around with things during business hours.
I'm going to include `sh run`s from both the HQ and my remote test site. If you could just point to me where I need to add these lines and in which order and what interface, I would most likely be able to figure it out then.
I really appreciate your help.
Thank you!
10-12-2009 12:35 PM
Thanks man. I should have read your message more carefully... I kept forgetting to exempt NATting back in from the DMZ...
It works now and I finally understand how this works.