IPSEC Site-to-site tunnel is up and passing traffic between the 192.168.x.x subnets, but not the DMZ subnet.

Jesserony
Level 1

Hello,

I have created an IPSEC Site to Site tunnel between an ASA 5506 in Singapore and an ASA 5505 in New York.
I would like our Singapore network (192.168.192.0 /24) to be able to communicate with two subnets in New York, our internal subnet (192.168.170.0 /24) and our DMZ (172.20.43.0 /24). The DMZ is configured on an ASA 5516 connected to the ASA 5505 through a 9300 series switch at the New York site.

The tunnel is up and passing traffic between the 192.168.x.x subnets, but not the DMZ subnet.

The ASA 5505 in New York (192.168.170.26) is able to ping hosts in the DMZ.

To try and rule out access rules, I created test rules at the top of the ACL for each interface on the ASA 5516, allowing any ICMP to the target DMZ server, but it didn't make a difference.

Before I continue troubleshooting, I was wondering if there is some obvious thing to do. I searched the internet and found that some people's answers to this problem involve NAT rules, but I am not sure if that is the answer, and the 5516 is a production ASA that I am afraid to "try a bunch of things" on...

Attaching snipped/censored configs.

Thank you in advance for any advice!

Jesse

Accepted Solution

ilay
VIP

I think you need to configure NAT exemption for the address group of CoLo_DMZ on NY-ASA5505.

The current configuration already covers only your internal subnet (192.168.17.0/24). You only need to add the DMZ address, or use "local-Singapore" to replace the existing "CoLo_Inside" configuration.

Config example (you can choose either of them):

1. Add a CoLo_DMZ NAT exemption:

nat (inside,outside) source static CoLo_DMZ CoLo_DMZ destination static Remote_Singapore Remote_Singapore no-proxy-arp route-lookup

2. Replace "CoLo_Inside" with the "local-Singapore" object group:

no nat (inside,outside) source static CoLo_Inside CoLo_Inside destination static Remote_Singapore Remote_Singapore no-proxy-arp route-lookup

nat (inside,outside) source static local-Singapore local-Singapore destination static Remote_Singapore Remote_Singapore no-proxy-arp route-lookup


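Put together here as an added example, not configuration from the original post or from ilay's reply: the NY-ASA5505 side of the fix, showing the objects, the "before" rule that exempts only the inside subnet, the "after" identity rule for the whole local-Singapore group, the matching crypto ACL, and the commands to verify the result. The object names are the ones used in the thread; their subnet membership, the ACL and crypto-map names (VPN_SG_TRAFFIC, outside_map), and the test host addresses are assumptions.

```cisco
! Added example (not the thread's own config). Object names follow the
! thread; subnet members, ACL/crypto-map names and test hosts are assumed.
!
! Local and remote subnets as network objects
object network CoLo_Inside
 subnet 192.168.170.0 255.255.255.0
object network CoLo_DMZ
 subnet 172.20.43.0 255.255.255.0
object network Remote_Singapore
 subnet 192.168.192.0 255.255.255.0
!
! One group holding every local subnet that must reach Singapore untranslated
object-group network local-Singapore
 network-object object CoLo_Inside
 network-object object CoLo_DMZ
!
! BEFORE: only the inside subnet is exempt. DMZ -> Singapore packets fall
! through to the dynamic PAT rule, get the outside address as source, no
! longer match the crypto ACL and are never encrypted.
! nat (inside,outside) source static CoLo_Inside CoLo_Inside destination static Remote_Singapore Remote_Singapore no-proxy-arp route-lookup
!
! AFTER: one identity (no-NAT) rule for the whole group. Manual NAT rules
! are first-match in order, so it is inserted at line 1 of section 1.
no nat (inside,outside) source static CoLo_Inside CoLo_Inside destination static Remote_Singapore Remote_Singapore no-proxy-arp route-lookup
nat (inside,outside) 1 source static local-Singapore local-Singapore destination static Remote_Singapore Remote_Singapore no-proxy-arp route-lookup
!
! The interesting-traffic ACL is matched on post-NAT addresses and must
! cover the same pairs, on both peers, or the exemption alone does nothing.
access-list VPN_SG_TRAFFIC extended permit ip object-group local-Singapore object Remote_Singapore
crypto map outside_map 10 match address VPN_SG_TRAFFIC
!
! Verification (172.20.43.10 and 192.168.192.10 are assumed hosts):
! show nat detail
!   -> the identity rule should accumulate translate_hits for DMZ sources
! packet-tracer input inside icmp 172.20.43.10 8 0 192.168.192.10 detailed
!   -> NAT phase should report the identity rule, VPN phase should ALLOW
! show crypto ipsec sa
!   -> a local ident of 172.20.43.0/24 with #pkts encaps increasing
```

Two checks worth doing alongside the NAT change: the Singapore ASA needs the mirror image (a NAT exemption and crypto ACL entry naming 172.20.43.0/24 as the remote subnet, so the IKEv1/IKEv2 proxy IDs agree), and the 5516 needs a route for 192.168.192.0/24 pointing back at the 5505, otherwise return traffic from the DMZ leaves by the 5516's own default route instead of the tunnel.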
2 Replies


I chose option 2, and it worked!!! Thank you so much, you saved me a huge headache. I was really thinking the problem was on our 5516, which I did not want to touch! You are great!