Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
881
Views
5
Helpful
3
Replies

Site-to-site VPN between inside and dmz interfaces

Go to solution
only.cisco
Level 1
Level 1

‎01-04-2022 06:08 PM - edited ‎01-04-2022 06:10 PM

I have a site-to-site VPN that's mostly working between two ASA 1010s. One is named Central and the other Remote.
ASA Remote has one outside interface and one inside interface. It has a network object named Remote_Inside that specifies the inside network: 192.168.19.0/24. It also has a group object named Remote_VPN that contains the Remote_Inside network object.


ASA Central has an outside and an inside interface, plus a dmz interface. It has a network object named Central_Inside that specifies the inside network: 192.168.75.0/24. It has another network object named Central_DMZ that specifies the dmz network: 192.168.53.0/24. Finally, it has a group object named Central_VPN that contains both the Central_Inside and Central_DMZ network objects.

 

ASA Remote's NAT rule is:
nat (inside,outside) source static Remote_VPN Remote_VPN destination static Central_VPN Central_VPN no-proxy-arp route-lookup

 

ASA Central's NAT rule is the opposite:
nat (inside,outside) source static Central_VPN Central_VPN destination static Remote_VPN Remote_VPN no-proxy-arp route-lookup

 

The two inside networks can talk to each other over the VPN, but Remote_Inside cannot talk to Central_DMZ and vice versa.

 

Do I need static routes somewhere to direct traffic from Remote_Inside to Central_DMZ and back?
Do I need ACLs to let Central_DMZ talk to Remote_Inside?
Do I need separate tunnels for Central_Inside and Central_DMZ?
Do I need separate NAT rules that mention "(dmz,outside)"?


I'm stumped so any help would be appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎01-04-2022 10:13 PM

Hi,

There is a config mistake. There is a nat inside,outside with Central_VPN.
This is at Central side. But your Central_VPN object has both inside and
dmz. So basically you are applying nat for dmz object on inside interface.

Remove this one.

nat (inside,outside) source static Central_VPN Central_VPN destination
static Remote_VPN Remote_VPN no-proxy-arp route-lookup

Use these two.

nat (inside,outside) source static Central_Inside Central_Inside destination
static Remote_VPN Remote_VPN no-proxy-arp route-lookup
nat (dmz,outside) source Central_DMZ Central_DMZ static destination static
Remote_VPN Remote_VPN no-proxy-arp route-lookup

**** please remember to rate useful posts

View solution in original post

3 Replies 3

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎01-04-2022 10:13 PM

Hi,

There is a config mistake. There is a nat inside,outside with Central_VPN.
This is at Central side. But your Central_VPN object has both inside and
dmz. So basically you are applying nat for dmz object on inside interface.

Remove this one.

nat (inside,outside) source static Central_VPN Central_VPN destination
static Remote_VPN Remote_VPN no-proxy-arp route-lookup

Use these two.

nat (inside,outside) source static Central_Inside Central_Inside destination
static Remote_VPN Remote_VPN no-proxy-arp route-lookup
nat (dmz,outside) source Central_DMZ Central_DMZ static destination static
Remote_VPN Remote_VPN no-proxy-arp route-lookup

**** please remember to rate useful posts

Go to solution
only.cisco
Level 1
Level 1
In response to Mohammed al Baqari

‎01-05-2022 09:37 AM - edited ‎01-05-2022 10:52 AM

I had a little trouble getting the dmz line to work (I had forgotten that interface's correct name).  The first thing I tried was changing

source Central_DMZ Central_DMZ static

to

source static Central_DMZ Central DMZ

Not sure if that was necessary but it worked after I corrected the interface name.

 

And since we replaced the source group object with the individual network objects, I did the same for the destinations (in case I ever add more interfaces):

destination static Remote_VPN

to

destination static Remote_Inside

 

Here's what I ended up with:

nat (inside,outside) source static Central_Inside Central_Inside destination static Remote_Inside Remote_Inside no-proxy-arp route-lookup

nat (dmz_web,outside) source static Central_DMZ Central_DMZ destination static Remote_Inside Remote_Inside no-proxy-arp route-lookup

 

For anyone else whose problem is solved by Mr. al Baqari's gratifyingly-complete solution, a couple of notes:

If you're testing with a (failing) continuous ping, Windows might refuse to acknowledge success until you stop and restart the ping.

Also, I'm not sure the VPN setup in ASDM version 7.13(1) can handle this compound NATting.  If not, you can make these corrections after setup - in ASDM's NAT setup, or via the CLI - and it won't disturb your VPN configuration.

 

My sincere thanks for your help,  Mr. al Bagari.  Even the Cisco tech I hired didn't spot this.

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to only.cisco

‎01-05-2022 09:50 AM

Great that I was able to help. You are welcome
0 Helpful
Customers Also Viewed These Support Documents