
vpn traffic to dmz

mickyq
Level 1

I have several VPN sites terminating on a 5510 firewall. All work fine, but I can't get the traffic from the VPN sites to communicate with a server on a DMZ on the same firewall.

a packet trace from the outside to the dmz shows this:

Type: VPN
Subtype: encrypt
Result: DROP

I've configured access to the DMZ the same as to the servers on the inside. I can get to the inside servers OK.

Any ideas?

5 Replies

Jennifer Halim
Cisco Employee

Have you cleared the VPN tunnel down after you added the new DMZ subnet to the crypto ACL? And I also assume that the remote end has added the same mirror-image ACL for their crypto ACL?

Lastly, I also assume that you have configured the NAT exemption on the DMZ interface, and performed "clear xlate" after the config?
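As an added illustration (not part of the original thread or the poster's configuration), the three pieces this answer refers to in ASA 8.2-style syntax (pre-8.3 NAT): the crypto ACL extended with the DMZ subnet, the NAT exemption on the DMZ interface, and the clears that force the new state to take effect. The subnets, ACL names, map name and interface names are constructed assumptions.

```cisco
! ---- Hub ASA 5510 (assumed addressing: inside 10.1.1.0/24, dmz 172.16.5.0/24,
! ---- remote VPN site 192.168.10.0/24; all names are constructed for this example)

! 1. Crypto ACL: the remote site must be allowed to reach the DMZ subnet as well as
!    the inside subnet, otherwise DMZ-bound traffic is never matched by the tunnel
!    (packet-tracer reports Type VPN / Subtype encrypt / Result DROP).
access-list VPN-SITEA extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-SITEA extended permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-SITEA

! 2. NAT exemption on the DMZ interface: VPN traffic must not be translated, or the
!    source address will no longer match the crypto ACL on the way out.
access-list DMZ-NONAT extended permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (dmz) 0 access-list DMZ-NONAT

! 3. Existing SAs and translation entries do not pick up the change by themselves;
!    tear down the tunnel and flush the xlate table, then let the tunnel rebuild.
clear crypto isakmp sa
clear crypto ipsec sa
clear xlate

! ---- Remote site: the mirror image of the crypto ACL (destination/source swapped).
access-list VPN-HUB extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-HUB extended permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0

! ---- Verification on the hub after the tunnel re-establishes: the DMZ proxy identity
!      should appear as its own SA, and a simulated packet should now be encrypted.
show crypto ipsec sa
packet-tracer input dmz tcp 172.16.5.10 1025 192.168.10.5 80
```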

Thanks for the reply Jennifer.

I have not cleared the tunnel down. How is this done?

I have configured mirrored ACLs.

I have configured a NAT exemption but I have not cleared the xlate table.

To clear the tunnel:

clear cry isa sa

clear cry ipsec sa

To clear the xlate:

clear xlate

Let us know how it goes after clearing it.

Hi Jennifer,

When I checked this morning it was working, so I'm assuming the xlate timed out overnight, so you were probably correct when you said I should clear the xlate.

Thanks for the help.

Excellent. Thanks for the update.