11-01-2012 12:47 PM
I have several VPN sites terminating on a 5510 firewall. All work fine, but I can't get the traffic from the VPN sites to communicate with a server on a DMZ on the same firewall.
A packet trace from the outside to the DMZ shows this:
Type: VPN
Subtype: encrypt
Result: DROP
I've configured access to the DMZ the same as to the servers on the inside. I can get to the inside servers OK.
Any ideas?
11-01-2012 02:01 PM
Have you cleared the VPN tunnel down after you added the new DMZ subnet to the crypto ACL? And I also assume that the remote end has added the same mirror-image ACL for their crypto ACL?
Lastly, I also assume that you have configured the NAT exemption on the DMZ interface and performed "clear xlate" after the config?
11-01-2012 04:28 PM
Thanks for the reply, Jennifer.
I have not cleared the tunnel down. How is this done?
I have configured mirrored ACLs.
I have configured a NAT exemption, but I have not cleared the xlate table.
11-01-2012 04:38 PM
To clear the tunnel:
clear cry isa sa
clear cry ipsec sa
To clear the xlate:
clear xlate
Let us know how it goes after clearing it.
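The steps Jennifer lists (DMZ subnet in the crypto ACL, mirror image at the remote end, NAT exemption on the DMZ interface, then clearing xlates and SAs), written out as an added configuration example that is not from this thread. It assumes ASA 8.3+ object-based NAT syntax, a DMZ interface named "dmz", and hypothetical object/ACL names and RFC 5737 documentation addresses.

```cisco
! Added example, not the original poster's config. Hypothetical names and addresses:
! DMZ server subnet 192.0.2.0/24 behind "dmz", remote VPN site 198.51.100.0/24 via "outside".
object network DMZ-NET
 subnet 192.0.2.0 255.255.255.0
object network REMOTE-SITE-NET
 subnet 198.51.100.0 255.255.255.0
!
! 1. Crypto ACL: the DMZ subnet must be listed as interesting traffic for the tunnel.
!    The remote peer needs the exact mirror image (198.51.100.0/24 -> 192.0.2.0/24).
access-list OUTSIDE_CRYPTOMAP_10 extended permit ip object DMZ-NET object REMOTE-SITE-NET
!
! 2. NAT exemption (identity NAT) on the DMZ interface, so DMZ<->VPN traffic keeps its
!    real addresses and matches the crypto ACL instead of a translated address.
nat (dmz,outside) source static DMZ-NET DMZ-NET destination static REMOTE-SITE-NET REMOTE-SITE-NET no-proxy-arp route-lookup
!
! 3. State built before the change (existing xlates and SAs) is not rebuilt on its own,
!    so clear it rather than waiting for it to time out, as happened overnight in the thread.
clear xlate
clear crypto isakmp sa
clear crypto ipsec sa
!
! Verify with the same kind of trace the poster ran (outside -> DMZ); the VPN phase
! should now report ALLOW rather than DROP.
packet-tracer input outside tcp 198.51.100.10 12345 192.0.2.10 443
```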
11-02-2012 12:34 PM
Hi Jennifer,
When I checked this morning it was working, so I'm assuming the xlate timed out overnight, so you were probably correct when you said I should clear the xlate.
Thanks for the help.
11-02-2012 12:50 PM
Excellent. Thanks for the update.