VPN to DMZ

Answered Question
Dec 11th, 2007

Hi,

I have an ASA5505 at the remote end (IP Base) with a server in the DMZ. DMZ is 10.102.1.0/24 and LAN is 172.16.0.0/16.

I have created a site-to-site tunnel from our network and can connect to 172.16.0.0/16 fine. I have also added to the crypto map to pass 10.102.1.0/24 traffic down the tunnel. I have also permitted outside-to-inside traffic to the DMZ from my LAN subnet.

I still can't ping the DMZ from my LAN - is this possible or am I missing something?

Thanks

Correct Answer by husycisco about 9 years 1 month ago

You should add conditional NAT exempt rules.

Remote ASA:

access-list dmz_nat0_outbound permit ip 10.102.1.0 255.255.255.0 yourlocallan netmask
nat (DMZ) 0 access-list dmz_nat0_outbound

Your ASA:

access-list inside_nat0_outbound permit ip locallan netmask 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound permit ip yourlocallan netmask 10.102.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

access-list outside_xxx_cryptomap permit ip locallan netmask 172.16.0.0 255.255.0.0
access-list outside_xxx_cryptomap permit ip locallan netmask 10.102.1.0 255.255.255.0

Regards
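As an added example, not part of the thread and not an ASA command: a small Python check that parses ASA-style access-list and nat 0 lines and reports, for one flow, whether each peer carries it in its crypto ACL and in a NAT-exempt ACL, mirrored. The local LAN (192.168.50.0/24), the crypto ACL names and the two sample configs are constructed assumptions.

```python
# Added check for the VPN-to-DMZ case above: each flow must be in the crypto ACL
# and in a 'nat (iface) 0' exempt ACL on both peers, with the peers mirrored.
import ipaddress
import re

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)")

# Constructed sample; the local LAN (a placeholder in the thread) is assumed to be
# 192.168.50.0/24. Local ASA as the poster left it: DMZ in the crypto ACL only.
LOCAL_ASA = """
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_xxx_cryptomap permit ip 192.168.50.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_xxx_cryptomap permit ip 192.168.50.0 255.255.255.0 10.102.1.0 255.255.255.0
"""
# Remote ASA, DMZ-related lines only, after the answer's fix (the mirror image).
REMOTE_ASA = """
access-list dmz_nat0_outbound permit ip 10.102.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (DMZ) 0 access-list dmz_nat0_outbound
access-list outside_cryptomap permit ip 10.102.1.0 255.255.255.0 192.168.50.0 255.255.255.0
"""

def parse(config):
    acls, nat0 = {}, set()  # acl name -> [(src, dst)], names bound with 'nat (x) 0'
    for line in config.splitlines():
        if m := ACL_RE.match(line.strip()):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line.strip()):
            nat0.add(m.group(1))
    return acls, nat0

def covered(entries, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def peer_problems(config, crypto_acl, src, dst):
    acls, nat0 = parse(config)  # this peer's view of traffic leaving it: src -> dst
    problems = []
    if not covered(acls.get(crypto_acl, []), src, dst):
        problems.append(f"{src}->{dst} missing from crypto ACL {crypto_acl}")
    if not any(covered(acls.get(n, []), src, dst) for n in nat0):
        problems.append(f"{src}->{dst} not NAT-exempt: translated before the crypto map")
    return problems

def tunnel_problems(local, local_crypto, remote, remote_crypto, lan, far):
    lan, far = ipaddress.ip_network(lan), ipaddress.ip_network(far)
    return ([f"local: {p}" for p in peer_problems(local, local_crypto, lan, far)]
            + [f"remote: {p}" for p in peer_problems(remote, remote_crypto, far, lan)])  # mirror
```

Run against the sample, the only finding is the missing local nat 0 entry for the DMZ subnet, which is exactly the line the answer above adds.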


Jon Marshall Tue, 12/11/2007 - 02:22

Hi

Could you just elaborate on the topology? When you say you can't ping the DMZ from your LAN, is this the same LAN as 172.16.0.0/16, or is this the remote network?

Jon
