Site-to-Site VPN to DMZ

Oct 21st, 2008

I have two sites UK/France that terminate on my ASA5510. They need access to our webservers in the DMZ. My configuration for the sites on my ASA are as follows:

access-list No-NAT-DMZ extended permit ip object-group UK-Networks (

access-list No-NAT-DMZ extended permit ip object-group France-Networks (

access-list DMZ extended permit ip host iis-public-in01 object-group UK-Networks

access-list DMZ_access_out extended permit ip object-group UK-Networks host iis-public-in01

I'm not sure if my European counterparts have changed their settings as this has worked before. Now, they cannot see our webservers.

acomiskey Tue, 10/21/2008 - 10:36
User Badges:
  • Green, 3000 points or more

A few questions.

1. What are the access-group commands associated with your DMZ ACLs?

access-group DMZ in interface DMZ?

access-group DMZ_access_out out interface DMZ?

2. Is iis-public-in-01 a 172.16.110.x address? If not, it should be.

jgorman1977 Tue, 10/21/2008 - 10:50

1. You are correct

2. IIS-public-in01 is a 172.16.110.x/24 address

ajagadee Tue, 10/21/2008 - 18:39
User Badges:
  • Cisco Employee,

Hello Jason,

Do you see the IPsec SA built for the two locations mentioned above? Also, what do you see under encrypts and decrypts?

Below is a URL that has information on some of the most common L2L and Remote Access IPsec VPN troubleshooting solutions.



** Please rate if it helps **

jgorman1977 Wed, 10/22/2008 - 05:37

The UK firewall was not passing that subnet over to us. They recently upgraded and missed that statement.

Thanks for the assistance.
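The root cause in this thread (the UK side's crypto ACL lost the statement for the DMZ subnet after an upgrade) is a classic site-to-site mismatch: the interesting-traffic ACLs on the two peers must mirror each other, and a subnet present on one side but missing on the other means that traffic never gets a matching SA, so the far end shows no decrypts for it. The script below is an added example, not code from this thread or from Cisco; it parses simplified ASA-style `object-group network` and `access-list ... permit ip` lines from both peers, expands the object groups, and reports every (source, destination) pair on one side that the other side does not mirror. The configuration text, the ACL names `VPN-UK`/`VPN-HQ`, the group names and the prefixes are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

IPv4Net = ipaddress.IPv4Network
Pair = Tuple[IPv4Net, IPv4Net]

# Constructed sample crypto ACLs (not taken from the thread). The HQ side
# lists both the DMZ subnet and an inside subnet as interesting traffic;
# the UK side, as in the thread's resolution, is missing the DMZ subnet.
HQ_CONFIG = """
object-group network UK-Networks
 network-object 10.10.0.0 255.255.0.0
object-group network DMZ-Networks
 network-object 172.16.110.0 255.255.255.0
 network-object 192.168.50.0 255.255.255.0
access-list VPN-UK extended permit ip object-group DMZ-Networks object-group UK-Networks
"""

UK_CONFIG = """
object-group network HQ-Networks
 network-object 192.168.50.0 255.255.255.0
access-list VPN-HQ extended permit ip 10.10.0.0 255.255.0.0 object-group HQ-Networks
"""


def parse_object_groups(config: str) -> Dict[str, Set[IPv4Net]]:
    """Collect 'object-group network' blocks into name -> set of prefixes."""
    groups: Dict[str, Set[IPv4Net]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = set()
            continue
        m = re.match(r"network-object host (\S+)$", line)
        if m and current:
            groups[current].add(ipaddress.ip_network(m.group(1) + "/32"))
            continue
        m = re.match(r"network-object (\S+) (\S+)$", line)
        if m and current:
            # ipaddress accepts dotted netmask notation: "a.b.c.d/255.255.255.0"
            groups[current].add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return groups


def _consume_addr(tokens: List[str], i: int,
                  groups: Dict[str, Set[IPv4Net]]) -> Tuple[Set[IPv4Net], int]:
    """Read one ACL address spec starting at tokens[i]; return prefixes and next index."""
    tok = tokens[i]
    if tok == "object-group":
        return set(groups[tokens[i + 1]]), i + 2
    if tok == "host":
        return {ipaddress.ip_network(tokens[i + 1] + "/32")}, i + 2
    if tok == "any":
        return {ipaddress.ip_network("0.0.0.0/0")}, i + 1
    return {ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")}, i + 2


def parse_acl(config: str, name: str) -> Set[Pair]:
    """Expand 'access-list NAME extended permit ip SRC DST' into (src, dst) prefix pairs."""
    groups = parse_object_groups(config)
    pairs: Set[Pair] = set()
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:4] != ["access-list", name, "extended", "permit"]:
            continue
        if tokens[4] != "ip":  # only 'permit ip' entries are handled here
            continue
        src, i = _consume_addr(tokens, 5, groups)
        dst, _ = _consume_addr(tokens, i, groups)
        pairs.update((s, d) for s in src for d in dst)
    return pairs


def missing_mirrors(local: Set[Pair], remote: Set[Pair]) -> Set[Pair]:
    """Local (src, dst) pairs that the remote peer does not list as (dst, src)."""
    return {(s, d) for (s, d) in local if (d, s) not in remote}


if __name__ == "__main__":
    hq = parse_acl(HQ_CONFIG, "VPN-UK")
    uk = parse_acl(UK_CONFIG, "VPN-HQ")
    for src, dst in sorted(missing_mirrors(hq, uk), key=str):
        print(f"UK peer has no mirror entry for {src} -> {dst}")
    for src, dst in sorted(missing_mirrors(uk, hq), key=str):
        print(f"HQ peer has no mirror entry for {src} -> {dst}")
```

Run against the two constructed configurations, the script reports that the UK peer has no mirror entry for 172.16.110.0/24 to 10.10.0.0/16, which is exactly the symptom described in the thread: the HQ side proposes that traffic, the UK side never does, and the DMZ web servers are unreachable while everything else in the tunnel keeps working. The check is deliberately limited to `permit ip` entries with object-group, host, any, or address/mask operands; real configurations with `object network` objects or port-specific entries would need the parser extended.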
