Site-to-Site VPN to DMZ

Unanswered Question
Oct 21st, 2008

I have two sites UK/France that terminate on my ASA5510. They need access to our webservers in the DMZ. My configuration for the sites on my ASA are as follows:

access-list No-NAT-DMZ extended permit ip object-group UK-Networks (

access-list No-NAT-DMZ extended permit ip object-group France-Networks (

access-list DMZ extended permit ip host iis-public-in01 object-group UK-Networks

access-list DMZ_access_out extended permit ip object-group UK-Networks host iis-public-in01

I'm not sure if my European counterparts have changed their settings as this has worked before. Now, they cannot see our webservers.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (2 ratings)
acomiskey Tue, 10/21/2008 - 10:36

A few questions.

1. What are the access-group commands associated with your dmz acl's?

access-group DMZ in interface DMZ?

access-group DMZ_access_out out interface DMZ?

2. Is iis-public-in-01 a 172.16.110.x address? If not, it should be.

jgorman1977 Wed, 10/22/2008 - 05:37

The UK firewall was not passing that subnet over to us. They recently upgraded and missed that statement.

Thanks for the assistance.


This Discussion