
Site-to-Site VPN to DMZ

jgorman1977
Level 1

I have two sites (UK/France) that terminate on my ASA5510. They need access to our webservers in the DMZ. My configuration for the sites on my ASA is as follows:

access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 object-group UK-Networks (192.168.0.0/24)

access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 object-group France-Networks (192.168.10.0/24)

access-list DMZ extended permit ip host iis-public-in01 object-group UK-Networks

access-list DMZ_access_out extended permit ip object-group UK-Networks host iis-public-in01

I'm not sure if my European counterparts have changed their settings as this has worked before. Now, they cannot see our webservers.

4 Replies

acomiskey
Level 10

A few questions.

1. What are the access-group commands associated with your DMZ ACLs?

access-group DMZ in interface DMZ?

access-group DMZ_access_out out interface DMZ?

2. Is iis-public-in-01 a 172.16.110.x address? If not, it should be.

1. You are correct

2. IIS-public-in01 is a 172.16.110.x/24 address

ajagadee
Cisco Employee

Hello Jason,

Do you see the IPsec SA built for the two locations mentioned above? Also, what do you see under encrypts and decrypts?

Below is a URL that has information on some of the most common L2L and remote access IPsec VPN troubleshooting solutions:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Regards,

Arul

** Please rate if it helps **

The UK firewall was not passing that subnet over to us. They recently upgraded and missed that statement.

Thanks for the assistance.
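The check ajagadee asks for above (is an SA built for each site, and do both encrypts and decrypts move) can be scripted. This is an added example, not code from the thread: it parses `show crypto ipsec sa` output, assumed to be in the usual ASA layout, against the subnet pairs from the No-NAT-DMZ ACL. The sample output, peer address and counters are constructed.

```python
import ipaddress
import re

# Expected protected pairs, taken from the No-NAT-DMZ ACL in the question.
EXPECTED = [("172.16.110.0/24", "192.168.0.0/24"),    # DMZ <-> UK
            ("172.16.110.0/24", "192.168.10.0/24")]   # DMZ <-> France

# Constructed, simplified `show crypto ipsec sa` output: only the France SA exists.
SAMPLE = """\
    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (172.16.110.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20
      #pkts encaps: 412, #pkts encrypt: 412, #pkts digest: 412
      #pkts decaps: 398, #pkts decrypt: 398, #pkts verify: 398
"""

SA_RE = re.compile(
    r"local ident[^:]*: \((?P<l>[\d.]+)/(?P<lm>[\d.]+)/[^)]*\)\s+"
    r"remote ident[^:]*: \((?P<r>[\d.]+)/(?P<rm>[\d.]+)/[^)]*\)"
    r".*?#pkts encaps: (?P<enc>\d+).*?#pkts decaps: (?P<dec>\d+)", re.S)

def parse_sas(text):
    """Map (local_net, remote_net) -> (encaps, decaps) for every SA in the output."""
    return {(ipaddress.ip_network(f"{m['l']}/{m['lm']}"),
             ipaddress.ip_network(f"{m['r']}/{m['rm']}")):
            (int(m["enc"]), int(m["dec"])) for m in SA_RE.finditer(text)}

def check_tunnels(text, expected=EXPECTED):
    """Classify each expected pair as no-sa, idle, tx-only, rx-only or ok."""
    sas, report = parse_sas(text), {}
    for local, remote in expected:
        counters = sas.get((ipaddress.ip_network(local), ipaddress.ip_network(remote)))
        if counters is None:
            status = "no-sa"      # no SA for this pair, e.g. peer's crypto ACL lacks it
        elif counters == (0, 0):
            status = "idle"       # SA built, no traffic has used it yet
        elif counters[1] == 0:
            status = "tx-only"    # we encrypt, nothing comes back from the peer
        elif counters[0] == 0:
            status = "rx-only"    # peer sends, our side never encrypts a reply
        else:
            status = "ok"
        report[(local, remote)] = status
    return report

if __name__ == "__main__":
    for pair, status in check_tunnels(SAMPLE).items():
        print(pair, status)
```

A `no-sa` or `tx-only` result for one site while the other is `ok` points at the remote peer's configuration for that subnet, which is where the problem in this thread turned out to be.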
