10-21-2008 10:30 AM
I have two sites (UK/France) that terminate on my ASA5510. They need access to our webservers in the DMZ. My configuration for the sites on my ASA is as follows:
access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 object-group UK-Networks (192.168.0.0/24)
access-list No-NAT-DMZ extended permit ip 172.16.110.0 255.255.255.0 object-group France-Networks (192.168.10.0/24)
access-list DMZ extended permit ip host iis-public-in01 object-group UK-Networks
access-list DMZ_access_out extended permit ip object-group UK-Networks host iis-public-in01
I'm not sure if my European counterparts have changed their settings as this has worked before. Now, they cannot see our webservers.
10-21-2008 10:36 AM
A few questions.
1. What are the access-group commands associated with your DMZ ACLs?
access-group DMZ in interface DMZ?
access-group DMZ_access_out out interface DMZ?
2. Is iis-public-in-01 a 172.16.110.x address? If not, it should be.
10-21-2008 10:50 AM
1. You are correct
2. IIS-public-in01 is a 172.16.110.x/24 address
10-21-2008 06:39 PM
Hello Jason,
Do you see the IPsec SA built for the two locations mentioned above? Also, what do you see under encrypts and decrypts?
Below is a URL that has information on some of the most common L2L and remote access IPsec VPN troubleshooting solutions:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Regards,
Arul
** Please rate if it helps **
10-22-2008 05:37 AM
The UK firewall was not passing that subnet over to us. They recently upgraded and missed that statement.
Thanks for the assistance.