So I've been scratching my head and I just can't visualize what I want and how I want to do this.
Here is the overview of my network:
Headquarters: ASA 5505
Site1 : ASA 5505
Site2 : ASA 5505
Site3 : ASA 5505
All Sites are connected L2L to the Headquarters location with Site-to-Site VPN.
From the HQ site I can ping each satellite location, and from each satellite location I can ping the HQ site. I will also mention that all other traffic also flows correctly.
Here is my issue: At the HQ site I have a DMZ configured with a mail/web server. This mail/web server is accessible from my HQ LAN but not from the satellite locations. I need to enable that.
What do I do?
My second issue is that I would like the satellite sites to see each other's networks. Would I have to create a VPN mesh between the sites, or can this be solved the same way as the DMZ issue?
I'm attaching the show run from my HQ ASA
Show run of HQ ASA
For the mail/web server that needs access over the VPN tunnels from the remote sites, you need to add the servers to the crypto ACL, similar to how you have it for the inside network. Make sure both sides have mirrored ACLs. If you are NATing from the DMZ to the outside, make sure you create a NAT exemption from the DMZ to the outside for the VPN traffic.
For the second issue, because you just have three sites, I would recommend creating a site-to-site tunnel between the two satellite sites.
PS: If you found this post helpful, please rate it.
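A worked configuration for the first issue (DMZ server reachable from a satellite site over the existing tunnel), added here as an illustration; it is not taken from the thread or from the poster's show run. It assumes ASA 8.4(2)+ twice-NAT syntax (pre-8.3 images use `nat (dmz) 0 access-list <name>` instead), a crypto map named outside_map with sequence 10 already pointing at Site1, and constructed addresses: HQ inside 192.168.1.0/24, HQ DMZ 10.1.1.0/24, Site1 LAN 192.168.2.0/24.

```text
! ===== HQ ASA (hub) =====
! Constructed objects; substitute the real subnets from the show run.
object network HQ-INSIDE
 subnet 192.168.1.0 255.255.255.0
object network HQ-DMZ
 subnet 10.1.1.0 255.255.255.0
object network SITE1-LAN
 subnet 192.168.2.0 255.255.255.0
!
! Crypto ACL: keep the existing inside line and add one for the DMZ,
! so DMZ <-> Site1 traffic is classified as interesting for the tunnel.
access-list HQ-TO-SITE1 extended permit ip object HQ-INSIDE object SITE1-LAN
access-list HQ-TO-SITE1 extended permit ip object HQ-DMZ object SITE1-LAN
crypto map outside_map 10 match address HQ-TO-SITE1
!
! NAT exemption (identity twice NAT) so the DMZ server is not translated to
! the outside address before it reaches the tunnel. Keep this rule above any
! dynamic DMZ-to-outside NAT so it is matched first.
nat (dmz,outside) source static HQ-DMZ HQ-DMZ destination static SITE1-LAN SITE1-LAN no-proxy-arp route-lookup
!
! ===== Site1 ASA (spoke): mirrored ACL and matching exemption =====
object network SITE1-LAN
 subnet 192.168.2.0 255.255.255.0
object network HQ-INSIDE
 subnet 192.168.1.0 255.255.255.0
object network HQ-DMZ
 subnet 10.1.1.0 255.255.255.0
! Each line is the mirror image of the HQ crypto ACL (source/destination swapped).
access-list SITE1-TO-HQ extended permit ip object SITE1-LAN object HQ-INSIDE
access-list SITE1-TO-HQ extended permit ip object SITE1-LAN object HQ-DMZ
crypto map outside_map 10 match address SITE1-TO-HQ
nat (inside,outside) source static SITE1-LAN SITE1-LAN destination static HQ-DMZ HQ-DMZ no-proxy-arp route-lookup
!
! After changing a crypto ACL, the tunnel must be re-established so the new
! SA pair for the DMZ subnet is negotiated:
!   clear crypto ipsec sa peer <peer-ip>
! Verification from the spoke: packet-tracer should end in the VPN phase with
! ALLOW, and a second SA for 192.168.2.0/24 <-> 10.1.1.0/24 should appear:
!   packet-tracer input inside tcp 192.168.2.10 1025 10.1.1.10 25
!   show crypto ipsec sa peer <peer-ip> | include ident|pkts
```

The same pattern (one extra crypto ACL line per side plus a matching identity NAT) is repeated for Site2 and Site3; the spoke-to-spoke question is separate, since the hub's crypto ACLs only describe hub-to-spoke pairs.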