ASA Site-to-Site, Remote Sites cannot access DMZ at Hub site

Answered Question
Oct 9th, 2009

So I've been scratching my head and I just can't visualize what I want and how I want to do this.

Here is the overview of my network:

Headquarters: ASA 5505

Site1 : ASA 5505

Site2 : ASA 5505

Site3 : ASA 5505

All Sites are connected L2L to the Headquarters location with Site-to-Site VPN.

From the HQ site I can ping each satellite location, and from each satellite location I can ping the HQ site. I will also mention that all other traffic also flows correctly.

Here is my issue: At the HQ site I have a DMZ configured with a mail/web server. This mail/web server is accessible from my HQ LAN but not from the satellite locations. I need to enable that.

What do I do?

My second issue is that I would like for the satellite sites to see each other's networks. Would I have to create a VPN mesh between the sites, or can this be solved the same way as the DMZ issue?

I'm attaching the show run from my HQ ASA

Attachment: Show run of HQ ASA
Correct Answer
auraza Fri, 10/09/2009 - 13:42

For the mail/web server that needs access over the VPN tunnels from the remote site, you need to add the servers to the crypto ACL, similar to how you have it for the inside network. Make sure both sides have the mirrored ACLs. If you are NATing from the DMZ to the outside, make sure you create a NAT exemption from the DMZ to the outside for the VPN traffic.

For the second issue, because you just have three sites, I would recommend creating a site-to-site tunnel between the two satellite sites.

HTH

PS. if you found this post helpful, please rate it.
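The two changes described in this answer, shown as an added illustration rather than lines from either poster's configuration. Addresses, interface names, ACL names and the crypto map name are assumed, and the NAT syntax is the pre-8.3 form an ASA 5505 would have run in 2009.

```cisco
! ---- Hub (HQ) ASA ----
! Assumed addressing: inside 10.1.0.0/24, DMZ server 192.168.50.10 on
! interface "dmz", Site1 LAN 10.2.0.0/24. All values are placeholders.

! 1. Crypto ACL for the Site1 tunnel: the inside entry is what the
!    tunnel already matches; the second line adds the DMZ server so
!    that traffic is also encrypted instead of dropped at the tunnel.
access-list HQ-to-SITE1 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list HQ-to-SITE1 extended permit ip host 192.168.50.10 10.2.0.0 255.255.255.0

! 2. NAT exemption for the new flow. Without this, the dmz->outside
!    translation rewrites the server's address before encryption and
!    the packet no longer matches the crypto ACL. On pre-8.3 code the
!    "nat 0 access-list" exemption takes precedence over static/dynamic NAT.
access-list DMZ-NONAT extended permit ip host 192.168.50.10 10.2.0.0 255.255.255.0
nat (dmz) 0 access-list DMZ-NONAT

! Existing inside exemption, kept here for comparison only.
access-list INSIDE-NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT

! The crypto map entry is unchanged; it keeps pointing at the same ACL.
crypto map OUTSIDE_MAP 10 match address HQ-to-SITE1

! ---- Spoke (Site1) ASA ----
! "Mirrored" means source and destination are swapped line for line.
access-list SITE1-to-HQ extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list SITE1-to-HQ extended permit ip 10.2.0.0 255.255.255.0 host 192.168.50.10

! The spoke's own exemption must cover the DMZ host as well.
access-list SITE1-NONAT extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list SITE1-NONAT extended permit ip 10.2.0.0 255.255.255.0 host 192.168.50.10
nat (inside) 0 access-list SITE1-NONAT

crypto map OUTSIDE_MAP 10 match address SITE1-to-HQ
```

After the change, "show crypto ipsec sa" on either box should list a second SA pair for the 192.168.50.10 <-> 10.2.0.0/24 proxy identities once a remote host has sent traffic to the server.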

eric-karas Mon, 10/12/2009 - 06:26

That's my problem. I just can't picture that and the "mirroring" of settings at the remote site.

I'll be honest with you, I'm doing all of this through ASDM. The only time I use CLI is for minor things.

For testing and lab purposes I have an additional T1 at our HQ office. To it I hooked up our old PIX 515 (upgraded to ASDM). I VPN-ed it into our HQ site ASA 5505, so it looks like another remote site. I'm using that connection to mess around with things during business hours.

I'm going to include "sh run"s from both the HQ and my remote test site. If you could just point me to where I need to add these lines, in which order and on what interface, I would most likely be able to figure it out then.

I really appreciate your help.

Thank you!

eric-karas Mon, 10/12/2009 - 12:35

Thanks man. I should have read your message more carefully... I kept forgetting to exempt NATing back in from the DMZ...

It works now and I finally understand how this works.
