
ASA5520 - Hub and spoke VPN - No access to DMZ

Unanswered Question
Nov 10th, 2006

I have a spoke and hub topology with an ASA5520 at the hub. A port for the Internet Feed, a port for the inside, and another port for the dmz.


outside=71.X.X.X

inside=10.180.0.0

dmz=192.168.250.0


The spoke has an inside of 10.160.0.0.


I set up a VLAN between the hub and spoke, and the connection from inside to inside is working fine. However, the spoke site cannot access the DMZ on 192.168.250.0.


Looking at the crypto on the ASA5520 I see:


Crypto map tag: intranet, seq num: 11, local addr: 71.X.X.X


access-list XXX permit ip 192.168.250.0 255.255.255.0 10.160.0.0 255.255.0.0

local ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.160.0.0/255.255.0.0/0/0)

current_peer: 204.X.X.X


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#send errors: 0, #recv errors: 0


Looking at the PIX on the spoke I see:


local ident (addr/mask/prot/port): (10.160.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)

current_peer: 71.X.X.X

PERMIT, flags={origin_is_acl,}

#pkts encaps: 271, #pkts encrypt: 271, #pkts digest 271

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 191, #recv errors 0


As I mentioned, I can ping from 10.180.0.0 to 10.160.0.0 fine. The encaps and decaps are zero and I know they should have some values. What do these entries mean? What else can I do to figure out what is wrong?


tiz_a_tron Wed, 11/29/2006 - 19:46

Thanks for the note. I was missing some access-list and nonat stuff. This got me going.


access-list nonat_dmz extended permit ip 192.168.250.0 255.255.255.0 10.190.0.0 255.255.0.0

nat (dmz) 0 access-list nonat_dmz
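The counters in the question and the NAT-exemption fix in the reply can be checked offline. The script below is an added example, not code from the thread or from Cisco: it parses the `#pkts encaps`/`#pkts decaps` lines from `show crypto ipsec sa` on both peers, flags the one-way pattern (hub decrypts but never encrypts, spoke encrypts but never decrypts), and then evaluates a DMZ-to-spoke reply packet against the crypto ACL and the `nat 0` exemption ACL the way the ASA does: a reply that is not exempt from NAT is translated before the crypto map sees it, so it never enters the tunnel. The counter lines are the ones quoted in the question; the "before" configuration combines the question's crypto ACL with the reply's `nonat_dmz` entry, and the "after" configuration adds a constructed exemption for the 10.160.0.0/16 spoke (an assumption for the example, not something the thread states). The ACL matcher handles only `permit ip` source/destination network pairs.

```python
"""Offline check for the hub/spoke IPsec symptom in the thread (added example)."""
import ipaddress
import re

# access-list NAME [extended] permit ip SRC SMASK DST DMASK
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)
# The counters we care about; the ASA prints some with a colon, the PIX without.
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):?\s*(\d+)")

# Counter lines quoted in the question (hub ASA, then spoke PIX).
HUB_SA = """#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
#send errors: 0, #recv errors: 0"""
SPOKE_SA = """#pkts encaps: 271, #pkts encrypt: 271, #pkts digest 271
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 191, #recv errors 0"""

# Constructed "before": crypto ACL from the question plus the reply's nonat entry.
CONFIG_BEFORE = """access-list XXX permit ip 192.168.250.0 255.255.255.0 10.160.0.0 255.255.0.0
access-list nonat_dmz extended permit ip 192.168.250.0 255.255.255.0 10.190.0.0 255.255.0.0
nat (dmz) 0 access-list nonat_dmz"""
# Constructed "after": assumed exemption for the 10.160.0.0/16 spoke added.
CONFIG_AFTER = CONFIG_BEFORE + (
    "\naccess-list nonat_dmz extended permit ip 192.168.250.0 255.255.255.0 10.160.0.0 255.255.0.0"
)


def parse_acls(config_text):
    """Return {acl_name: [(src_net, dst_net), ...]} from permit-ip access-list lines."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src = ipaddress.IPv4Network(f"{m['src']}/{m['smask']}")
        dst = ipaddress.IPv4Network(f"{m['dst']}/{m['dmask']}")
        acls.setdefault(m["name"], []).append((src, dst))
    return acls


def acl_permits(entries, src_ip, dst_ip):
    """True if any (src_net, dst_net) pair covers the src->dst flow."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)


def parse_counters(sa_text):
    """Extract encaps/decaps/error counters from 'show crypto ipsec sa' output."""
    return {key: int(val) for key, val in COUNTER_RE.findall(sa_text)}


def diagnose(hub, spoke):
    """Flag the one-way pattern: traffic arrives at the hub but nothing is sent back."""
    findings = []
    if spoke.get("pkts encaps", 0) > 0 and hub.get("pkts decaps", 0) > 0 \
            and hub.get("pkts encaps", 0) == 0:
        findings.append("hub decrypts spoke traffic but never encrypts a reply")
    if spoke.get("pkts encaps", 0) > 0 and spoke.get("pkts decaps", 0) == 0:
        findings.append("spoke sends into the tunnel but receives nothing back")
    return findings


def return_path_check(acls, crypto_acl, nonat_acl, src_ip, dst_ip):
    """Evaluate a DMZ->spoke reply on the hub: it must be NAT-exempt and match the
    crypto ACL. NAT runs before the crypto map, so a missing exemption means the
    crypto ACL is checked against the translated source and the reply is lost."""
    problems = []
    if not acl_permits(acls.get(nonat_acl, []), src_ip, dst_ip):
        problems.append(f"{src_ip}->{dst_ip} is not exempt from NAT by {nonat_acl}")
    if not acl_permits(acls.get(crypto_acl, []), src_ip, dst_ip):
        problems.append(f"{src_ip}->{dst_ip} does not match crypto ACL {crypto_acl}")
    return problems


if __name__ == "__main__":
    for finding in diagnose(parse_counters(HUB_SA), parse_counters(SPOKE_SA)):
        print("counter pattern:", finding)
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        probs = return_path_check(parse_acls(cfg), "XXX", "nonat_dmz",
                                  "192.168.250.5", "10.160.1.10")
        print(label + ":", probs or "reply would enter the tunnel")
```

Run it as a script to see the counter findings and the before/after result for a reply from a constructed DMZ host (192.168.250.5) to a constructed spoke host (10.160.1.10); point `HUB_SA`, `SPOKE_SA` and the config strings at real output to reuse the checks.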
