11-10-2006 10:19 AM - edited 02-21-2020 02:43 PM
I have a spoke and hub topology with an ASA5520 at the hub. A port for the Internet Feed, a port for the inside, and another port for the dmz.
outside=71.X.X.X
inside=10.180.0.0
dmz=192.168.250.0
The spoke has an inside of 10.160.0.0.
I set up a VLAN between the hub and spoke and the connection from inside to inside is working fine. However, the spoke site cannot access the DMZ on 192.168.250.0.
Looking at the crypto on the ASA5520 I see:
Crypto map tag: intranet, seq num: 11, local addr: 71.X.X.X
access-list XXX permit ip 192.168.250.0 255.255.255.0 10.160.0.0 255.255.0.0
local ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.160.0.0/255.255.0.0/0/0)
current_peer: 204.X.X.X
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
Looking at the PIX on the spoke I see:
local ident (addr/mask/prot/port): (10.160.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)
current_peer: 71.X.X.X
PERMIT, flags={origin_is_acl,}
#pkts encaps: 271, #pkts encrypt: 271, #pkts digest 271
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 191, #recv errors 0
As I mentioned, I can ping from 10.180.0.0 to 10.160.0.0 fine. The encaps and decaps are zero and I know they should have some values. What do these entries mean? What else can I do to figure out what is wrong?
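As an added illustration (not part of the thread and not Cisco code), here is a small Python parser for the `show crypto ipsec sa` counters quoted above that flags the one-way pattern seen on both ends; the two sample blocks are constructed from the numbers in the post, and the diagnosis strings reflect the thread's eventual finding that return traffic was not matching the crypto ACL.

```python
import re

# Constructed samples: the counter lines the poster quoted from the hub ASA
# and the spoke PIX. Note the PIX prints some counters without a colon.
HUB_SA = """\
local ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.160.0.0/255.255.0.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
#send errors: 0, #recv errors: 0
"""

SPOKE_SA = """\
local ident (addr/mask/prot/port): (10.160.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)
#pkts encaps: 271, #pkts encrypt: 271, #pkts digest 271
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 191, #recv errors 0
"""

IDENT = r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/"

def parse_sa(text):
    """Extract the proxy identities and the counters that matter from one SA block.
    The ':?' in each counter pattern accepts both ASA ('encaps: 0') and PIX
    ('digest 271') spellings."""
    sa = {}
    for side in ("local", "remote"):
        m = re.search(side + r" ident.*?" + IDENT, text)
        sa[side] = f"{m.group(1)}/{m.group(2)}" if m else None
    for key, pattern in (("encaps", r"#pkts encaps:?\s+(\d+)"),
                         ("decaps", r"#pkts decaps:?\s+(\d+)"),
                         ("send_errors", r"#send errors:?\s+(\d+)")):
        m = re.search(pattern, text)
        sa[key] = int(m.group(1)) if m else 0
    return sa

def diagnose(sa):
    """Classify the SA from its direction counters, the way a tunnel
    health check would before anyone stares at the config."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle: no interesting traffic has matched this SA in either direction"
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        # Peer traffic is decrypted here, but nothing goes back encrypted:
        # replies from the local network are not hitting the crypto ACL,
        # typically because NAT rewrites them first (check the NAT exemption).
        return "one-way: decrypting peer traffic but encrypting nothing back"
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "one-way: sending encrypted traffic but receiving no replies"
    return "healthy: traffic flows in both directions"
```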
11-16-2006 11:51 AM
11-29-2006 07:46 PM
Thanks for the note. I was missing some access-list and nonat stuff. This got me going.
access-list nonat_dmz extended permit ip 192.168.250.0 255.255.255.0 10.190.0.0 255.255.0.0
nat (dmz) 0 access-list nonat_dmz