cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
312
Views
0
Helpful
2
Replies

ASA5520 - Hub and spoke VPN - No access to DMZ

tiz_a_tron
Level 1
Level 1

I have a spoke and hub topology with an ASA5520 at the hub. A port for the Internet Feed, a port for the inside, and another port for the dmz.

outside=71.X.X.X

inside=10.180.0.0

dmz=192.168.250.0

The spoke has an inside of 10.160.0.0.

I setup a vlan between the hub and spoke and the connection from inside to inside is working fine. However, the spoke site cannot access the DMZ on 192.168.250.0.

Looking at the crypto on the ASA5520 I see:

Crypto map tag: intranet, seq num: 11, local addr: 71.X.X.X

access-list XXX permit ip 192.168.250.0 255.255.255.0 10.160.0.0 255.255.0.0

local ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.160.0.0/255.255.0.0/0/0)

current_peer: 204.X.X.X

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#send errors: 0, #recv errors: 0

Looking the pix on the spoke I see:

local ident (addr/mask/prot/port): (10.160.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)

current_peer: 71.X.X.X

PERMIT, flags={origin_is_acl,}

#pkts encaps: 271, #pkts encrypt: 271, #pkts digest 271

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 191, #recv errors 0

As I mentioned, I can ping from 10.180.0.0 to 10.160.0.0 fine. The encaps and decaps are zero and I know they should have some values. What do these entries mean? What else can I do to figure out what is wrong?

2 Replies 2

Thanks for the note. I was missing some access-list and nonat stuff. This got me going.

access-list nonat_dmz extended permit ip 192.168.250.0 255.255.255.0 10.190.0.0 255.255.0.0

access-list nonat_dmz extended permit ip 192.168.250.0 255.255.255.0 10.190.0.0 255.255.0.0

nat (dmz) 0 access-list nonat_dmz

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: