We have a main ASA 5520 and two remote site ASA 5505s that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have our local LAN (10.0.0.0/16) and our DMZ (10.3.0.0/24) network at the main site. The DMZ hosts our external SharePoint, but we have access to it internally.
The problem is site A (10.1.0.0/24) and site B (10.2.0.0/24) have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal.
What I'm stuck at is that even when we had all traffic sent from Site A to our main hub, it still wouldn't find it. Would I have to make a separate VPN tunnel purely for that DMZ traffic?
Right now these are in the DMZ section on our main ASA:
access-list nonat extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
Here's how the VPN is set up, but I think I may know why it's failing.
Site A Tunnel
Site B Tunnel
If I were to either add the DMZ (10.3.0.0/24) to the end of the remote sides for the two sites and the local side on the main, would that accomplish what I'm trying to do? Or can I just build a tunnel straight from the DMZ to these locations and do it that way?
Checked both ends; both have the nonat rule for the DMZ traffic.
Add the following traffic to your existing VPNs. You have to tell the ASAs to encrypt this traffic. Post your configuration if possible, and clean out any public IPs, passwords, etc. It will be much easier to get you going.
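As an added illustration of the answer above (not configuration from the thread), this is how the DMZ subnet would be added to the crypto ACLs that select traffic for the existing tunnels, with the spoke side mirroring the hub. The ACL names, crypto map name and sequence numbers, the interface name `dmz`, and the pre-8.3 `nat 0 access-list` NAT-exemption syntax are all assumptions; only the subnets come from the thread.

```cisco
! ---- Hub ASA 5520 (main site) ----
! Crypto ACL for the Site A tunnel (names are assumed, not from the thread).
! Existing entry: inside LAN to Site A
access-list outside_cryptomap_siteA extended permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
! Added entry: DMZ to Site A, so DMZ traffic is also selected for encryption
access-list outside_cryptomap_siteA extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! Same change for the Site B tunnel
access-list outside_cryptomap_siteB extended permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list outside_cryptomap_siteB extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! Bind each ACL to its crypto map entry (map name and sequence numbers assumed)
crypto map outside_map 10 match address outside_cryptomap_siteA
crypto map outside_map 20 match address outside_cryptomap_siteB
! NAT exemption on the DMZ interface (these two lines are already in place per the thread)
access-list nonat extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonat extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (dmz) 0 access-list nonat

! ---- Site A ASA 5505 ----
! The crypto ACL must be the exact mirror of the hub's entries; if the proxy identities
! do not match, phase 2 fails for the DMZ pair and that traffic never enters the tunnel.
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap
! NAT exemption so Site A hosts reach the DMZ with their real addresses
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Site B is configured the same way with 10.2.0.0/24 in place of 10.1.0.0/24.
! Verify after a test connection: a second IPsec SA should appear with the DMZ
! subnet as the local/remote identity.
! show crypto ipsec sa
```

Because the subnets in the hub's crypto ACL and the spoke's crypto ACL are simply swapped, a mismatch between the two (a /16 on one side and a /24 on the other, for example) is the first thing to check when the new SA does not come up.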