Cisco Support Community

New Member

Access to DMZ from remote sites over S2S VPN

We have a main ASA 5520 and two remote-site ASA 5505s that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have our local LAN (10.0.0.0/16) and our DMZ (10.3.0.0/24) network at the main site. The DMZ hosts our external SharePoint, but we have access to it internally.

The problem is site A (10.1.0.0/24) and site B (10.2.0.0/24) have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal.

What I'm stuck at is even when we had all traffic sent from Site A to our main hub, it still wouldn't find it. Would I have to make a separate VPN tunnel purely for that DMZ traffic?


6 REPLIES
Green

Re: Access to DMZ from remote sites over S2S VPN

As long as the traffic is specified in your crypto ACLs

access-list xxx extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0

and

access-list xxx extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0

the only other thing you may be missing is NAT exemption on the DMZ interface.

access-list nonatdmz extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0

access-list nonatdmz extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0

nat (DMZ) 0 access-list nonatdmz

Also make sure the dmz network is added to the nat 0 at the remote sites as well.

access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0

and

access-list nonat extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0

New Member

Re: Access to DMZ from remote sites over S2S VPN

Right now those are in there in the DMZ section on our main ASA

access-list nonat extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0

access-list nonat extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0

Here's how the VPN is set up, but I think I may know why it's failing

Main ASA

Site A Tunnel

Local: 10.0.0.0/16

Remote: 10.1.0.0/24

Site B Tunnel

Local: 10.0.0.0/16

Remote: 10.2.0.0/24

Site A

Main Tunnel

Local: 10.1.0.0/24

Remote: 10.0.0.0/16

Site B

Main Tunnel

Local: 10.2.0.0/24

Remote: 10.0.0.0/16

If I were to add the DMZ (10.3.0.0/24) to the end of the Remote side for the two sites and the Local side on the main, would that accomplish what I'm trying to do? Or can I just build a tunnel straight from the DMZ to these locations and do it that way?

EDIT

Checked both ends, both have the nonat rule for the DMZ traffic

Green

Re: Access to DMZ from remote sites over S2S VPN

Add the following traffic to your existing VPNs. You have to tell the ASAs to encrypt this traffic. Post your configuration if possible, clean out any public IPs/passwords etc. It will be much easier to get you going.

Main ASA

Site A Tunnel

Local: 10.3.0.0/24

Remote: 10.1.0.0/24

Site B Tunnel

Local: 10.3.0.0/24

Remote: 10.2.0.0/24

Site A

Main Tunnel

Local: 10.1.0.0/24

Remote: 10.3.0.0/24

Site B

Main Tunnel

Local: 10.2.0.0/24

Remote: 10.3.0.0/24

New Member

Re: Access to DMZ from remote sites over S2S VPN

We did this before and the SharePoint site did work, but nothing external (webpages, anything on the net). Can I add that rule to an existing one, such as:

Main ASA

Site A Tunnel

Local: 10.0.0.0/16, 10.3.0.0/24

Remote: 10.1.0.0/24

Green (Accepted Solution)

Re: Access to DMZ from remote sites over S2S VPN

Yes. So if you're doing this in ASDM under Edit Site to Site connection Profile, it will look like that.

Local Network: 10.0.0.0/16, 10.3.0.0/24

Remote : 10.1.0.0/24
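As an added illustration of the two points Green makes in this thread (the crypto ACLs on both peers must mirror each other and include the DMZ subnet, and the NAT exemption must cover the same address pairs), here is a small Python model that parses ASA-style access-list lines in the form quoted above and checks whether a spoke-to-DMZ flow would be classified as interesting traffic at both ends. This is example code written for this page, not Cisco code and not anything the participants posted. The subnets and the nonat/nonatdmz names come from the thread; the crypto ACL names vpn_siteA and vpn_main, and the host addresses 10.1.0.25, 10.3.0.10 and 203.0.113.5, are constructed assumptions.

```python
import ipaddress
import re

# Matches the "access-list NAME extended permit ip SRC SMASK DST DMASK" form
# quoted in the thread; host entries and other protocols are not modelled.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


def parse_acls(config: str) -> dict:
    """Return {acl_name: [(src_network, dst_network), ...]} from ASA-style lines."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            acls.setdefault(m["name"], []).append((src, dst))
    return acls


def permits(aces, src_ip: str, dst_ip: str) -> bool:
    """True if any ACE in the list covers the flow src_ip -> dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in aces)


def mirrored(hub_aces, spoke_aces) -> bool:
    """IPsec peers need mirror-image crypto ACLs: every hub entry must appear
    on the spoke with source and destination swapped, and vice versa."""
    return {(s, d) for s, d in hub_aces} == {(d, s) for s, d in spoke_aces}


def check_flow(hub_cfg, spoke_cfg, hub_crypto, hub_nonat,
               spoke_crypto, spoke_nonat, src_ip, dst_ip) -> dict:
    """Evaluate a flow from a spoke LAN host (src_ip) to a host behind the hub (dst_ip)."""
    hub, spoke = parse_acls(hub_cfg), parse_acls(spoke_cfg)
    result = {
        # spoke must classify the outbound packet as interesting traffic
        "spoke_encrypts": permits(spoke.get(spoke_crypto, []), src_ip, dst_ip),
        # hub must classify the return packet as interesting traffic
        "hub_encrypts": permits(hub.get(hub_crypto, []), dst_ip, src_ip),
        "mirrored": mirrored(hub.get(hub_crypto, []), spoke.get(spoke_crypto, [])),
        # NAT exemption on both ends so private addresses survive the tunnel
        "spoke_nat_exempt": permits(spoke.get(spoke_nonat, []), src_ip, dst_ip),
        "hub_nat_exempt": permits(hub.get(hub_nonat, []), dst_ip, src_ip),
    }
    result["ok"] = all(result.values())
    return result


# Constructed configs using the subnets from the thread; ACL names vpn_siteA
# and vpn_main are assumptions, nonat/nonatdmz are the names used in the thread.
# "Before" reproduces the original state: NAT exemption present, DMZ missing
# from the crypto ACLs.
HUB_BEFORE = """
access-list vpn_siteA extended permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonatdmz extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
"""
SPOKE_BEFORE = """
access-list vpn_main extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
"""
# The accepted fix: add the DMZ subnet to the existing tunnel on both ends.
HUB_AFTER = HUB_BEFORE + (
    "access-list vpn_siteA extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0\n")
SPOKE_AFTER = SPOKE_BEFORE + (
    "access-list vpn_main extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0\n")

# Constructed flow: a Site A workstation reaching the SharePoint host in the DMZ.
SITE_A_HOST, DMZ_HOST = "10.1.0.25", "10.3.0.10"


def before() -> dict:
    return check_flow(HUB_BEFORE, SPOKE_BEFORE, "vpn_siteA", "nonatdmz",
                      "vpn_main", "nonat", SITE_A_HOST, DMZ_HOST)


def after() -> dict:
    return check_flow(HUB_AFTER, SPOKE_AFTER, "vpn_siteA", "nonatdmz",
                      "vpn_main", "nonat", SITE_A_HOST, DMZ_HOST)


if __name__ == "__main__":
    for label, res in (("before fix", before()), ("after fix", after())):
        print(label, res)
```

Run as-is, the "before" result shows spoke_encrypts and hub_encrypts both false while the NAT exemptions are already true, which matches the poster's finding that the nonat rules were in place yet the DMZ was unreachable: with split tunneling, a packet the crypto ACL does not match is simply sent out the untrusted interface. The "after" result passes every check, and a flow to a public address such as 203.0.113.5 still does not match the crypto ACL, so ordinary internet traffic keeps using the split tunnel.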

New Member

Re: Access to DMZ from remote sites over S2S VPN

Definitely a facepalm moment, but it seems to work great, thank you!

1364 Views · 0 Helpful · 6 Replies