11-11-2011 07:38 AM
We have a main ASA 5520 and two remote site ASA 5505s that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have our local LAN (10.0.0.0/16) and our DMZ (10.3.0.0/24) network at the main site. The DMZ hosts our external SharePoint, but we have access to it internally.
The problem is site A (10.1.0.0/24) and site B (10.2.0.0/24) have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal.
What I'm stuck at is even when we had all traffic sent from Site A to our main hub, it still wouldn't find it. Would I have to make a separate VPN tunnel purely for that DMZ traffic?
11-11-2011 07:42 AM
As long as the traffic is specified in your crypto ACLs:
access-list xxx extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
and
access-list xxx extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
The only other thing you may be missing is NAT exemption on the DMZ interface:
access-list nonatdmz extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonatdmz extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (DMZ) 0 access-list nonatdmz
Also make sure the DMZ network is added to the nat 0 at the remote sites as well:
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
and
access-list nonat extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
11-11-2011 07:59 AM
Right now those are in there in the DMZ section on our main ASA:
access-list nonat extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
Here's how the VPN is set up, but I think I may know why it's failing.
Main ASA
Site A Tunnel
Local: 10.0.0.0/16
Remote: 10.1.0.0/24
Site B Tunnel
Local: 10.0.0.0/16
Remote: 10.2.0.0/24
Site A
Main Tunnel
Local: 10.1.0.0/24
Remote: 10.0.0.0/16
Site B
Main Tunnel
Local: 10.2.0.0/24
Remote: 10.0.0.0/16
If I were to add the DMZ (10.3.0.0/24) to the end of the Remote sides for the two sites and the Local side on the main, would that accomplish what I'm trying to do? Or can I just build a tunnel straight from the DMZ to these locations and do it that way?
EDIT
Checked both ends, both have the nonat rule for the DMZ traffic.
11-11-2011 08:08 AM
Add the following traffic to your existing VPNs. You have to tell the ASAs to encrypt this traffic. Post your configuration if possible, cleaning out any public IPs/passwords etc. It will be much easier to get you going.
Main ASA
Site A Tunnel
Local: 10.3.0.0/24
Remote: 10.1.0.0/24
Site B Tunnel
Local: 10.3.0.0/24
Remote: 10.2.0.0/24
Site A
Main Tunnel
Local: 10.1.0.0/24
Remote: 10.3.0.0/24
Site B
Main Tunnel
Local: 10.2.0.0/24
Remote: 10.3.0.0/24
11-11-2011 08:12 AM
We did this before and the SharePoint site did work, but nothing external (web pages, anything on the net). Can I add that rule to an existing one, such as:
Main ASA
Site A Tunnel
Local: 10.0.0.0/16, 10.3.0.0/24
Remote: 10.1.0.0/24
11-11-2011 08:18 AM
Yes. So if you're doing this in ASDM under Edit Site to Site connection Profile, it will look like that.
Local Network: 10.0.0.0/16, 10.3.0.0/24
Remote : 10.1.0.0/24
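The two things the replies above keep coming back to are (1) the DMZ subnet must appear in the crypto ACL that the crypto map references, on both ends and mirrored, and (2) the same flow must be NAT-exempt on the interface the source sits behind. The script below is an added example written for this thread, not something posted by any of the participants or shipped by Cisco. It parses the pre-8.3 style ASA lines used in the thread (access-list ... extended permit ip, crypto map ... match address, nat (iface) 0 access-list) and answers, for a given flow, whether it will be encrypted and whether it is NAT-exempt; it also lists crypto ACL entries on one peer that have no mirror on the other. The sample configs, the ACL names (outside_cryptomap_A, outside_cryptomap, nonat, nonatdmz), the interface names and the host addresses are constructed assumptions modelled on the thread's subnets (hub inside 10.0.0.0/16, DMZ 10.3.0.0/24, Site A 10.1.0.0/24); only net/mask "permit ip" entries are modelled.

```python
import ipaddress
import re

# Constructed sample configs (assumptions, not the poster's real config).
# "Before": the hub's crypto ACL for Site A carries only 10.0.0.0/16, which is
# the state the original poster described; the DMZ is NAT-exempt but not encrypted.
HUB_CONFIG_BEFORE = """
access-list outside_cryptomap_A extended permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonatdmz extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap_A
nat (inside) 0 access-list nonat
nat (DMZ) 0 access-list nonatdmz
"""
# "After": the DMZ is appended to the same crypto ACL, as the accepted answer suggests.
HUB_CONFIG_AFTER = HUB_CONFIG_BEFORE + """
access-list outside_cryptomap_A extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
"""
SITE_A_CONFIG = """
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap
nat (inside) 0 access-list nonat
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(rf"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+{IP}\s+{IP}\s+{IP}\s+{IP}\s*$")
CRYPTO_MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)\s*$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")


def parse_asa(config: str) -> dict:
    """Collect ACL entries, the ACL names bound to crypto maps, and nat 0 ACLs per interface."""
    acls, crypto_acls, nat0 = {}, set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}", strict=False),
                 ipaddress.ip_network(f"{d}/{dm}", strict=False))
            )
        elif m := CRYPTO_MATCH_RE.match(line):
            crypto_acls.add(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
    return {"acls": acls, "crypto_acls": crypto_acls, "nat0": nat0}


def _acl_permits(entries, src, dst) -> bool:
    return any(src in s_net and dst in d_net for s_net, d_net in entries)


def flow_status(cfg: dict, src_ip: str, dst_ip: str, src_iface: str) -> dict:
    """Will src->dst (entering on src_iface) be sent down a tunnel, and is it NAT-exempt?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    encrypted = any(_acl_permits(cfg["acls"].get(n, []), src, dst) for n in cfg["crypto_acls"])
    nonat = cfg["nat0"].get(src_iface)
    nat_exempt = bool(nonat) and _acl_permits(cfg["acls"].get(nonat, []), src, dst)
    return {"encrypted": encrypted, "nat_exempt": nat_exempt}


def missing_mirrors(local_cfg: dict, remote_cfg: dict) -> list:
    """Crypto ACL entries on the remote peer whose reversed (dst, src) form is absent locally."""
    local = {e for n in local_cfg["crypto_acls"] for e in local_cfg["acls"].get(n, [])}
    missing = []
    for n in remote_cfg["crypto_acls"]:
        for s_net, d_net in remote_cfg["acls"].get(n, []):
            if (d_net, s_net) not in local:
                missing.append((str(s_net), str(d_net)))
    return missing


if __name__ == "__main__":
    hub_before, hub_after, site_a = map(parse_asa, (HUB_CONFIG_BEFORE, HUB_CONFIG_AFTER, SITE_A_CONFIG))
    print("hub before, DMZ->Site A:", flow_status(hub_before, "10.3.0.5", "10.1.0.20", "DMZ"))
    print("hub after,  DMZ->Site A:", flow_status(hub_after, "10.3.0.5", "10.1.0.20", "DMZ"))
    print("site A entries unmirrored on hub before:", missing_mirrors(hub_before, site_a))
    print("site A entries unmirrored on hub after: ", missing_mirrors(hub_after, site_a))
```

In the "before" state the DMZ flow is NAT-exempt but not encrypted, which matches the symptom in the thread: NAT exemption alone does nothing until the crypto ACL on both peers also covers the DMZ, and the mirror check is what catches the one-sided case where only the spoke was edited.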
11-11-2011 08:33 AM
Definitely a facepalm moment, but it seems to work great, thank you!