New Member

Allow access to DMZ through VPN Tunnel

I have two datacenters that have a VPN Site-To-Site Tunnel

DC1 is ASA Version 8.2
DC2 is ASA Version 9.1

I want to allow our backup device that is on the inside interface of DC2 to be able to backup devices in our DMZ at DC1

Let's say for example that the backup device is

At DC1 I have tried

access-list dmz_out extended permit tcp object-group dmz_hosts host eq 2006
access-list dmz_out extended permit tcp host object-group dmz_hosts eq 2006

Currently at DC1 there is

access-list no_nat extended permit ip object-group local_hosts object-group to_dc2

But I don't see a no_nat for the DMZ such as

access-list no_nat extended permit ip object-group dmz_hosts object-group to_dc2

Could that be the issue?

At DC2 I see

access-list inside_out extended permit ip object-group local_hosts_dc2 object-group to_dc1

to_dc1 does include the subnet for the dmz and local_hosts_dc2 does include the subnet that contains the backup device

nat (inside,outside) source static lan_local lan_local destination static no_nat no_nat no-proxy-arp route-lookup

Again no_nat in this case does include the dmz at dc1 and lan_local includes the subnet of the backup device


When I show the access-lists there is no hit counter increment for it so I know neither of my rules are being hit.
dmz_out is tied to the dmz with access-group dmz_out in interface dmz



Cisco Employee

Hi,

Thanks for contacting us! My name is Osvaldo García. From what I understood, you need a device located in the INSIDE network of the ASA at DC2 to back up devices located in the DMZ network of the ASA at DC1, is that correct?

Please make sure that these 2 requirements are configured:

[1] Review the access-list used in the crypto map, the command should be like:

crypto map <NAME> x match address <ACL>

This access-list should contain a statement with the DMZ network address as the source and the LOCAL LAN of the DC2 as the destination, i.e.:

access-list <NAME> permit ip object-group dmz_hosts object-group to_dc2

NOTE: Please make sure to use IP as the permitted protocol. Also make sure to add this statement in the ACL used in the crypto map at DC2 in the opposite way, i.e.:

access-list <NAME> permit ip object-group lan_local object-group dmz_hosts_at_DC1


[2] Please add the statement in the NO_NAT access-list for the same traffic, i.e.:

access-list NO_NAT permit ip object-group dmz_hosts object-group to_dc2


I think this only needs to be added in the DC1 ASA since you found that is already configured in the DC2 ASA.


As a comment, if you have access-lists assigned to the ASA's interfaces, just make sure the traffic is allowed; start by permitting IP traffic between hosts and then you can narrow down to only permit the actual hosts and ports.


I hope this information helps you, 

Have a great day!

Best regards,


Osvaldo Garcia
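
An added example, not part of either post and not Cisco tooling: a Python check that one ASA's crypto ACL mirrors the peer's and has a matching NAT exemption, which is what items [1] and [2] in the reply above ask for. The addresses and the crypto ACL names `vpn_dc2` and `vpn_dc1` are constructed assumptions; the object-group names follow the thread.

```python
import ipaddress, re

# Constructed sample configs: addresses and crypto ACL names are assumptions.
DC1 = """\
object-group network local_hosts
 network-object 10.1.10.0 255.255.255.0
object-group network dmz_hosts
 network-object 10.1.50.0 255.255.255.0
object-group network to_dc2
 network-object 10.2.10.0 255.255.255.0
access-list vpn_dc2 extended permit ip object-group local_hosts object-group to_dc2
access-list no_nat extended permit ip object-group local_hosts object-group to_dc2
"""
DC2 = """\
object-group network lan_local
 network-object 10.2.10.0 255.255.255.0
object-group network to_dc1
 network-object 10.1.10.0 255.255.255.0
 network-object 10.1.50.0 255.255.255.0
access-list vpn_dc1 extended permit ip object-group lan_local object-group to_dc1
"""

def groups(cfg):
    """Map each network object-group name to the set of networks it contains."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            cur = out.setdefault(m.group(1), set())
        elif m := re.match(r"\s+network-object (\S+) (\S+)", line):
            cur.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return out

def flows(cfg, acl):
    """Expand 'permit ip object-group A object-group B' entries into (src, dst) pairs."""
    g = groups(cfg)
    pat = (rf"access-list {re.escape(acl)} (?:extended )?permit ip "
           r"object-group (\S+) object-group (\S+)")
    return {(s, d) for a, b in re.findall(pat, cfg) for s in g[a] for d in g[b]}

def audit(local_cfg, crypto, no_nat, remote_cfg, remote_crypto):
    """Flows the peer encrypts that lack a mirrored local crypto or no-NAT entry."""
    wanted = {(d, s) for s, d in flows(remote_cfg, remote_crypto)}
    return {"crypto": wanted - flows(local_cfg, crypto),
            "no_nat": wanted - flows(local_cfg, no_nat)}
```

With the sample configs, `audit(DC1, "vpn_dc2", "no_nat", DC2, "vpn_dc1")` reports the DMZ-to-DC2 flow as missing from both ACLs at DC1. The comparison is an exact network match, so an entry covered only by a supernet is still reported.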