access-list no_nat extended permit ip object-group local_hosts object-group to_dc2
But I don't see a no_nat for the DMZ such as
access-list no_nat extended permit ip object-group dmz_hosts object-group to_dc2
Could that be the issue?
At DC2 I see
access-list inside_out extended permit ip object-group local_hosts_dc2 object-group to_dc1
to_dc1 does include the subnet for the dmz and local_hosts_dc2 does include the subnet that contains the backup device
nat (inside,outside) source static lan_local lan_local destination static no_nat no_nat no-proxy-arp route-lookup
Again, no_nat in this case does include the DMZ at DC1, and lan_local includes the subnet of the backup device.
When I show the access-lists there is no hit-counter increment for it, so I know neither of my rules is being hit. dmz_out is tied to the DMZ with access-group dmz_out in interface dmz.
Thanks for contacting us! My name is Osvaldo García, from what I understood you need that a device located in the INSIDE network of the ASA at DC2 back up devices located in the DMZ network of the ASA at DC1, is that correct?
Please make sure that these 2 requirements are configured:
1. Review the access-list used in the crypto map; the command should be like:
crypto map <NAME> x match address <ACL>
This access-list should contain a statement with the DMZ network address as the source and the LOCAL LAN of DC2 as the destination, i.e.:
access-list <NAME> permit ip object-group dmz_hosts object-group to_dc2
NOTE: Please make sure to use IP as the permitted protocol. Also make sure to add this statement to the ACL used in the crypto map at DC2 in the opposite direction, i.e.:
access-list <NAME> permit ip object-group lan_local object-group dmz_hosts_at_DC1
2. Please add the statement to the NO_NAT access-list for the same traffic, i.e.:
access-list NO_NAT permit ip object-group dmz_hosts object-group to_dc2
I think this only needs to be added on the DC1 ASA, since you found that it is already configured on the DC2 ASA.
As a comment, if you have access-lists assigned to the ASA's interfaces, just make sure the traffic is allowed: start by permitting IP traffic between the hosts and then you can narrow it down to only permit the actual hosts and ports.
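The two requirements above, written out as a complete configuration for both ASAs (8.3+ syntax) together with the commands used to confirm the fix. This is an added example, not configuration from the original thread or from Cisco. It reuses the object-group names from the thread (local_hosts, dmz_hosts, to_dc2, lan_local, dmz_hosts_at_DC1, dmz_out); the subnets, the crypto ACL and crypto map names (outside_cryptomap, outside_map), the peer addresses and the test hosts are assumed placeholders.

```cisco
! ===== DC1 ASA =====
! Assumed: DMZ is 10.1.20.0/24, DC2 LAN is 10.2.0.0/16, DC2 peer is 203.0.113.2,
! the site-to-site entry is crypto map "outside_map" sequence 10.
object-group network dmz_hosts
 network-object 10.1.20.0 255.255.255.0
object-group network to_dc2
 network-object 10.2.0.0 255.255.0.0
!
! Requirement 1: the crypto ACL needs a DMZ -> DC2 line next to the existing
! inside -> DC2 line. Protocol must be ip, and DC2 must carry the exact mirror.
access-list outside_cryptomap extended permit ip object-group local_hosts object-group to_dc2
access-list outside_cryptomap extended permit ip object-group dmz_hosts object-group to_dc2
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.2
!
! Requirement 2: NAT exemption (identity twice NAT) on the DMZ interface pair.
! The existing exemption only covers (inside,outside). The crypto ACL is
! evaluated against post-NAT addresses, so if a dynamic PAT rule covers the DMZ
! the translated source never matches the tunnel and the ACL counter stays at 0.
nat (dmz,outside) source static dmz_hosts dmz_hosts destination static to_dc2 to_dc2 no-proxy-arp route-lookup
!
! The interface ACL on the DMZ still applies to tunnel traffic: permit ip first,
! then narrow to the backup hosts and ports once the tunnel is confirmed.
access-list dmz_out extended permit ip object-group dmz_hosts object-group to_dc2
access-group dmz_out in interface dmz
!
! ===== DC2 ASA =====
! Assumed: DC1 peer is 203.0.113.1. dmz_hosts_at_DC1 holds the DC1 DMZ subnet
! (the thread says to_dc1 already contains it; a dedicated group is used here
! so the crypto ACL line is the exact mirror of the DC1 line above).
object-group network dmz_hosts_at_DC1
 network-object 10.1.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group lan_local object-group dmz_hosts_at_DC1
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.1
nat (inside,outside) source static lan_local lan_local destination static dmz_hosts_at_DC1 dmz_hosts_at_DC1 no-proxy-arp route-lookup
!
! ===== Verification =====
! On DC1, simulate a DMZ host replying to the backup device (assumed 10.2.1.50):
packet-tracer input dmz tcp 10.1.20.10 12345 10.2.1.50 445
! On DC2, simulate the backup device reaching a DMZ host:
packet-tracer input inside tcp 10.2.1.50 12345 10.1.20.10 445
! Then confirm the exemption is the matching NAT rule, the crypto ACL hit
! counters increment, and an SA with the DMZ subnet as a proxy identity exists:
show nat
show access-list outside_cryptomap
show crypto ipsec sa peer 203.0.113.2
```

In the packet-tracer output the NAT phase should report the identity rule (no translation) and the VPN phase should show the packet being encrypted; a DROP in either phase points at the exemption or at the crypto ACL as the missing piece, while a DROP in the ACCESS-LIST phase means the interface ACL is the blocker.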