Cisco Support Community

New Member

ASA 5505 Site-to-Site VPN to remote dmz access

I don't have a ton of experience with ASA firewalls, but I've searched everywhere and I can't seem to find a solution to this.

I have 2 sites connected by a Site-to-Site VPN with ASAs (5540 on Site 1, 5505 on Site 2). I'm using ASDM.

Let's call:

Site 1 LAN:

Site 2 LAN:

Site 2 DMZ:

Traffic from Site 1 to Site 2 moves perfectly across the LANs. My workstation ( can ping anything in Site 2's LAN (

Recently, I added a UniFi WAP device to Site 2 DMZ. Since I want to be able to manage this DMZ WAP from the LAN with a management server, I created a network object in Site 2's ASA. I called this object DMZ_WAP. IP address I checked the box for "Add Automatic Address Translation Rules" and configured Type to "Static" and Translated Addr to "" Source interface DMZ to Any destination interface. This of course created 2 "Network Object" NAT rules.

I then created a DMZ incoming rule that says Source: DMZ_WAP, Destination: net_site1_lan (this object was of course created for the site to site vpn), allow all IP traffic. I created an Outside incoming rule that says net_site1_lan can access DMZ_WAP.

Awesome, I can now ping from anywhere within Site 2. The problem is... I can't ping from my workstation in site 1 ( If I run Packet Tracer (interface dmz, packet type TCP, source port "echo", destination port "echo") everything turns up green checkmark, the packet is allowed. So why do I have no contact?

I apologize, as I realize ASDM isn't what most of you probably use. But does anyone have any ideas? I've been researching this for about 4 hours now; perhaps I'm barking up the wrong tree.



Super Bronze

I personally don't use ASDM for that many configurations, mainly to monitor things, so I can't help much with that. To be honest, it's much more time consuming to try to guide the changes through ASDM rather than seeing the CLI format configurations and suggesting the changes.

I would personally just add the DMZ network with its original IP address on the existing L2L VPN between the sites instead of doing a NAT. From there on it would be pretty straightforward:

  • Add the DMZ network to the L2L VPN connections ACL on both sites configurations
  • Add NAT0 configurations on both sites for the DMZ traffic

If you have 8.3 or newer software on Site 2, then the NAT0 / NAT Exempt configuration would be (presuming interface names):

object network DMZ


object network SITE1-LAN


nat (dmz,outside) source static DMZ DMZ destination static SITE1-LAN SITE1-LAN

And naturally the ACL addition to the L2L VPN connection would be:

access-list L2LVPN permit ip

And also the corresponding configurations on Site 1.

- Jouni

New Member

I can't add the entire network, as the unrestricted traffic on the Site 2 DMZ (users' smartphones, personal laptops, clients) is not allowed to enter the LAN at Site 2, and especially not at Site 1. I should have mentioned that. The thing we want to be able to pass through is the specific IP of the WAP. Once I figure out how to make it work at all, I'll be restricting down the allowed protocols to provide bare minimum monitoring. That's why I decided to NAT the WAP's IP to a LAN IP. I figure that way, the ASA 5540 at Site 1 will be perfectly okay with that IP address coming in. Any idea why Packet Tracer doesn't give me any feedback as to why this is failing?

Super Bronze

I would have to see the "packet-tracer" command used and the full output.

I imagine if you need to restrict traffic going from the DMZ to the same site's LAN and the remote site's LAN, you should really use the interface ACL and keep the NAT simple.

- Jouni
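Jouni's NAT-exempt approach from his first reply, narrowed to the single WAP host the original poster wants and combined with the interface ACL he suggests here, as an added example that is not from the thread. The addresses are placeholders, the object names follow the poster's config (net_SITE1_lan and net_SITE2_lan are assumed to already carry their subnets), and the Site 1 crypto ACL name is an assumption.

```cisco
! Added example, not from the thread. Site 2 ASA (5505), 8.4 syntax.
! Placeholders: 192.0.2.10 = WAP on dmz, 10.1.0.0/24 = Site 1 LAN.
object network SITE2_DMZ_WAP
 host 192.0.2.10
object network net_SITE1_lan
 subnet 10.1.0.0 255.255.255.0

! NAT exemption for the single host only (manual/twice NAT, section 1).
! Manual NAT is evaluated before the auto-NAT static already on the object,
! so the WAP keeps its real address toward Site 1 and no LAN IP is borrowed.
nat (dmz,outside) source static SITE2_DMZ_WAP SITE2_DMZ_WAP destination static net_SITE1_lan net_SITE1_lan

! Interesting traffic: one crypto ACL line for the host, not the DMZ subnet,
! so other DMZ clients never become VPN traffic.
access-list outside_cryptomap extended permit ip object SITE2_DMZ_WAP object net_SITE1_lan

! Interface ACL on dmz (restrict with the ACL, keep NAT simple): only the WAP
! may reach the Site 1 LAN; the rest of the DMZ stays off both LANs but may
! still reach the Internet.
access-list dmz_access_in extended permit ip object SITE2_DMZ_WAP object net_SITE1_lan
access-list dmz_access_in extended deny ip any object net_SITE1_lan
access-list dmz_access_in extended deny ip any object net_SITE2_lan
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz

! Site 1 ASA (5540), mirror image: same host object, reversed NAT exemption
! and crypto ACL line. Assumes net_SITE1_lan exists there and the crypto ACL
! is also named outside_cryptomap.
object network SITE2_DMZ_WAP
 host 192.0.2.10
nat (inside,outside) source static net_SITE1_lan net_SITE1_lan destination static SITE2_DMZ_WAP SITE2_DMZ_WAP
access-list outside_cryptomap extended permit ip object net_SITE1_lan object SITE2_DMZ_WAP
```

Because both the crypto ACL and the NAT rules must mirror each other on the two ASAs, a mismatch on either side shows up as a Phase 2 proxy-identity failure, which is exactly what a packet-tracer run from each side makes visible.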

New Member

The traffic is already restricted from the DMZ to the LAN, which is why I NAT'd to allow Site 2 LAN to hit the WAP IP. Again, I'm sorry if the way I'm asking things is off skew. I'm normally just a virtual infrastructure / Windows server guy. New employer needs SOMEONE to clean this stuff up. I just PuTTY'd in and got the config. Currently sanitizing it to post. From what everyone says, I guess it would be best for me to drop ASDM and just learn the CLI. Really appreciate the help, JouniForss.

New Member

Here's my sanitized config. Any help would be greatly appreciated. Again, the point is simply to make the object SITE2_DMZ_WAP that is off of the "dmz" interface talk with SITE1 over the site-to-site VPN. I can't let any other traffic through except this one IP. I currently have it NAT'd.

ASA Version 8.4(1)

no names
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address -OMITTED-
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address

interface Ethernet0/0
description Outside WAN1 port
switchport access vlan 2
interface Ethernet0/1
description Inside LAN port
interface Ethernet0/2
description Inside LAN port
interface Ethernet0/3
description Outside DMZ port
switchport access vlan 3
interface Ethernet0/4
description Outside DMZ port
switchport access vlan 3
interface Ethernet0/5
description Outside DMZ port
switchport access vlan 3
interface Ethernet0/6
description Outside DMZ port
switchport access vlan 3
interface Ethernet0/7
description Outside DMZ port
switchport access vlan 3
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name -OMITTED-
object network obj_any
object network net_SITE1_lan
object network net_SITE2_lan
object network net_SITE1_dmz
object network net_SITE2_dmz
object network SITE2_DMZ_WAP
object network
description FOR SITE2 WAP
access-list inside_access_in extended permit ip object net_SITE2_lan any
access-list inside_access_in extended deny tcp any any eq smtp
access-list outside_cryptomap extended permit ip object net_SITE2_lan object net_SITE1_lan
pager lines 24
logging enable
logging buffer-size 16384
logging buffered notifications
logging asdm notifications
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-643.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static net_SITE2_lan net_SITE2_lan destination static net_SITE1_lan net_SITE1_lan
object network obj_any
nat (inside,outside) dynamic interface
object network SITE2_DMZ_WAP
nat (dmz,any) static
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface

access-group inside_access_in in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authorization exec LOCAL
http server enable
http server idle-timeout 60
http inside
http outside
snmp-server host inside community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map CMAP_OUTSIDE 1 match address outside_cryptomap
crypto map CMAP_OUTSIDE 1 set peer -PEER OMITTED-
crypto map CMAP_OUTSIDE 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map CMAP_OUTSIDE 1 set reverse-route
crypto map CMAP_OUTSIDE interface outside
crypto ikev1 enable outside
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh inside
ssh outside
ssh timeout 60
ssh version 2
console timeout 60
management-access inside

dhcpd dns
dhcpd dns interface inside
dhcpd lease 34000 interface inside
dhcpd domain -DOMAIN OMITTED- interface inside
dhcpd update dns both interface inside
dhcpd address dmz
dhcpd dns interface dmz
dhcpd lease 34000 interface dmz
dhcpd enable dmz
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username -OMITTED- password -OMITTED- encrypted privilege 15
tunnel-group -IP OMITTED- type ipsec-l2l
tunnel-group -IP OMITTED- general-attributes
default-group-policy GroupPolicy1
tunnel-group -IP OMITTED- ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 5
class-map netflow-export-class
match any
class-map inspection_default
match default-inspection-traffic
class-map QoS_RDP
match access-list QoS_RDP_Server_Branch
class-map QoS_EA
match port tcp eq 2000
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns
  inspect ftp
  inspect http
  inspect icmp
  inspect icmp error
  inspect ils
  inspect ip-options
  inspect ipsec-pass-thru
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip 
  inspect snmp
  inspect xdmcp
class netflow-export-class
  flow-export event-type all destination
class QoS_RDP
class QoS_EA
service-policy global_policy global

prompt hostname context
profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily


Super Bronze

Can you use the "packet-tracer" command on the CLI of the ASA and share that output with us? You could actually check both directions (to and from the L2L VPN) and see what kind of output it produces.

Command format would be:

packet-tracer input dmz icmp 8 0

packet-tracer input outside icmp 8 0

The above would both simulate an ICMP Echo heading in either direction. The "8" and "0" in the command refer to the Type and Code of the ICMP message, and they are for ICMP Echo.

In the case of the "dmz" related command, if the L2L VPN connection isn't up when you first attempt it, then the first "packet-tracer" command will always fail. The second time you enter the command the L2L VPN should be up (if it already wasn't) and the output should then be accurate.

So if you can first take those outputs and share them with us we could confirm that correct rules/configurations are matched on the ASA.

- Jouni

Super Bronze

There is actually a default setting on the ASA that makes it so that ALL traffic coming through a VPN connection bypasses your "outside" interface ACL. So currently the ACL rule permitting Site 1 and Site 2 traffic doesn't have any effect, as it's bypassed.

The command you currently have enabled (the ASA default) is:

sysopt connection permit-vpn

If you were to change this global configuration to:

no sysopt connection permit-vpn

It would mean that ALL connections initiated to this site through VPN connections would also have to match the interface ACL rules on the interface where the VPN connection terminates (outside).

You might be wondering why the command above doesn't show in your configuration. With some commands the default setting is not shown in the configuration at all. When you change it, however, the nondefault setting will be shown.

If you were to use the command:

show run all

You would see ALL the default settings also, and that's a lot more output than a normal "show run".

You can also combine that with a more specific command like:

show run all sysopt

to list your system option settings.

- Jouni
