Thomas Jacoberger
asked on
Access DMZ VLAN on Cisco ASA 5510 from separate Cisco ASA 5505
Afternoon All,
I have two Cisco ASAs, in separate locations on different WANs. One is a 5510 and the other is a 5505. Both have Security Plus licenses. There is a VPN set up between the two devices so that I can access the inside networks from either location without issue. There is a DMZ set up on the 5510 which I can access from the inside network of the 5510. However, I am unable to access the DMZ interface from the 5505. I have a web server sitting on the 5510 DMZ interface and I need to be able to access it from the inside interface on the 5505.
What needs to be done to accomplish this?
Please post a sanitized config for both ASAs.
ASKER
Here is the 5505. Please ignore dmz1; it's not the DMZ in question, it's just being used for a separate wireless network. The DMZ I am trying to reach is on the 5510 config.
5510 coming.
5505.txt
ASKER
5510
5510.txt
You need to specify the traffic in your crypto ACLs; try adding the below:
On your ASA5510
access-list VPN extended permit ip 10.10.10.0 255.255.255.0 10.30.1.0 255.255.255.0
access-list vpn-nonat extended permit ip 10.10.10.0 255.255.255.0 10.30.1.0 255.255.255.0
access-list vpn-nonat extended permit ip 10.30.1.0 255.255.255.0 10.10.10.0 255.255.255.0
On your ASA5505
access-list outside_1_cryptomap extended permit ip 10.30.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.30.1.0 255.255.255.0
access-list nonat extended permit ip 10.30.1.0 255.255.255.0 10.10.10.0 255.255.255.0
Hope it helps.
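The two properties that answer relies on, that each peer's crypto ACL is the mirror image of the other's and that the same traffic is exempt from NAT in both directions, are easy to get wrong by hand. As an added example (not code from the thread or from Cisco), here is a small Python check of both properties over constructed sample ACLs; it assumes 10.20.1.0/24 as the 5510 inside subnet, which the page never names, and leaves the 5505 nonat list without its DMZ entries so the check has something to report.

```python
import ipaddress
import re
# Constructed sample ACLs modelled on the thread's proposal. The 5510 inside subnet
# 10.20.1.0/24 is assumed; the 5505 nonat list is deliberately missing its DMZ pairs.
ASA5510 = """
access-list VPN extended permit ip 10.20.1.0 255.255.255.0 10.30.1.0 255.255.255.0
access-list VPN extended permit ip 10.10.10.0 255.255.255.0 10.30.1.0 255.255.255.0
access-list vpn-nonat extended permit ip 10.20.1.0 255.255.255.0 10.30.1.0 255.255.255.0
access-list vpn-nonat extended permit ip 10.30.1.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list vpn-nonat extended permit ip 10.10.10.0 255.255.255.0 10.30.1.0 255.255.255.0
access-list vpn-nonat extended permit ip 10.30.1.0 255.255.255.0 10.10.10.0 255.255.255.0
"""
ASA5505 = """
access-list outside_1_cryptomap extended permit ip 10.30.1.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.30.1.0 255.255.255.0 10.10.10.1 255.255.255.0
access-list nonat extended permit ip 10.30.1.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list nonat extended permit ip 10.20.1.0 255.255.255.0 10.30.1.0 255.255.255.0
"""
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACL_RE = re.compile(rf"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+{IP}\s+{IP}\s+{IP}\s+{IP}$")

def parse_acl(config, name):
    """Collect the (src, dst) network pairs of one named ACL. Masks are applied
    (strict=False), so a stray host bit such as 10.10.10.1/24 compares as its
    network 10.10.10.0/24 instead of silently failing the mirror check."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            pairs.add((src, dst))
    return pairs

def missing_mirrors(local, peer):
    """Crypto ACLs must mirror each other: each local (src, dst) needs a peer
    (dst, src), or that traffic is never negotiated into the tunnel."""
    return sorted(f"{s} -> {d}" for s, d in local if (d, s) not in peer)

def missing_nat_exempt(crypto, nonat):
    """Tunnel-selected traffic must bypass NAT in both directions; otherwise it
    leaves with a translated source and never matches the crypto ACL."""
    needed = {p for s, d in crypto for p in ((s, d), (d, s))}
    return sorted(f"{s} -> {d}" for s, d in needed - nonat)

if __name__ == "__main__":
    vpn_5505 = parse_acl(ASA5505, "outside_1_cryptomap")
    print("5505 entries without a 5510 mirror:", missing_mirrors(vpn_5505, parse_acl(ASA5510, "VPN")))
    print("5505 tunnel traffic not NAT-exempt:", missing_nat_exempt(vpn_5505, parse_acl(ASA5505, "nonat")))
```

Run against the real sanitized configs, the second check is the one that points at the DMZ pairs still missing from the 5505 side.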
ASKER
Thanks for the response, but I still cannot ping my web server on the DMZ, 10.10.10.10.
ASKER
Any other ideas?
Log in to your ASA 5510 and type the below command, then post the output:
packet-tracer input inside icmp 10.30.1.20 8 0 10.10.10.10 detailed
ASKER CERTIFIED SOLUTION
ASKER
Was missing an access group.