cisco asa-asa tunnel from dmz port on one side - same subnets on both sides

This is a variation on the "same subnet on the inside on both sides of a tunnel".

I am not getting any crypto isa (deb crypto isa 40) when pinging from host in SiteA dmz to inside host on Site B.

(public ip's changed)

Site A

Site B

Hosts in Site B need to access a host in dmz at Site A (
However, the Site A has a connected route for

I'm using the typical solution to NAT the dmz subnet on Site A and the inside on Site B.

Site A
access-list acl_nat_siteb permit ip

access-list acl_crypto_siteb permit ip

static (dmz,outside) access-list acl_nat_siteb

crypto map map_siteb match address acl_crypto_siteb

Site B
access-list acl_nat_sitea permit ip

access-list acl_crypto_sitea permit ip

static (dmz,outside) access-list acl_nat_siteb

crypto map map_siteb match address acl_crypto_sitea
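The design above (policy NAT on each side so the peer sees a "made-up" subnet, with the crypto ACL matching the translated addresses, since the ASA applies NAT before the VPN/encrypt step) can be sanity-checked offline before touching the boxes. The following is an added example, not code from this thread or from Cisco; the subnets are constructed placeholders because the real addresses were sanitised out of the post, and the ACL names mirror the ones used above only for readability.

```python
"""Consistency check for the overlapping-subnet policy-NAT + IPsec design.

Added example, not from the thread. All addressing below is constructed
(the thread's addresses were sanitised). The rule it encodes: the NAT ACL
matches the REAL local subnet going to the peer's TRANSLATED subnet, the
crypto map ACL is evaluated after NAT and so must name the TRANSLATED
local subnet going to the peer's TRANSLATED subnet, and both crypto ACLs
must be exact mirrors of each other for phase 2 to negotiate.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Site:
    name: str
    real: Net         # subnet that really sits behind this ASA (dmz at Site A, inside at Site B)
    translated: Net   # "made-up" subnet the static policy NAT presents to the peer
    nat_acl: tuple    # (src, dst) of the ACL bound to "static (<if>,outside) <mapped> access-list ..."
    crypto_acl: tuple  # (src, dst) of the ACL bound to "crypto map ... match address ..."


def check_pair(local: Site, peer: Site) -> list:
    """Return human-readable problems for one direction of the tunnel."""
    problems = []
    nat_src, nat_dst = local.nat_acl
    cry_src, cry_dst = local.crypto_acl

    # Policy NAT matches the real (pre-NAT) source addressed to the peer's translated subnet.
    if nat_src != local.real:
        problems.append(f"{local.name}: NAT ACL source {nat_src} should be the real subnet {local.real}")
    if nat_dst != peer.translated:
        problems.append(f"{local.name}: NAT ACL destination {nat_dst} should be peer's translated subnet {peer.translated}")

    # The crypto ACL sees post-NAT addresses, so it must use the translated local subnet.
    # Naming the real subnet here is the classic cause of a DROP at the VPN/encrypt phase.
    if cry_src != local.translated:
        problems.append(f"{local.name}: crypto ACL source {cry_src} should be the translated subnet {local.translated}")
    if cry_dst != peer.translated:
        problems.append(f"{local.name}: crypto ACL destination {cry_dst} should be peer's translated subnet {peer.translated}")

    # Phase 2 proxy IDs must mirror: my (src, dst) == peer's (dst, src).
    if (cry_src, cry_dst) != (peer.crypto_acl[1], peer.crypto_acl[0]):
        problems.append(
            f"{local.name}: crypto ACL {cry_src}->{cry_dst} is not the mirror of "
            f"{peer.name}'s {peer.crypto_acl[0]}->{peer.crypto_acl[1]}"
        )

    # A translated subnet that collides with any real subnet (or the peer's translation)
    # defeats the purpose of translating at all.
    for other in (local.real, peer.real, peer.translated):
        if local.translated.overlaps(other):
            problems.append(f"{local.name}: translated subnet {local.translated} overlaps {other}")
    return problems


def check_tunnel(a: Site, b: Site) -> list:
    """Check both directions; an empty list means the design is consistent."""
    return check_pair(a, b) + check_pair(b, a)


# Constructed placeholder addressing: the same subnet really exists on both sides.
REAL = Net("192.168.1.0/24")
A_XLATE = Net("10.100.1.0/24")   # Site A dmz hosts as Site B sees them
B_XLATE = Net("10.100.2.0/24")   # Site B inside hosts as Site A sees them

SITE_A_OK = Site("SiteA", REAL, A_XLATE, nat_acl=(REAL, B_XLATE), crypto_acl=(A_XLATE, B_XLATE))
SITE_B_OK = Site("SiteB", REAL, B_XLATE, nat_acl=(REAL, A_XLATE), crypto_acl=(B_XLATE, A_XLATE))

# Common mistake: crypto ACL written with the real subnet instead of the translated one.
SITE_A_BAD = Site("SiteA", REAL, A_XLATE, nat_acl=(REAL, B_XLATE), crypto_acl=(REAL, B_XLATE))

if __name__ == "__main__":
    for label, a, b in (("correct design", SITE_A_OK, SITE_B_OK),
                        ("real subnet in crypto ACL", SITE_A_BAD, SITE_B_OK)):
        problems = check_tunnel(a, b)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Running it prints no problems for the correct pair and three for the broken one: the non-translated crypto ACL source on Site A, and the resulting mirror mismatch reported from each side. The same mirror check is what the peer performs when it compares proxy IDs in phase 2, which is why "show crypto ipsec sa" stays empty when the ACLs disagree.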
Sepist Commented:
Re-reading your OP it sounds like phase 2 isn't even building (so if you do "show crypto ipsec sa" you don't see anything). From site A you may want to run this through packet tracer and see if it drops or accepts:

"packet-tracer input inside tcp 555 80 detailed"

You can paste the results here and I can look at it if it doesn't make sense.
You're not accidentally doing NAT exemption are you? If you can post the sanitized config of each I can go through it real quick and verify NAT/Policy NAT is correct.
snowdog_2112 (Author) Commented:
There is a nat exemption on that DMZ port, but not for the tunnel. I need that to exempt traffic from the dmz into the inside, and to one other dmz port defined on the asa (

nat (dmz) 0 access-list acl_dmz_nonat

acl_dmz_nonat permit ip
acl_dmz_nonat permit ip

Would I need to also static map in place of the nat exemption?

static (dmz,inside) access-list acl_dmz_inside
static (dmz,dmz2) access-list acl_dmz_dmz2

acl_dmz_inside permit ip
acl_dmz_dmz2 permit ip
No, since they're not part of the encryption traffic it wouldn't be necessary.
snowdog_2112 (Author) Commented:
I made that change anyway. There is no "nat (dmz,outside) 0" of any kind. There are other nat 0's for other dmz ports but they are also acl-based.

The remote side too, with no dmz, does not show any crypto traffic.  I removed the nat 0 on that side as well.

This is Site B - the slightly less complex config.  This does not generate any crypto isa debugs when I "ping inside".

(I am external to both devices and only have ssh access to a device in the dmz at Site A - so I can try to ping from to an internal IP at Site B - that doesn't generate crypto debug either).

ASA Version 8.2(5)
hostname mmasa5505
enable password cLY95rSlw5/gj3iX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
clock timezone GMT 0
dns domain-lookup outside
dns server-group DefaultDNS
access-list acl_crypto_ibs extended permit ip
access-list in.outside extended permit icmp any any echo-reply
access-list acl_nat_inside_ibs extended permit ip
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp interface www www netmask
static (inside,outside)  access-list acl_nat_inside_ibs
access-group in.outside in interface outside
route outside 1

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address acl_crypto_ibs
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ssh inside
ssh timeout 30
management-access inside
dhcpd dns
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****
You don't have any ACL's configured, are you allowing VPN traffic via the "sysopt connection permit-vpn" command?
snowdog_2112 (Author) Commented:
I'm not getting phase 1 or phase 2.

The packet trace on Site B is dropped at the VPN step, after it NATs to the "made-up" address. It seems like the acl_crypto_ibs is not coming up with a match.

So it NATs to in the previous steps. Let me know if you need the entire packet trace. I'm editing the IPs, so the less I have to edit, the less likely I am to make a mistake here.

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xca1e5180, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x0, cs_id=0xc9d70848, reverse, flags=0x0, protocol=0
        src ip=, mask=, port=0
        dst ip=, mask=, port=0, dscp=0x0
I noticed earlier you are testing by doing "ping inside". You should be testing from a workstation on the inside and not from the ASA itself as typically you cannot ping across a VPN when sourcing from the ASA (there are ways around this but let's just stick to basics for testing)
snowdog_2112 (Author) Commented:
What is the "way around" pinging from the ASA into a tunnel?  That would be helpful.

I must have had a typo somewhere, or an overlapping nat on the Site A side.  I moved the connection to one of the other named dmz ports in a different local subnet (, and re-configured using the same principles, including the "nat (dmz4,outside) access-list acl_nat_remote"...

The tunnel came up and the packet-tracer on Site B no longer drops the packet - I'm guessing that means it was dropping it before because the tunnel was not up, and the "ping inside" from Site B was not enough to bring up the tunnel.

I still can't ping across, but the tunnel is up, which is my OP.

snowdog_2112 (Author) Commented:
Not the solution directly, but led me to rebuild the config on Site A and move the NAT to a different named dmz port.
The management-access interface command allows you to ping the ASA's inside interface