Cisco ASA-ASA tunnel from DMZ port on one side, same subnets on both sides
Posted on 2012-09-14
This is a variation on the "same subnet on the inside on both sides of a tunnel".
I am not getting any crypto ISAKMP output (deb crypto isa 40) when pinging from a host in the Site A dmz to an inside host at Site B.
(public ip's changed)
Hosts at Site B need to access a host in the dmz at Site A (192.168.7.10).
However, Site A has a connected route for 192.168.1.0/24.
I'm using the typical solution to NAT the dmz subnet on Site A and the inside on Site B.
! Site A ASA: dmz 192.168.7.0/24 is presented to Site B as 10.222.111.0/24
access-list acl_nat_siteb permit ip 192.168.7.0 255.255.255.0 10.155.233.0 255.255.255.0
access-list acl_crypto_siteb permit ip 10.222.111.0 255.255.255.0 10.155.233.0 255.255.255.0
static (dmz,outside) 10.222.111.0 access-list acl_nat_siteb
crypto map map_siteb match address acl_crypto_siteb
! Site B ASA: 192.168.1.0/24 is presented to Site A as 10.155.233.0/24
access-list acl_nat_sitea permit ip 192.168.1.0 255.255.255.0 10.222.111.0 255.255.255.0
access-list acl_crypto_sitea permit ip 10.155.233.0 255.255.255.0 10.222.111.0 255.255.255.0
! the static must reference the policy-NAT ACL defined on this box (acl_nat_sitea)
static (dmz,outside) 10.155.233.0 access-list acl_nat_sitea
crypto map map_siteb match address acl_crypto_sitea
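An added example, not part of the original post: a small Python checker that parses the two ASA fragments above (embedded below as constructed sample text, with the Site B static pointing at the ACL defined on that box) and verifies the three things that have to line up for a policy-NAT overlap tunnel: each side's translated network appears in its own crypto ACL, the two crypto ACLs mirror each other, and a host's traffic only matches the policy NAT (and therefore the crypto map) when it is sent to the peer's translated address rather than the real one. The function names, the checks themselves and the subset of ASA syntax it understands (only the `access-list ... permit ip`, `static ... access-list` and `crypto map ... match address` forms used above) are assumptions made for illustration, not anything from the ASA itself.

```python
import ipaddress
import re

# Constructed sample: the two fragments from the post, one per ASA.
SITE_A_CFG = """
access-list acl_nat_siteb permit ip 192.168.7.0 255.255.255.0 10.155.233.0 255.255.255.0
access-list acl_crypto_siteb permit ip 10.222.111.0 255.255.255.0 10.155.233.0 255.255.255.0
static (dmz,outside) 10.222.111.0 access-list acl_nat_siteb
crypto map map_siteb match address acl_crypto_siteb
"""
SITE_B_CFG = """
access-list acl_nat_sitea permit ip 192.168.1.0 255.255.255.0 10.222.111.0 255.255.255.0
access-list acl_crypto_sitea permit ip 10.155.233.0 255.255.255.0 10.222.111.0 255.255.255.0
static (dmz,outside) 10.155.233.0 access-list acl_nat_sitea
crypto map map_siteb match address acl_crypto_sitea
"""

# Only the three line shapes used in the post are recognised (assumption).
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map (\S+) match address (\S+)$")


def parse_asa(text):
    """Return the ACLs, policy statics and crypto-map ACL name of one ASA fragment."""
    acls, statics, crypto_acl = {}, [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, acl = m.groups()
            statics.append({"real_if": real_if, "mapped_if": mapped_if,
                            "mapped": ipaddress.ip_address(mapped), "acl": acl})
        elif m := CRYPTO_RE.match(line):
            crypto_acl = m.group(2)
    return {"acls": acls, "statics": statics, "crypto_acl": crypto_acl}


def check_site(site):
    """Findings for one ASA: dangling ACL references and NAT/crypto ACL agreement."""
    findings = []
    crypto = site["acls"].get(site["crypto_acl"], [])
    for st in site["statics"]:
        rules = site["acls"].get(st["acl"])
        if rules is None:
            findings.append(f"static references undefined ACL {st['acl']}")
            continue
        for real_src, dst in rules:
            # The translated network keeps the real network's prefix length.
            mapped_net = ipaddress.ip_network(f"{st['mapped']}/{real_src.prefixlen}", strict=False)
            if (mapped_net, dst) not in crypto:
                findings.append(f"crypto ACL lacks {mapped_net} -> {dst} (translated from {real_src})")
    return findings


def check_mirror(a, b):
    """Every crypto ACL entry on one side must appear reversed on the peer."""
    ca = a["acls"].get(a["crypto_acl"], [])
    cb = b["acls"].get(b["crypto_acl"], [])
    return [f"{s} -> {d} has no mirror on the peer" for s, d in ca if (d, s) not in cb]


def mapped_address(site, real_ip):
    """Address a remote host must use to reach real_ip behind this ASA's policy NAT."""
    ip = ipaddress.ip_address(real_ip)
    for st in site["statics"]:
        for real_src, _ in site["acls"].get(st["acl"], []):
            if ip in real_src:
                offset = int(ip) - int(real_src.network_address)
                return str(st["mapped"] + offset)
    return None


def nat_matches(site, src_ip, dst_ip):
    """True if a flow from src_ip to dst_ip hits this ASA's policy-NAT ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d
               for st in site["statics"]
               for s, d in site["acls"].get(st["acl"], []))


if __name__ == "__main__":
    site_a, site_b = parse_asa(SITE_A_CFG), parse_asa(SITE_B_CFG)
    print("Site A:", check_site(site_a) or "ok")
    print("Site B:", check_site(site_b) or "ok")
    print("Mirror:", check_mirror(site_a, site_b) or "ok")
    # A Site A dmz host must send to the translated address of the Site B host.
    target = mapped_address(site_b, "192.168.1.20")
    print("192.168.1.20 is reached via", target)
    print("to real address matches NAT:", nat_matches(site_a, "192.168.7.10", "192.168.1.20"))
    print("to mapped address matches NAT:", nat_matches(site_a, "192.168.7.10", target))
```

Run it to get a per-site report; the last two lines are the point of the exercise: a ping from the Site A dmz to the peer's real 192.168.1.x address never matches the policy NAT ACL, so it never reaches the crypto map and no ISAKMP debug output appears, while the same ping to the 10.155.233.x translated address does.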