
How do you get site-to-site VPN from inside and dmz1?

Status
Not open for further replies.

captaintuba

Technical User
Oct 28, 2003
18
GB
I've been able to get a site-to-site VPN set up OK.
Each inside network can see the other inside network.
(H.Q. to ISP)

We have just added a dmz at our HQ site for web site staging and testing.

Now I need to allow one of the servers on the DMZ to connect to the ISP network using the VPN.

Is it just a question of:
1. adding another line on the crypto map match address ACL
2. adding another line to the NO-NAT acl
3. telling the ISP to allow in traffic from our DMZ subnet, or better still to restrict it to one node.

1.
current acl
Code:
access-list 90 permit ip ins.ide.net.0 255.255.255.0 host ISP.ISP.ISP.170

proposed extra acl
Code:
access-list 90 permit ip dmz.dmz.dmz.0 255.255.255.0 host ISP.ISP.ISP.170

Code:
crypto map ISP 20 match address 90

2. proposed extra line
Code:
access-list NO-NAT-ACL permit ip dmz.dmz.dmz.0 255.255.255.0 host ISP.ISP.ISP.170

Code:
nat (inside) 0 access-list NO-NAT-ACL

thanks C.T.
 
looks like you've figured it out yourself :) Since it is only a server on the DMZ I would use host dmz.dmz.dmz.dmz on both ACLs instead. And don't forget to issue a clear xlate after you configure the two ACL entries.
 
Thanks Mut,
I've already got the dmz.dmz.dmz.dmz version of code ready to go. I have to do this at 06:00 tomorrow before the early shift get in :-(
Thanks for the "clear xlate" reminder too.
C.T.
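On a PIX, a nat 0 exemption is bound to the interface the traffic enters on, so a NO-NAT entry that only hangs off nat (inside) 0 does nothing for a DMZ host: its packets get translated, no longer match the crypto map ACL, and leave the firewall outside the tunnel. The following checker is an added example, not part of this thread: it parses the three relevant statement types (interface addresses, access-lists, nat 0 and crypto map bindings) from a constructed PIX-style config with made-up RFC 1918 addresses, maps each crypto ACL source to its ingress interface, and reports any flow that has no matching nat 0 exemption on that interface.

```python
import ipaddress
import re

# Constructed sample PIX 6.x config (not the poster's addresses): the crypto ACL
# now covers a DMZ host, but the nat 0 exemption is bound only to "inside".
SAMPLE_CONFIG = """
ip address inside 10.1.1.1 255.255.255.0
ip address dmz1 192.168.50.1 255.255.255.0
access-list 90 permit ip 10.1.1.0 255.255.255.0 host 172.16.5.170
access-list 90 permit ip host 192.168.50.20 host 172.16.5.170
access-list NO-NAT-ACL permit ip 10.1.1.0 255.255.255.0 host 172.16.5.170
access-list NO-NAT-ACL permit ip host 192.168.50.20 host 172.16.5.170
nat (inside) 0 access-list NO-NAT-ACL
crypto map ISP 20 match address 90
"""

ADDR = r"(?:host (\S+)|(\S+) (\S+))"   # an ACL operand: "host X" or "NET MASK"

def _net(host, addr, mask):
    """Turn a 'host X' or 'NET MASK' ACL operand into an IPv4Network."""
    return ipaddress.ip_network(f"{host}/32" if host else f"{addr}/{mask}", strict=False)

def parse_acls(cfg):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for m in re.finditer(rf"^access-list (\S+) permit ip {ADDR} {ADDR}$", cfg, re.M):
        name, sh, sa, sm, dh, da, dm = m.groups()
        acls.setdefault(name, []).append((_net(sh, sa, sm), _net(dh, da, dm)))
    return acls

def check_nat_exemption(cfg):
    """List crypto-ACL flows that lack a nat 0 exemption on their ingress interface."""
    acls = parse_acls(cfg)
    # Interface subnets, so each crypto ACL source can be placed on an interface.
    ifaces = {i: ipaddress.ip_network(f"{a}/{m}", strict=False)
              for i, a, m in re.findall(r"^ip address (\S+) (\S+) (\S+)$", cfg, re.M)}
    # Which ACL (if any) provides the nat 0 exemption on each interface.
    nat0 = dict(re.findall(r"^nat \((\S+)\) 0 access-list (\S+)$", cfg, re.M))
    problems = []
    for acl in re.findall(r"^crypto map \S+ \d+ match address (\S+)$", cfg, re.M):
        for src, dst in acls.get(acl, []):
            iface = next((i for i, n in ifaces.items() if src.subnet_of(n)), None)
            exempt = acls.get(nat0.get(iface, ""), [])
            if (src, dst) not in exempt:
                problems.append(f"{src} -> {dst}: no 'nat ({iface}) 0' exemption")
    return problems
```

Adding a second statement, nat (dmz1) 0 access-list NO-NAT-ACL, to the sample clears the finding; the same ACL can serve both interfaces, and the check is worth re-running after the clear xlate so stale translations are not mistaken for a config fault.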
 