
IKEv2 Site2Site on Cisco Router Tunnel Failed to Come Up

dissai (Level 1)
 

9 Replies

The traffic never hits the ACL.

And the reason, I think, is that you configured the ACL wrong.

The ACL must permit local LAN to remote LAN ONLY.

As I see it, you configured the ACL to permit local to remote and then remote to local!!!

That is wrong.

MHM

Hi MHM,

Thank you for responding.
I want to allow traffic from the DMZ Zone, where my server sits, to the OUTSIDE Zone.
Kindly assist with the correct ACL to apply per the earlier configuration I shared here. Thank you.

DI

access-list Zone-VPN extended permit ip object OBJ-SITE-ASA object OBJ-SITE-PARTNER
access-list Zone-VPN extended permit ip object OBJ-SITE-PARTNER object OBJ-SITE-ASA

!

access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-ASA object OBJ-SITE-PARTNER

 

The first two ACL lines are for traffic from LAN to remote and from remote to LAN to pass the zone.

The last ACL line is for the interesting traffic which you use in the crypto map.

MHM

ok

access-list Zone-VPN extended permit ip object OBJ-SITE-ASA object OBJ-SITE-PARTNER <- this is needed from DMZ to outside
access-list Zone-VPN extended permit ip object OBJ-SITE-PARTNER object OBJ-SITE-ASA <- this is needed from outside to DMZ

And share the latest config of IPsec IKEv2.

MHM

 

Hi MHM,

Here is the current IPsec running config:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 200.100.2.2 255.255.255.252
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 80
ip address 10.2.100.1 255.255.255.0
!

crypto ikev2 enable outside
!
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 20
lifetime seconds 86400
!
object network OBJ-SITE-ASA
Host 10.2.100.150
!
object network OBJ-SITE-PARTNER
host 196.45.100.101
!
object network OBJ-SITE-ASA-NAT
Host 201.100.1.10
!
access-list dmz_access_in extended permit ip object OBJ-SITE-ASA object OBJ-SITE-PARNER log
access-group dmz_access_in in interface DMZ
!
access-list Zone-VPN extended permit ip object OBJ-SITE-ASA object OBJ-SITE-PFSENSE

access-list Zone-VPN extended permit ip object OBJ-SITE-PARTNER object OBJ-SITE-ASA

!

nat (DMZ,outside) source static OBJ-SITE-ASA OBJ-SITE-ASA destination static OBJ-SITE-PARTNER OBJ-SITE-PARTNER no-proxy-arp route-lookup

!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-ASA object OBJ-SITE-PARTNER
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-PARTNER object OBJ-SITE-ASA
!
tunnel-group 100.2.100.1 type ipsec-l2l
tunnel-group 100.2.100.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key eve2partner
ikev2 local-authentication pre-shared-key eve2partner
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-256
!
crypto map CRYPTO-MAP 10 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 10 set peer 100.2.100.1
crypto map CRYPTO-MAP 10 set ikev2 ipsec-proposal VPN-TRANSFORM
!
crypto map CRYPTO-MAP interface outside
!

There is confusion between the ACL that permits traffic and the one used for IPsec, so I drew the topology below.
[image: Screenshot (267).png]
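As an added example (not code from this thread, from Cisco, or from either poster), here is a small Python checker that reads the ASA fragment posted above and reports the three things MHM's replies and the posted config point at: ACL lines that reference object names never defined with `object network`, a crypto-map (interesting-traffic) ACL that also carries a remote-to-local line, and an ACL that is defined but never applied to an interface or a crypto map. The local/remote decision is an assumption made for the example: an object counts as local when its `host` address falls inside one of the ASA's own interface subnets. The config text is embedded as a constructed sample, copied from the post with its object names left as posted.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the ASA fragment posted in this thread, with object names
# and ACL lines kept as posted so the checker has something to report.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 200.100.2.2 255.255.255.252
interface GigabitEthernet0/1
 nameif INSIDE
 ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet0/2
 nameif DMZ
 ip address 10.2.100.1 255.255.255.0
object network OBJ-SITE-ASA
 Host 10.2.100.150
object network OBJ-SITE-PARTNER
 host 196.45.100.101
object network OBJ-SITE-ASA-NAT
 Host 201.100.1.10
access-list dmz_access_in extended permit ip object OBJ-SITE-ASA object OBJ-SITE-PARNER log
access-group dmz_access_in in interface DMZ
access-list Zone-VPN extended permit ip object OBJ-SITE-ASA object OBJ-SITE-PFSENSE
access-list Zone-VPN extended permit ip object OBJ-SITE-PARTNER object OBJ-SITE-ASA
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-ASA object OBJ-SITE-PARTNER
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-PARTNER object OBJ-SITE-ASA
crypto map CRYPTO-MAP 10 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 10 set peer 100.2.100.1
crypto map CRYPTO-MAP interface outside
"""

# Only the object-to-object "permit ip" form used in the thread is parsed.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip object (\S+) object (\S+)")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) ")


def parse_config(text):
    """Collect interface subnets, host objects, ACL entries and where each ACL is applied."""
    cfg = {"subnets": [], "objects": {}, "acls": defaultdict(list),
           "used": set(), "crypto_acls": {}}
    current_obj = None
    for raw in text.splitlines():
        line = raw.strip()
        lower = line.lower()
        if lower.startswith("ip address "):
            ip, mask = line.split()[2:4]
            cfg["subnets"].append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
        elif lower.startswith("object network "):
            current_obj = line.split()[2]
            cfg["objects"][current_obj] = None   # filled in by the following 'host' line
        elif lower.startswith("host ") and current_obj:
            cfg["objects"][current_obj] = ipaddress.ip_address(line.split()[1])
        elif (m := ACL_RE.match(line)):
            cfg["acls"][m.group(1)].append((m.group(2), m.group(3)))
        elif (m := GROUP_RE.match(line)):
            cfg["used"].add(m.group(1))          # applied to an interface
        elif (m := CRYPTO_RE.match(line)):
            cfg["used"].add(m.group(3))          # used as a crypto-map match ACL
            cfg["crypto_acls"][m.group(3)] = f"{m.group(1)} {m.group(2)}"
    return cfg


def lint(text):
    """Return (kind, acl_name, detail) findings for the config text."""
    cfg = parse_config(text)
    findings = []

    def is_local(obj):
        # Assumption for this example: local means the host sits in an interface subnet.
        addr = cfg["objects"].get(obj)
        return addr is not None and any(addr in net for net in cfg["subnets"])

    for acl, entries in cfg["acls"].items():
        for src, dst in entries:
            for obj in (src, dst):
                if obj not in cfg["objects"]:
                    findings.append(("undefined-object", acl, obj))
        if acl not in cfg["used"]:
            findings.append(("acl-unused", acl, ""))

    # The interesting-traffic ACL should list local -> remote only; a line whose
    # source is not local is the reverse direction that does not belong there.
    for acl in cfg["crypto_acls"]:
        for src, _dst in cfg["acls"].get(acl, []):
            if src in cfg["objects"] and not is_local(src):
                findings.append(("crypto-acl-reverse", acl, src))
    return findings


if __name__ == "__main__":
    for kind, acl, detail in lint(SAMPLE_CONFIG):
        print(f"{kind:20} {acl:25} {detail}")
```

On the posted fragment the checker reports the two undefined object names in dmz_access_in and Zone-VPN, the reverse (partner to ASA) line in VPN-INTERESTING-TRAFFIC, and that Zone-VPN is not applied anywhere; the interface and crypto-map ACLs are separate objects on the ASA, which is the confusion MHM's topology drawing addresses.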

ok

You are so so welcome 

Have a nice day 

MHM