01-29-2009 11:19 PM - edited 03-11-2019 07:44 AM
Hi,
I have two networks, 1 & 2. Both have separate internet connections.
ASA1 in network1 has three interfaces: inside (192.168.1.0/24), dmz (172.16.1.0/24) and outside (56.*.*.*/28). Its DMZ has connectivity to a layer 3 switch of the second network, network2. Network2 has some servers with public IP 210.*.*.23, with DNS name mywebsite.com and corresponding private IP 10.10.128.121.
Right now, when a host in 192.168.1.0/24 requests mywebsite.com or the 210.*.*.23 server, the traffic routes through the internet, wasting internet bandwidth.
Could anyone please help me to direct this traffic (i.e. all traffic from 192.168.1.0/24 to mywebsite.com or 210.*.*.23) through the DMZ of the ASA to the layer 3 switch?
This layer 3 switch in network2 is behind the ASA2, so the traffic to 210.*.*.23 has to be NATed to 10.10.128.121 also.
Your help is highly appreciated.
Regards
01-30-2009 12:36 AM
Hi,
First of all, you need static routes (on both of your ASAs and your layer 3 switches).
You will also need proper access rules to allow this.
One more thing, you will need NAT exclude for packets moving between the 2 networks.
If you need more details, please attach a diagram of your network.
Cheers,
Muath
01-30-2009 01:58 AM
Hi Muath,
Thanks for your response. I have added access-lists & routes, but my concern is how to NAT my destination public IP (210.*.*.23) to 10.10.128.121 in ASA1 and divert that traffic through its DMZ.
Regards
Jithesh
01-30-2009 02:48 AM
Hi Jithesh,
Let me ask you a question: for the 210.*.*.* network, are the public IP addresses directly assigned to the servers, or do they have private IP addresses that are statically NATed to public IPs on ASA2?
01-30-2009 03:01 AM
Hi Muath,
They have private IP addresses and are statically NATed to public IPs on ASA2.
So can we NAT the destination IP (210.*.*.*) to 10.10.128.121 in ASA1?
Regards
Jithesh
01-30-2009 03:13 AM
No need,
it is simple: do a NAT exclude on both firewalls so that traffic between 192.168.1.0/24 and 10.10.128.0/24 doesn't get NATed, and both networks will be able to connect using their private IP addresses.
Cheers,
01-30-2009 03:19 AM
I am sorry. I could not express myself.
ASA1 is connected to a layer 3 switch which is behind the ASA2. So this traffic will not pass through ASA2.
Thanks
01-30-2009 03:31 AM
Since traffic will not be passing through ASA2, it's enough to do NAT exclude on ASA1.
NAT exclude shall look something like this:
access-list nat-exclude-acl line 1 extended permit ip 192.168.1.0 255.255.255.0 10.10.128.0 255.255.255.0
nat (inside) 0 access-list nat-exclude-acl
On ASA1, you also need to add a static route that looks something like this:
route DMZ 10.10.128.0 255.255.255.0 X
where X is the ip address of the layer 3 switch (the next hop).
On the layer 3 switch, you will need a static route that looks like this:
ip route 192.168.1.0 255.255.255.0 Y
where Y is the IP address of the DMZ interface on ASA1 (next hop).
Cheers
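Putting the pieces of the answer above together, as an added configuration example (not posted by the thread's participants): the ASA1 side, the switch side and a packet-tracer check. X and Y are the same placeholders as in the answer, 210.X.X.23 stands for the masked public address, and the optional static destination-translation line is an added assumption, not something the answer prescribes.

```cisco
! ===== ASA1 (pre-8.3 NAT syntax, as used in the thread) =====
! Placeholders: X = address of the network2 layer 3 switch on the DMZ segment,
!               Y = address of ASA1's DMZ interface,
!               210.X.X.23 = the server's public address (masked in the thread).
!
! 1. NAT exemption: inside hosts keep their real source address toward network2.
access-list nat-exclude-acl extended permit ip 192.168.1.0 255.255.255.0 10.10.128.0 255.255.255.0
nat (inside) 0 access-list nat-exclude-acl
!
! 2. Send the network2 server subnet out of the DMZ instead of the default route.
route DMZ 10.10.128.0 255.255.255.0 X
!
! 3. (Assumption, not from the answer) Only traffic addressed to 10.10.128.121 takes
!    the DMZ path with steps 1-2; clients that still use the public address follow the
!    default route to the outside. A destination translation on ASA1 steers those too:
!    from the inside, 210.X.X.23 is rewritten to 10.10.128.121 and then routed per step 2.
static (DMZ,inside) 210.X.X.23 10.10.128.121 netmask 255.255.255.255
!
! 4. Verify on ASA1: the trace should end with output-interface DMZ and show
!    nat-exclude-acl as the NAT rule hit; output-interface outside means step 2 is missing.
packet-tracer input inside tcp 192.168.1.10 40000 10.10.128.121 80
!
! ===== Layer 3 switch in network2 (IOS) =====
! Return route for replies, pointing back at ASA1's DMZ interface. This assumes the
! servers' default gateway is this switch; if their gateway is ASA2, replies to
! 192.168.1.0/24 leave via the internet and the path becomes asymmetric.
ip route 192.168.1.0 255.255.255.0 Y
```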