Nat and route question

Unanswered Question
Mar 8th, 2010

Hi,

On my ASA firewall I've got a connection where I specify a static route for the destination IP of 10.138.24.228. However, I've now set up a VPN to the same location, but the destination IP I've been given is 10.92.24.228. The problem I have is our applications are written to connect to 10.138.24.228, and so if we lose this connection we would need to go down the VPN; however, given the VPN device is using different destination IPs, this won't work.

Can someone please show me how I can NAT the 10.92.24.228 IP so it is masked and shown as 10.138.24.228?

I imagine at the very least in a failover scenario I would have to manually change the static route to point towards the outside interface, i.e. the VPN, am I right?

Thanks

Dan

Jon Marshall Mon, 03/08/2010 - 07:54

dan_track wrote:

Hi,

On my ASA firewall I've got a connection where I specify a static route for the destination IP of 10.138.24.228. However, I've now set up a VPN to the same location, but the destination IP I've been given is 10.92.24.228. The problem I have is our applications are written to connect to 10.138.24.228, and so if we lose this connection we would need to go down the VPN; however, given the VPN device is using different destination IPs, this won't work.

Can someone please show me how I can NAT the 10.92.24.228 IP so it is masked and shown as 10.138.24.228?

I imagine at the very least in a failover scenario I would have to manually change the static route to point towards the outside interface, i.e. the VPN, am I right?

Thanks

Dan

Dan

Assuming you want to NAT it so devices on the inside can send packets to 10.92.24.228 and they get NATted to 10.138.24.228?

static (outside,inside) 10.92.24.228 10.138.24.228 netmask 255.255.255.255

As for changing the static route, yes you would, but the ASA does support route tracking so you may be able to automate this. I say may because it would need testing.

One thing though, I'm assuming your current static route has a next-hop that is reachable from the ASA on a different interface than you want to apply the crypto map? If they are the same then the traffic will always activate the VPN.

Jon

dan_track Tue, 03/09/2010 - 06:42

Thanks Jon,

Sorry for the late reply. What I need is essentially the application to connect to 10.138.24.228 via the VPN, so that the application is totally unaware of the 10.92.24.228 IP.

Is that possible?

Thanks

Dan
