03-08-2010 03:47 AM - edited 03-06-2019 10:02 AM
Hi,
On my ASA firewall I've got a connection where I specify a static route for the destination IP of 10.138.24.228. However, I've now set up a VPN to the same location; however, the destination IP I've been given is 10.92.24.228. The problem I have is our applications are written to connect to 10.138.24.228, and so if we lose this connection we would need to go down the VPN; however, given the VPN device is using different destination IPs, this won't work.
Can someone please show me how I can NAT the 10.92.24.228 IP so it is masked and shown as 10.138.24.228?
I imagine at the very least in a failover scenario I would have to manually change the static route to point towards the outside interface, i.e. the VPN, am I right?
Thanks
Dan
03-08-2010 07:54 AM
dan_track wrote:
Hi,
On my ASA firewall I've got a connection where I specify a static route for the destination IP of 10.138.24.228. However, I've now set up a VPN to the same location; however, the destination IP I've been given is 10.92.24.228. The problem I have is our applications are written to connect to 10.138.24.228, and so if we lose this connection we would need to go down the VPN; however, given the VPN device is using different destination IPs, this won't work.
Can someone please show me how I can NAT the 10.92.24.228 IP so it is masked and shown as 10.138.24.228?
I imagine at the very least in a failover scenario I would have to manually change the static route to point towards the outside interface, i.e. the VPN, am I right?
Thanks
Dan
Dan
Assuming you want to NAT it so devices on the inside can send packets to 10.92.24.228 and they get NATed to 10.138.24.228?
static (outside,inside) 10.92.24.228 10.138.24.228 netmask 255.255.255.255
As for changing the static route, yes you would, but the ASA does support route tracking so you may be able to automate this. I say may because it would need testing.
One thing though, I'm assuming your current static route has a next-hop that is reachable from the ASA on a different interface than you want to apply the crypto map? If they are the same then the traffic will always activate the VPN.
Jon
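The route tracking mentioned in the reply above, as an added configuration sketch that is not part of the original posts and has not been tested against this setup. The interface name `wan`, the next-hop addresses 192.0.2.1 and 198.51.100.1, and the SLA and track numbers are assumptions; only 10.138.24.228 and the `outside` interface come from the thread.

```cisco
! Added example, pre-8.3 ASA syntax. Assumed values:
!   wan          = interface carrying the existing static route (hypothetical name)
!   192.0.2.1    = next hop of the existing route (placeholder)
!   198.51.100.1 = next hop on the outside interface (placeholder)

! Probe the destination over the primary path with ICMP echo.
sla monitor 10
 type echo protocol ipIcmpEcho 10.138.24.228 interface wan
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Track object 1 is up while the probe gets replies.
track 1 rtr 10 reachability

! Primary route: installed only while track 1 is up.
route wan 10.138.24.228 255.255.255.255 192.0.2.1 1 track 1

! Floating backup route via the outside (VPN) interface. The higher
! administrative distance keeps it out of the routing table until the
! tracked route is withdrawn.
route outside 10.138.24.228 255.255.255.255 198.51.100.1 254
```

`show track 1` and `show route` confirm which of the two routes is installed. The probe target has to answer ICMP echo on the primary path, otherwise the tracked route is withdrawn while the link is still healthy.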
03-09-2010 06:42 AM
Thanks Jon,
Sorry for the late reply. What I need is essentially the application to connect to 10.138.24.228 via the VPN, so that the application is totally unaware of the 10.92.24.228 IP.
Is that possible?
Thanks
Dan