Route unecrypted traffic back out a VPN

Unanswered Question
May 5th, 2010
User Badges:

We currently have a set of servers that are up and running at a Colo facility.  We are in the process of moving the operation to another Colo facility.  We currently have a site-to-site VPN between the old and the new Colos.    The firewalls in use at both sites are ASA 5510s.

What I am being asked to do is as servers are moved to the new location to take the current NATs and direct them to an address that would take it across the VPN to the new site.

I know that I can take inbound VPN traffic and hairpin it to another tunnel but in this case we are taking non-tunneled traffic and trying to put it back out the same interface on the VPN.  My one thought is to take an ASA 5505 that we have an move the NATS to it mapping those to the new addresses and then setting a route from the 5505 to point back towards the 5510 for the new colo subnet.

It would be nice to do it within the one firewall but may not be possible and also haven't been able to play with my workaround so I don't know the caveats with that plan yet either.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Wed, 05/05/2010 - 07:38
User Badges:
  • Green, 3000 points or more


You can re-route back out the same interface on the ASA encrypted traffic from a VPN tunnel into another VPN tunnel, or you can also do it with clear-text traffic.

It's a matter of having the correct NAT, routes and crypto configuration along with the same security permit intra-interface command.


mwkirk Wed, 05/05/2010 - 09:01
User Badges:

I've done it with VPN but never had success doing it with in the clear.  In my scenario, clear to clear might work for me but what would a NAT statement look like?

I would be trying to do something like a

static (Outside,Outside) Old-Colo-Address New-Colo-Address netmask

I don't think that would work.

Federico Coto F... Wed, 05/05/2010 - 09:15
User Badges:
  • Green, 3000 points or more

Now that you mentioned it, it seems that the same-security-permit intra-interface will work for VPN traffic to be either encrypted through another

tunnel or send in the clear to the Internet.

Anyway, I thought it also worked for receiving and re-routing clear text traffic.

The nat statement might look like this:

nat (outside) 1 x.x.x.x mask

global (outside) 1 interface

The STATIC NAT should also work.



This Discussion