07-28-2010 06:24 AM - edited 03-11-2019 11:17 AM
Dear all,
I have some complicated source and destination translation that I need to do on an ASA firewall, version 8.2.1; below are the details:
site A 192.168.1.0/24 firewall--------------Site B 192.168.2.0/24 ASA------------Site C 192.168.3.0/24 firewall or Site D public internet
Site A and B are IPSEC VPN connected, B and C are IPSEC VPN connected.
What I want to achieve is to allow Site A servers to access the FTP server in Site C and Site D without making changes to Site A's firewall, since those firewalls belong to other partners and it takes a very, very long time for them to respond to any change request. Site B is our company's firewall and we can make any changes on it.
My optimum thinking is: to access the FTP server in Site C from Site A, it will FTP to a virtual address in Site B, e.g. 192.168.2.222,
1) then in Site B's firewall it will translate the FTP packet's source to Site B's address, e.g. 192.168.2.111,
2) translate the packet's destination from 192.168.2.222 to 192.168.3.121 (the FTP server).
Access to Site D follows the same logic, except that Site B to Site D is a normal internet connection.
So far I can do 1), the source translation, but can't do 2). Does anyone have ideas for that?
Andrew
07-28-2010 06:40 AM
Hello,
I am assuming that you are U-turning the traffic on the ASA, i.e. when the traffic from Site A hits your firewall, you will send it through another tunnel on the same firewall. With that, you could try the configuration below:

    access-list FTP_Server permit ip host 192.168.3.121 192.168.1.0 255.255.255.0
    static (outside,outside) 192.168.2.222 access-list FTP_Server
    same-security-traffic permit intra-interface

This will translate 192.168.3.121 to 192.168.2.222 when going to Site A. You need to make sure that you modify your crypto ACLs accordingly to accommodate connections from Site A to 192.168.2.222 and from your site to Site C.
Hope this helps.
Regards,
NT
07-29-2010 04:20 AM
Dear NT,
I have entered the three commands but still can't get it to work. What do you mean by "modify your crypto ACLs accordingly to accommodate connections from Site A to 192.168.2.222 and from your site to Site C"? Since all three sites have the full subnets set in the VPN settings and also in the ACLs, and I am accessing 192.168.2.222, which is part of the Site B subnet, I don't know what to modify.
I also need Site A to access Site D, which is an internet FTP server, and this task is more urgent for me. It seems more complicated, since I have to do dynamic source translation for the Site A subnet to the Site B ASA's outside interface.
Before I posted this thread, I actually searched a lot on the internet and found some suggestions, both from the internet and from Cisco docs, but still can't get it to work. I have attached the notes I've marked down.
Thank you very much.
Andrew
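As an added example (not part of NT's answer or Andrew's posts), this is how NT's destination static, the source translation from step 1, and the Site D case Andrew asks about could be laid out together in ASA 8.2 (pre-8.3) NAT syntax. The interface name outside, the ACL names, the second virtual address 192.168.2.223, the placeholder <SITE_D_FTP_IP> and the assumption that the policy NAT ACL is matched against the real (untranslated) destination are all assumptions, so confirm the flow with packet-tracer before relying on it.

```text
! Constructed ASA 8.2 example; addresses are the ones from the thread,
! interface and ACL names are assumptions.
same-security-traffic permit intra-interface

! Step 2 (Site C): Site A connects to the virtual address 192.168.2.222;
! the policy static untranslates it to the real FTP server 192.168.3.121,
! but only for traffic to/from the Site A subnet.
access-list FTP_C_POLICY extended permit ip host 192.168.3.121 192.168.1.0 255.255.255.0
static (outside,outside) 192.168.2.222 access-list FTP_C_POLICY

! Step 1 (Site C): source-PAT Site A hosts to the Site B address 192.168.2.111
! on the way into the B<->C tunnel. Assumes the policy ACL sees the real
! destination (192.168.3.121) after the static untranslation above.
access-list NAT_A_TO_C extended permit ip 192.168.1.0 255.255.255.0 host 192.168.3.121
nat (outside) 2 access-list NAT_A_TO_C
global (outside) 2 192.168.2.111

! Site D (internet FTP server): a second virtual address, 192.168.2.223, is
! untranslated to the public server, and Site A hosts are PATed to the
! outside interface address. <SITE_D_FTP_IP> is a placeholder.
access-list FTP_D_POLICY extended permit ip host <SITE_D_FTP_IP> 192.168.1.0 255.255.255.0
static (outside,outside) 192.168.2.223 access-list FTP_D_POLICY
access-list NAT_A_TO_D extended permit ip 192.168.1.0 255.255.255.0 host <SITE_D_FTP_IP>
nat (outside) 3 access-list NAT_A_TO_D
global (outside) 3 interface

! Crypto ACL consequence: 192.168.2.111 now appears as a source inside the
! B<->C tunnel, so the crypto ACL toward Site C (and Site C's mirror of it)
! must cover it; the A<->B crypto ACL already covers 192.168.2.222 and
! 192.168.2.223 if it lists the whole 192.168.2.0/24.

! Verification from the ASA CLI (run for each virtual address):
! packet-tracer input outside tcp 192.168.1.10 1025 192.168.2.222 21
! show xlate
```

The ASA's default FTP inspection rewrites the addresses embedded in PORT/PASV for translated flows, so leave inspect ftp in the global policy when using this.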