accessing outside IP of NATed services from VPN on same IF?

Unanswered Question
Sep 21st, 2010

We have two datacenters, with an ASA 5510 pair in one (datacenter A) and an ASA 5520 pair in the other (datacenter B).  The 5510 presents multiple web-based services to the Internet via static NAT.  We also have a site-to-site VPN connecting the two datacenters.  Prior to installing the ASA 5510s, we had some open-source managed firewalls which made the same web services Internet-accessible.  To eliminate the need to configure and manage split-horizon DNS, we used the external addresses of DC A to access the web services from DC B.  There were never any connectivity issues.

Since upgrading to the 5510s, we can't access any external addresses on the 5510s from the LAN subnet (behind the 5520s) in DC B.  We have hairpinning/U-turn enabled for the 5510 and 5520s, and we know that works because we have remote access users that required it.  The site-to-site VPN tunnels terminate on the same interface to which the web services are NATed.

Is it possible for traffic coming through a VPN tunnel terminating on an ASA to access addresses NATed to the same interface?  If so, what should I be looking for as missing in my configuration?

Some data to illustrate what I mean:

DC B private subnet: 10.0.0.0/24

DC A private subnet: 10.1.0.0/24

DC A public subnet: 2.2.2.0/24

webservice: 10.1.0.10 NAT to 2.2.2.10

webservice: 10.1.0.25 NAT to 2.2.2.25

We need to be able to connect from 10.0.0.1 to 2.2.2.10 and 2.2.2.25.  Both connections fail.  We have to connect to 10.1.0.10 and 10.1.0.25, with separate DNS zones/records required.

Nagaraja Thanthry Tue, 09/21/2010 - 06:26

Hello,

Most likely on your Crypto ACL, you are missing entries that encrypt traffic from 10.x.x.x subnet to 2.2.2.x subnet. Please try the following on both firewalls:

On DC B Firewall:

  ! <CRYPTO-ACL> and <NAT-EXEMPT-ACL> are placeholders: the reply does not give the ACL names.
  ! The second entry is presumed to be the NAT exemption (nat 0) ACL for the tunnel.
  access-list <CRYPTO-ACL> permit ip 10.0.0.0 255.255.255.0 2.2.2.0 255.255.255.0
  access-list <NAT-EXEMPT-ACL> permit ip 10.0.0.0 255.255.255.0 2.2.2.0 255.255.255.0

On DC A Firewall:

  access-list <CRYPTO-ACL> permit ip 2.2.2.0 255.255.255.0 10.0.0.0 255.255.255.0
  ! 'host' takes a single address and no mask; a /24 is written in netmask form.
  ! The ACL names and the destination of these deny entries are not given in the reply.
  access-list <NAT-ACL> line 1 deny ip 10.0.0.0 255.255.255.0 <DESTINATION>
  access-list <NAT-ACL> line 2 deny ip 10.0.0.0 255.255.255.0 <DESTINATION>

Hope this helps.

Regards,

NT
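To make the diagnosis in the reply concrete, here is an added checker (not from the thread or from Cisco) that parses ASA-style crypto ACL entries for both peers and reports whether a flow such as 10.0.0.1 to 2.2.2.10 is classified as interesting traffic on both ends and whether the two ACLs mirror each other; the ACL names and the "before" configs are constructed for the example.

```python
import ipaddress
import re

# ASA ACE: access-list NAME permit|deny ip SRC SRCMASK DST DSTMASK (masks are netmasks, not wildcards)
ACE_RE = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

# Constructed sample configs; the ACL names are invented for this example.
DCB_BEFORE = "access-list DCB-TO-DCA permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0"
DCA_BEFORE = "access-list DCA-TO-DCB permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0"
DCB_AFTER = DCB_BEFORE + "\naccess-list DCB-TO-DCA permit ip 10.0.0.0 255.255.255.0 2.2.2.0 255.255.255.0"
DCA_AFTER = DCA_BEFORE + "\naccess-list DCA-TO-DCB permit ip 2.2.2.0 255.255.255.0 10.0.0.0 255.255.255.0"


def parse_crypto_acl(config):
    """Return [(action, src_net, dst_net), ...] in config order; unrelated lines are skipped."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            _, action, src, smask, dst, dmask = m.groups()
            aces.append((action, ipaddress.ip_network(f"{src}/{smask}"),
                         ipaddress.ip_network(f"{dst}/{dmask}")))
    return aces


def first_match(aces, src_ip, dst_ip):
    """ACLs are first-match; no match means the flow is not interesting traffic (sent unencrypted)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in aces:
        if src in s and dst in d:
            return action
    return None


def is_mirrored(local, remote):
    """Every permit ACE must appear reversed on the peer, or the SA for that flow will not negotiate."""
    return ({(s, d) for a, s, d in local if a == "permit"}
            == {(d, s) for a, s, d in remote if a == "permit"})


def flow_encrypted(local, remote, src_ip, dst_ip):
    """True only when both peers classify the flow (and its return traffic) as interesting."""
    return (first_match(local, src_ip, dst_ip) == "permit"
            and first_match(remote, dst_ip, src_ip) == "permit")


def diagnose(dcb_cfg, dca_cfg, src_ip="10.0.0.1", dst_ip="2.2.2.10"):
    b, a = parse_crypto_acl(dcb_cfg), parse_crypto_acl(dca_cfg)
    return {"mirrored": is_mirrored(b, a), "encrypted": flow_encrypted(b, a, src_ip, dst_ip)}


if __name__ == "__main__":
    print("before:", diagnose(DCB_BEFORE, DCA_BEFORE))  # encrypted False: leaves DC B in the clear
    print("after: ", diagnose(DCB_AFTER, DCA_AFTER))    # encrypted True
```

A "permit" on both sides only means the flow enters the tunnel; the NAT exemption on DC B and the hairpin on DC A's outside interface still have to allow it, as the thread discusses.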
