Site to site VPN

Answered Question
Posted July 12, 2012 at 12:44 PM

I've 2 ASDM 5510 connected with an IPsec site-to-site VPN tunnel.

Subnet A and Subnet B.

Subnet A is our main site and Subnet B is our resource site.

Here is our setting:

Subnet A:

Outside interface - default ISP Internet

Inside interface - default local LAN, 192.168.1.102/24

Subnet B:

Outside interface - ISP Internet

Inside interface - local LAN, 10.1.0.1/16

Now I want to redirect traffic that comes over the outside interface (internet) to a specific IP on [subnet A] (192.168.1.102) to an IP on [Subnet B] (10.1.0.1).

Is it possible?

Thanks

Correct Answer by Ramraj.Sivagnanam (Wed, 07/25/2012 - 03:07)

Hi Bro

This cannot be achieved. I made a mistake by saying yes earlier, unless you were to use the DYNAMIC OUTSIDE NAT method. This method will complicate everything, and will mess up your whole Cisco FW configuration. I don’t know anyone that has done this before in my life.

The reason this can't work is that, if an outside user were to access the Public IP that's mapped statically in the Site A FW to 192.168.1.102, this traffic would then be routed to the Site B FW via the existing site-to-site VPN, which won't work. This is because in your VPN ACL, the network addresses specified are only 192.168.1.0/24 and 10.1.0.0/24, and nothing else.

What I would suggest you do is perform a static NAT in the Site B FW, and get all Internet users to speak to that Public IP Address instead. This makes things much easier and simpler.

P/S: If you think this comment is helpful, please do rate it nicely.

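As an added illustration (not code from the thread, from Cisco, or from the answerer), a small Python model of the decision the accepted answer describes: a packet from the Internet that Site A un-NATs toward 10.1.0.1 still carries its Internet source address, so it never matches the LAN-to-LAN crypto ACL, while a static NAT on Site B's own firewall delivers it without involving the VPN. The public IPs and the Internet source are constructed placeholders, and the Site B LAN uses the /16 given in the question.

```python
from ipaddress import ip_address, ip_network

# Networks from the thread. Site B's inside is 10.1.0.1/16 in the question
# (the answer quotes /24); the outcome below is the same either way.
SITE_A_LAN = ip_network("192.168.1.0/24")
SITE_B_LAN = ip_network("10.1.0.0/16")
# Constructed placeholder addresses; the thread gives no public IPs.
SITE_A_PUBLIC = "198.51.100.10"
SITE_B_PUBLIC = "203.0.113.10"
INTERNET_USER = "192.0.2.55"

# Crypto-map ACL ("interesting traffic"): only LAN-to-LAN flows enter the tunnel.
CRYPTO_ACL = [(SITE_A_LAN, SITE_B_LAN), (SITE_B_LAN, SITE_A_LAN)]


def tunnel_selects(src, dst):
    """True if the crypto ACL would send the flow src->dst into the IPsec tunnel."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in sn and d in dn for sn, dn in CRYPTO_ACL)


def inbound_decision(local_lan, src, dst, static_nat):
    """What a site's firewall does with a packet src->dst arriving on its
    outside interface. static_nat maps a published public IP to an inside host."""
    real = static_nat.get(dst)
    if real is None:
        return "drop: no translation"
    if ip_address(real) in local_lan:
        return f"deliver {real}"          # host is on this site's own LAN
    # Translated target is at the other site: it would need the VPN, but the
    # un-NATed flow still carries the Internet source address.
    if tunnel_selects(src, real):
        return f"vpn {src}->{real}"
    return "drop: not in crypto ACL"


def asker_idea():
    """Publish the Site B host 10.1.0.1 through Site A's public IP."""
    return inbound_decision(SITE_A_LAN, INTERNET_USER, SITE_A_PUBLIC,
                            {SITE_A_PUBLIC: "10.1.0.1"})


def accepted_answer():
    """Static NAT on Site B's own firewall; the VPN is not involved."""
    return inbound_decision(SITE_B_LAN, INTERNET_USER, SITE_B_PUBLIC,
                            {SITE_B_PUBLIC: "10.1.0.1"})

if __name__ == "__main__":
    print("asker's idea :", asker_idea())       # drop: not in crypto ACL
    print("accepted fix :", accepted_answer())  # deliver 10.1.0.1
    print("LAN-to-LAN   :", tunnel_selects("192.168.1.50", "10.1.0.1"))  # True
```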
