Hi guys, I have an issue here; hopefully you can point me in the right direction.
We have a router (dmz_int 172.x.x.4) on our DMZ network that has a VPN to a remote site. On that remote site is a system (int_172.17.x.x) we access using telnet, port 23.
Currently our clients connect via a MS firewall client redirecting that telnet traffic to our ISA server (internal_int 192.168.x.x, dmz_int 172.x.x.10), which then routes traffic for 172.17.x.x to the dmz router.
I would like to decommission our ISA server and handle this via our default gateway ASA 5510 (internal_int 192.168.x.x, dmz_int 172.x.x.1, external_int 116.x.x.x).
I need to route the traffic hitting its internal interface heading for 172.17.x.x to 172.x.x.4.
I am not sure if I can understand the whole topology of the network completely but the first thing that came to my mind is naturally the fact that you are probably using a L2L VPN that connects 2 different sites. Is the source address visible to the VPN router the same or from the same network in both cases?
I mean it might be that with the different setup the connections are coming to the VPN router with a wrong source address that doesn't match the VPN rules and therefore ends in SYN Timeout.
Yes, this could be the problem I think. Could I NAT the connections hitting the internal interface of the ASA to appear as if they are coming from the old external interface of the ISA server (172.x.x.10), sending them out of the dmz interface 172.x.x.1 and still route them to the next hop 172.x.x.4?
I wouldn't suggest that. You can't have the same IP address used on 2 different devices at the same time. You would start facing problems with traffic forwarding.
As you said, I guess you don't have access to the router that does the VPN, so we can't really confirm what the VPN settings are.
Usually though I would imagine that whole networks/subnets are defined as the source address for a L2L VPN connection. So you might be able to NAT to some free IP address on that same network and see if the connections go through.
Naturally this isn't the best approach. It would be better to have the exact information about your network setup and naturally the VPN configurations also to be able to tell what is required for the connections to work.
When the packet arrives at the internal_int of the ASA, does NAT occur first? Then, as the Adelaide_RFS destination obj matches the 172.17.x.x route statement, would the packet be passed to 172.x.x.4 by the dmz_int?
Are you doing Static Policy NAT for a single host with the above configuration?
Or would you be doing Dynamic Policy NAT for several hosts on the "inside" network?
Normally the format for Dynamic Policy PAT/NAT would be:
nat (inside,dmz) source dynamic
In either case I think the NAT configuration will decide the interface to which the traffic is to be forwarded. With the "packet-tracer" command you will first see a "UN-NAT" Phase which basically states what interface is chosen towards the destination network.
Though again, I am not sure if the above would work in your setup. I mean there is no problem with the configuration format. There might still be some other NAT configurations on your device that might override this unless you enter this NAT command in the right place.
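To make the reply above concrete, here is a constructed ASA 8.3+ configuration in the shape it describes (Twice NAT to a spare DMZ address, a static route to the DMZ VPN router, and a packet-tracer check); it is an added illustration, not configuration from this thread or from any real device. The addresses stand in for the thread's masked x.x values, and the object names, the spare DMZ address 172.16.1.20 and the route metric are assumptions.

```cisco
! Constructed addresses standing in for the thread's masked x.x values
object network INSIDE_CLIENTS
 subnet 192.168.1.0 255.255.255.0
 description Inside hosts that need telnet to the remote site

object network REMOTE_SITE
 subnet 172.17.0.0 255.255.0.0
 description Remote network reached through the DMZ VPN router

object network DMZ_NAT_ADDR
 host 172.16.1.20
 description Free address on the DMZ subnet, not the ISA's 172.x.x.10

! Twice NAT (manual NAT): inside hosts going to the remote site leave the
! dmz interface with the spare DMZ address as source. The destination is
! an identity mapping so only this flow is rewritten; other inside traffic
! keeps whatever NAT it already has.
nat (inside,dmz) source dynamic INSIDE_CLIENTS DMZ_NAT_ADDR destination static REMOTE_SITE REMOTE_SITE

! Next hop for the remote site is the DMZ VPN router
route dmz 172.17.0.0 255.255.0.0 172.16.1.4 1

! Verify rule order (an earlier rule in section 1 can still win)
show nat

! Verify the flow: the UN-NAT phase should select dmz and the trace
! should end with an ALLOW result before any telnet test is attempted
packet-tracer input inside tcp 192.168.1.50 40000 172.17.5.10 23 detailed
```

The VPN router on the far side still has to list the spare DMZ address (or its subnet) in its crypto ACL, which only the router's configuration can confirm.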