
New Member

Forwarding packets to a remote site through ASA 5510

Hi

I have an ASA 5510 (software version 8.2) working as a site-to-site VPN endpoint in datacenter 1. I have a server in datacenter 2.

I would like the ASA to forward packets to the server in datacenter 2 transparently, so that the clients are unaware of datacenter 2.

So it is:

Clients ---------vpn------> datacenter 1, ASA 5510, public ip 111.111.111.11 ----------> datacenter 2, Server ip 222.222.222.222

I have tried to resolve it with NAT on ASA as follows:

static (WAN,WAN) 111.111.111.111 222.222.222.222 netmask 255.255.255.255

But clients connecting to 111.111.111.111 are not reaching the server at 222.222.222.222 .

The packets get blocked with the following error:

%ASA-3-106014: Deny inbound icmp src WAN:222.222.222.222 dst WAN:111.111.111.111 (type 8, code 0)

I think the problem has to do with the ASA not translating packets on the same interface. The firewall allows ICMP from any address.

Is there any other way to achieve packet forwarding through ASA to the remote server?

Thanks

6 REPLIES
Super Bronze

Forwarding packets to a remote site through ASA 5510

Hi,

I am wondering if you mean that you want traffic to come from the Internet to DC1 towards the public IP address 111.111.111.111, and these connections would be forwarded to the DC2 server 222.222.222.22 through a L2L VPN connection between DC1 and DC2?

Or would the connections simply go straight back out to the Internet from DC1 (towards DC2)?

Though I have to say that I have never resorted to such a thing. I have only tested connections to a web server through a site which connects to the web server site through a L2L VPN. But I have not done it in a real environment.

- Jouni

New Member

Forwarding packets to a remote site through ASA 5510

Hi Jouni

Yes, ideally I would like to set up another VPN between DC1 and DC2, so as you said:

I want traffic to come from the Internet to DC1 towards the public IP address 111.111.111.111, and these connections would be forwarded to the DC2 server 222.222.222.22 through a L2L VPN connection between DC1 and DC2.

How do I achieve such forwarding on the ASA, if not with NAT?

Thanks

Re: Forwarding packets to a remote site through ASA 5510

Actually, I haven't done such things on 8.2, but try this:

1. Change nat from this:

static (WAN,WAN) 111.111.111.111 222.222.222.222 netmask 255.255.255.255

to this

static (WAN,WAN) 222.222.222.222 111.111.111.111 netmask 255.255.255.255

2. Make sure that there's a permit statement on the ACL of the outside interface for traffic with a destination of 222.222.222.222. So there should be something like this:

access-list OUTSIDE_IN extended permit ip any host 222.222.222.222

3. Check that same-security-traffic permit intra-interface is present in the config;

4. Check that traffic from any to 222.222.222.222 is included in the crypto ACL.

Super Bronze

Forwarding packets to a remote site through ASA 5510

Hi,

Ok, so the first thing you have to think about is the encryption domain of the existing L2L VPN. Since your aim is to publish a web server from another site through a L2L VPN connection, you have to consider what the source addresses for the web server connections can be.

It might be that you would need to have the source address for the L2L VPN in DC1 as "any", and naturally on DC2 the destination would be "any".

Though in that case it would probably cause problems if the web server needs to use the DC2 Internet connection for something. This is because we would now have defined that traffic from the web server to "any" destination IP address should be tunneled into the L2L VPN.

One other option might be to configure the DC1 site so that all incoming traffic from the Internet towards 111.111.111.111 has its source address translated to a single IP address (to be decided) before entering the L2L VPN. This would eliminate the need to use "any" in the L2L VPN configuration, because the web server would see all connections come from a single IP address, and it therefore would not cause problems for the DC2 web server IF it needs to access or be accessed through the local DC2 Internet connection.

Judging by your examples, it would seem that you are using 8.2 or older software. Would you be willing to share some of the current configuration (with masked public IP addresses), or should I just give you some example configurations?

The most important ones would naturally be the current NAT configuration and the configuration related to the L2L VPN connection.

- Jouni

New Member

Forwarding packets to a remote site through ASA 5510

Hello

Thanks for the answers!

The statement

same-security-traffic permit intra-interface

helped. It allowed the packets to be forwarded to the DC2 via ASA.

The NAT statement I wrote worked fine after it.

This is without the VPN between the ASA and DC2. I'm going to introduce the VPN next.

The problem I'm facing now is that although packets forwarded from the clients reach the web server in DC2, the replies from the web server go back to the clients directly, i.e. they are not routed back via the ASA.

Jouni, I think that source NAT will have to be added on top of it to resolve this problem, so that the source address is translated to the IP of the ASA before it reaches the web server.

If you have a config that achieves both the destination and source NAT at the same time, that would be helpful.

Alternatively, I was thinking of setting up some iptables NAT on the web server so that the packets' destination address gets translated to the ASA IP and the traffic goes back to the ASA rather than to the clients directly. Not sure if it would be translated again by the ASA in the end.

Yes, I use ASA software 8.2.

Thanks!

Super Bronze

Forwarding packets to a remote site through ASA 5510

Hi,

Without testing this I am not sure if it will work, but I was thinking a dynamic policy PAT might work:

access-list DC1-TO-DC2-POLICYNAT remark Source Address NAT

access-list DC1-TO-DC2-POLICYNAT permit ip any host 111.111.111.111

nat (outside) 200 access-list DC1-TO-DC2-POLICYNAT

global (outside) 200 interface

- Jouni
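The asymmetric-return problem raised in the thread (replies from the DC2 server bypass the ASA when only the destination static is in place) can be modelled in a few lines. This is an added Python illustration, not the thread's or Cisco's code; it uses constructed RFC 5737 documentation addresses and a minimal model of the 8.2-style static destination NAT plus the dynamic policy PAT suggested above, where the PAT hides clients behind the ASA interface address.

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not the thread's real IPs.
CLIENT = "198.51.100.10"     # Internet client
ASA_IF = "203.0.113.1"       # ASA WAN interface address ("global ... interface")
PUBLIC = "203.0.113.11"      # published address (mapped side of the static)
SERVER = "192.0.2.22"        # real web server in DC2

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str

class Asa:
    """Model of a same-interface hairpin: a static destination NAT plus an
    optional dynamic policy PAT that hides clients behind the interface address."""
    def __init__(self, source_pat: bool):
        self.static = {PUBLIC: SERVER}          # mapped -> real
        self.source_pat = source_pat
        self.xlate = {}                          # (pat_src, server) -> original client

    def inbound(self, p: Pkt) -> Pkt:
        real = self.static[p.dst]                # destination NAT: public -> server
        src = p.src
        if self.source_pat:                      # policy PAT: client -> ASA interface
            self.xlate[(ASA_IF, real)] = p.src
            src = ASA_IF
        return Pkt(src, real)

    def reply(self, p: Pkt) -> Pkt:
        client = self.xlate[(p.dst, p.src)]      # undo the PAT via the xlate entry
        return Pkt(PUBLIC, client)               # undo destination NAT on the way out

def simulate(source_pat: bool) -> dict:
    asa = Asa(source_pat)
    to_server = asa.inbound(Pkt(CLIENT, PUBLIC))
    reply = Pkt(to_server.dst, to_server.src)    # server answers whoever it saw
    # The server's default route sends the reply straight to reply.dst; the ASA
    # only sees it again if reply.dst is the ASA's own address.
    via_asa = reply.dst == ASA_IF
    at_client = asa.reply(reply) if via_asa else reply
    return {"server_saw": to_server.src,
            "reply_via_asa": via_asa,
            # the client connected to PUBLIC; a reply from any other source
            # address does not match its socket and is discarded
            "reply_matches": at_client.src == PUBLIC and at_client.dst == CLIENT}

if __name__ == "__main__":
    for pat in (False, True):
        print("source PAT" if pat else "destination NAT only", simulate(pat))
```

The trade-off the thread discusses is visible in `server_saw`: with the PAT the web server logs only the ASA interface address, which is what keeps the L2L encryption domain narrow but hides the real client addresses.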
