Need help in source and destination translation

laimeitak
Level 1

Dear all,

I have some complicated source and destination translation that I need to do on an ASA firewall, version 8.2.1. Below are the details:

Site A 192.168.1.0/24 firewall--------------Site B 192.168.2.0/24 ASA------------Site C 192.168.3.0/24 firewall  or Site D public internet

Site A and B are connected by IPsec VPN, and B and C are connected by IPsec VPN.

What I want to achieve is to allow Site A servers to access the FTP server in Site C and in Site D without making changes to Site A's firewall, since those firewalls belong to other partners and it takes a very, very long time for them to respond to any change request. Site B is our company's firewall and we can make any changes on it.

My best idea is this: to access the FTP server in Site C from Site A, clients will FTP to a virtual address in Site B, e.g. 192.168.2.222;

1) Site B's firewall then translates the FTP packet's source to a Site B address, e.g. 192.168.2.111;

2) and translates the packet's destination from 192.168.2.222 to 192.168.3.121 (the FTP server).

Access to Site D follows the same logic, except that Site B to Site D is a normal Internet connection.

So far I can do 1), the source translation, but I can't do 2). Does anyone have ideas for that?

Andrew

2 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

I am assuming that you are U-turning the traffic on the ASA, i.e. when the traffic from Site A hits your firewall, you send it through another tunnel on the same firewall. With that, you could try the configuration below:

access-list FTP_Server permit ip host 192.168.3.121 192.168.1.0 255.255.255.0
static (outside,outside) 192.168.2.222 access-list FTP_Server
same-security-traffic permit intra-interface

This will translate 192.168.3.121 to 192.168.2.222 when going to Site A. You need to make sure that you modify your crypto ACLs accordingly to accommodate connections from Site A to 192.168.2.222 and from your site to Site C.

Hope this helps.

Regards,

NT

Dear NT,

I have entered the three commands but still can't get it to work. What do you mean by "modify your crypto ACLs accordingly to accommodate connections from Site A to 192.168.2.222 and from your site to Site C"? All three sites have the full subnets set in the VPN settings and in the ACLs, and I am accessing 192.168.2.222, which is part of the Site B subnet, so I don't know what to modify.

I also need Site A to access Site D, which is an Internet FTP server, and this task is more urgent for me. It seems more complicated, since I have to do dynamic source translation of the Site A subnet to the Site B ASA's outside interface.

Before posting this thread I actually searched a lot on the Internet and found some suggestions, from the Internet and also from Cisco docs, but I still can't get it to work. I have attached the notes I've written down.

Thank you very much.

Andrew
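As an added example, not configuration posted by either participant in this thread, here is one way the Site A to Site D hairpin asked about above could be written in ASA 8.2 syntax, following the same pattern as the reply above (a policy static NAT for the destination plus a dynamic rule for the source). The addresses 203.0.113.10 (the Internet FTP server at Site D) and 192.168.2.223 (the virtual address Site A hosts would connect to) and the access-list name FTP_SITE_D are placeholders chosen for the example.

```text
! Added example, not from the thread. ASA 8.2 syntax. Placeholders:
!   203.0.113.10  = Internet FTP server at Site D (assumed)
!   192.168.2.223 = virtual address in Site B's subnet that Site A hosts connect to (assumed)
!   FTP_SITE_D    = assumed access-list name

! Allow a flow to enter and leave the same interface (the VPN hairpin).
same-security-traffic permit intra-interface

! Destination translation: toward Site A's subnet only, present the Internet
! FTP server as 192.168.2.223 (policy static NAT: real address first, then the
! remote network the mapping applies to).
access-list FTP_SITE_D extended permit ip host 203.0.113.10 192.168.1.0 255.255.255.0
static (outside,outside) 192.168.2.223 access-list FTP_SITE_D

! Source translation: Site A hosts leaving toward the Internet through the
! outside interface are PATed to the outside interface address.
nat (outside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Verification after a test connection from a Site A host.
show xlate
show nat
show conn port 21
```

Three points to check before trusting this. First, the nat (outside) rule matches on source only, so it also catches Site A traffic to any other destination leaving the outside interface, Site C included; confirm with show nat which rule a given flow hits, and scope the rule if the Site C hairpin must keep a different translated source. Second, the ASA applies NAT before matching the crypto map on egress, so on the Site B side the Site A tunnel sees 192.168.1.0/24 talking to 192.168.2.223, which a crypto ACL covering the whole 192.168.2.0/24 subnet already permits. Third, FTP carries addresses inside the control channel (PORT and PASV), so the translated control connection only works for data transfers if FTP inspection is active; inspect ftp is part of the ASA's default global policy, and show conn port 21 after a test login is the quickest way to see whether the control connection is being built and the data connection follows.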
