I have some complicated source and destination translation that I need to do on an ASA firewall, version 8.2.1. The details are below:
Site A 192.168.1.0/24 firewall -------------- Site B 192.168.2.0/24 ASA ------------ Site C 192.168.3.0/24 firewall or Site D public internet
Site A and B are IPSEC VPN connected, B and C are IPSEC VPN connected.
What I want to achieve is to allow Site A servers to access the FTP server in Site C and Site D without making changes to Site A's firewall, since those firewalls belong to other partners and it takes a very, very long time for them to respond to any changes. Site B is our company's firewall and we can make any changes on it.
My optimum thinking is: to access the FTP server in Site C from Site A, it will FTP to a virtual address in Site B, e.g. 192.168.2.222,
1) then Site B's firewall will translate the FTP packet's source to Site B's address, e.g. 192.168.2.111,
2) and translate the packet's destination from 192.168.2.222 to 192.168.3.121 (FTP server).
Access to Site D is the same logic, except Site B to Site D is a normal internet connection.
So far I can do 1), the source translation, but can't do 2). Does anyone have ideas for that?
Re: Need help in source and destination translation
I have input the three commands but still can't get it to work. What do you mean by "modify your Crypto ACL's accordingly to accommodate connections from Site A to 192.168.2.222 and from your site to Site C"? All three sites have the full subnet set in the VPN's settings and also in the ACL list, and I am accessing 192.168.2.222, which is part of the Site B subnet, so I don't know what to modify.
I also need to have Site A access Site D, which is an internet FTP server, and this task is more urgent to me. It seems more complicated, since I have to do dynamic source translation for the Site A subnet to the Site B ASA firewall's outside interface.
Before I posted this thread, I had actually searched a lot on the internet and found some suggestions there and also in the Cisco docs, but I still can't get it to work. I have attached the notes I've marked down.