Hi folks, hoping someone out there can point out why I am having a few difficulties on my network.
We have 2 separate internet connections protected by ASA Firewalls, one in our main datacenter and another in our DR datacenter. I have drawn a very simplistic diagram at http://postimg.org/image/qcmrulnrx/ please take a look.
I have a problem when I try to translate one of our public IP addresses being routed to our site B firewall. Say I have a website on server A, internal address 192.168.12.51.
I want to make it publicly available via one of the IPs currently routed to our DR firewall, so I create a rule to Xlate from 118.220.X.X to 192.168.12.51.
However when I try to initiate a connection from an external machine - say 68.232.X.X - and examine the traffic using ASDM, I can see the built inbound TCP connection from the public IP to the internal IP is OK. But when I then filter based on the internal IP of the server I can see the SYN timeout error:
Teardown TCP connection 20738497 for outside:68.232.X.X/40717 to inside:192.168.12.51/80 duration 0:00:30 bytes 0 SYN Timeout
When I change the Public IP to one being routed to Firewall A, it works with no issues.
A couple of important points, which could be affecting this (perhaps there is a circular routing issue here?):
The Catalyst 3750 has a default route to pass any traffic that it doesn't have a routing table entry for to the firewall in site A.
Server A's default gateway is the VLAN12 interface on the Catalyst 3750.
The Catalyst 3650 (site B) has some static routes in there to route the 118.220.X.X/29 network to Firewall B (184.108.40.206).
If your server at Site A has its default route towards the Site A firewall and you are trying to NAT the server to a Site B public IP address, this is what will happen:
A user on the Internet connects to the Site B public IP address of the Site A server.
The TCP SYN arrives at the server at Site A.
The Site A server replies with a TCP SYN ACK but sends this through the Site A local firewall.
The Site A firewall blocks the TCP SYN ACK with a message "Deny (no connection)" or something to that direction.
In other words the server can't negotiate the TCP connection up since there is asymmetric routing. To use the Site B public IP address for the Site A server you would probably have to configure some kind of Policy Based Routing on the Site A LAN router to forward the server's traffic to Site B while the rest of the server network at Site A uses its normal Site A default gateway.
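As an added illustration of the Policy Based Routing workaround described in the answer above (this is constructed example configuration, not something posted in the thread): on the Site A Catalyst 3750, traffic sourced from server A is steered toward Site B, while its traffic to internal networks and everything from other hosts keeps the normal default route. The next hop 10.255.0.2 is an assumed placeholder for the Site A-facing address of the link toward Site B (or Firewall B's inside interface), and 192.168.0.0/16 is assumed to cover all internal networks; both must be replaced with the real values from the diagram.

```cisco
! Constructed PBR example for the Site A Catalyst 3750 (not from the thread).
! PBR on the 3750 needs the routing SDM template and a feature set that
! supports PBR; changing the template requires a reload.
sdm prefer routing
!
! Match only traffic FROM server A that is NOT destined for internal networks.
! A "deny" here means "do not policy-route", i.e. fall back to the routing table,
! so replies to other internal hosts still follow the normal path.
ip access-list extended SERVER-A-VIA-SITEB
 remark 192.168.0.0/16 is an assumed summary of all internal networks
 deny   ip host 192.168.12.51 192.168.0.0 0.0.255.255
 permit ip host 192.168.12.51 any
!
! Send the matching (Internet-bound) traffic toward Site B so the SYN ACK leaves
! through Firewall B, which holds the 118.220.X.X translation and the connection state.
route-map SERVER-A-VIA-SITEB permit 10
 match ip address SERVER-A-VIA-SITEB
 set ip next-hop 10.255.0.2
!
! Apply the policy on the SVI that is server A's default gateway (VLAN12).
interface Vlan12
 ip policy route-map SERVER-A-VIA-SITEB
```

After applying it, "show route-map SERVER-A-VIA-SITEB" should show the policy-routing counters increasing when the server is reached via the Site B public IP, and the ASDM log should show the connection being torn down with a normal FIN or reset rather than a SYN Timeout.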