An unusual but very interesting question on accessing Internet after passing through 2 Firewalls for the DR site. Please find enclosed the diagram depicting the network.
Both firewalls on Main site and DR site are connected via a Site-to-Site VPN.
The Main site has Internet access. The DR site needs Internet access through the Main site. The Branch VLAN interface of the Main site ASA 5540 connects to the DMZ interface of the ASA 5530 in the DR site (since there were few interfaces available, I had to use a VLAN interface).
The Site-to-Site VPN tunnel is brought up whenever inside network of one site tries to reach inside network of other site. Though the Service provider provides a VPN, we still rely on our own VPN.
All inside networks of main site are PAT'ed to the outside interface IP for Internet access.
Now, can you please help me know the configuration checklist for DR access to Internet? I have added a few. If there is anything further required, please let me know.
A. DR site
1. Add Internet traffic (Source: 10.50.1.0 / 24, Destination: any) to the interesting traffic definition to bring up the VPN tunnel
2. Add a default route on DR site ASA to point to the MPLS IP of Service Provider.
3. Do a nonat for all Internet traffic on the ASA (nat 0 10.50.1.0 255.255.255.0 any)
4. Configure an access list and apply it on the inside direction of the DMZ interface. The access list is to allow all traffic from any (Internet) to 10.50.1.0 (inside network)
B. Main site
1. Configure access list (Permit ip 10.50.1.0 255.255.255.0 any) and associate it with Branches VLAN interface (inside direction)
2. Add a translation for the DR site: nat (BRANCHES) 1 10.50.1.0 255.255.255.0 and use an associated global statement
I would also like to know if there is any way to keep the IPSec VPN tunnel up and running all the time?
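The checklist above rendered as ASA configuration, as an added example that is not part of the original post: it assumes pre-8.3 nat/global syntax, interface names inside/DMZ on the DR ASA and BRANCHES/outside on the main ASA, a placeholder MPLS next hop, and that the rest of the crypto map (peer, transform set) already exists.

```text
! ---- DR site ASA 5530 (assumed pre-8.3 NAT syntax) ----
! A1: interesting traffic that brings up the tunnel now includes Internet-bound flows
access-list VPN_DR_TO_MAIN extended permit ip 10.50.1.0 255.255.255.0 any
crypto map VPNMAP 10 match address VPN_DR_TO_MAIN
! A3: "nat 0" takes an access-list; 10.50.1.0/24 enters the tunnel untranslated
access-list NONAT extended permit ip 10.50.1.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
! A2: default route towards the service provider (next-hop value is a placeholder)
route DMZ 0.0.0.0 0.0.0.0 <MPLS_NEXT_HOP_IP>
! A4: return traffic for sessions started from 10.50.1.0/24 is already allowed by the
! connection table, so an inbound "permit ip any 10.50.1.0 255.255.255.0" on DMZ is
! wider than needed; only services the DR site must expose need explicit permits.

! ---- Main site ASA 5540 ----
! the crypto ACL must mirror the DR side, or Internet return traffic is not encrypted back
access-list VPN_MAIN_TO_DR extended permit ip any 10.50.1.0 255.255.255.0
crypto map VPNMAP 10 match address VPN_MAIN_TO_DR
! B1: permit the DR subnet in on the BRANCHES VLAN interface
access-list BRANCHES_IN extended permit ip 10.50.1.0 255.255.255.0 any
access-group BRANCHES_IN in interface BRANCHES
! B2: DR subnet arriving on BRANCHES is PAT'ed to the outside interface address
nat (BRANCHES) 1 10.50.1.0 255.255.255.0
global (outside) 1 interface
```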