208 Views | 0 Helpful | 1 Replies

Accessing Internet from DR site through main site

gautamzone
Level 1

Hi friends,

An unusual but very interesting question on accessing Internet after passing through 2 Firewalls for the DR site. Please find enclosed the diagram depicting the network.

Both firewalls on Main site and DR site are connected via a Site-to-Site VPN.

The Main site has Internet access. The DR site needs Internet access through the Main site. The Branch VLAN interface of Main site ASA 5540 connects to the DMZ interface of the ASA 5530 in DR site (Since there were few interfaces available, I had to use VLAN interface).

The Site-to-Site VPN tunnel is brought up whenever inside network of one site tries to reach inside network of other site. Though the Service provider provides a VPN, we still rely on our own VPN.

All inside networks of main site are PAT'ed to the outside interface IP for Internet access.

Now, can you please help me know the configuration checklist for DR access to Internet? I have added a few. If there is anything further required, please let me know.

A. DR site

1. Add Internet traffic (Source: 10.50.1.0/24, Destination: any) to the interesting traffic definition to bring up the VPN tunnel

2. Add a default route on DR site ASA to point to the MPLS IP of Service Provider.

3. Do a nonat for all Internet traffic on the ASA (nat 0 10.50.1.0 255.255.255.0 any)

4. Configure an access list and apply it in the inside direction of the DMZ interface. The access list is to allow all traffic from any (Internet) to 10.50.1.0 (inside network)

B. Main site

1. Configure an access list (permit ip 10.50.1.0 255.255.255.0 any) and associate it with the Branches VLAN interface (inside direction)

2. Add a translation for the DR site: nat (BRANCHES) 1 10.50.1.0 255.255.255.0 and use an associated global statement

I would also like to know if there is any way to keep the IPSec VPN tunnel up and running all the time?

Thanks a lot

Gautam
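The checklist above, assembled into one configuration for both firewalls, as an added example that is not part of the original post or of any reply. It uses the pre-8.3 `nat`/`global` syntax the post itself uses, the interface names from the post (inside, DMZ on the DR ASA, BRANCHES on the main ASA), and names and addresses chosen here as assumptions: the ACL, transform-set, crypto-map and group-policy names, the 192.0.2.x / 198.51.100.x placeholder addresses for the MPLS next hop and the two tunnel endpoints, a placeholder pre-shared key, and 10.10.1.0/24 as the main site's inside network (the post does not give it). The ISAKMP policy and `crypto isakmp enable` lines are omitted because the post says the tunnel already exists.

```cisco
! ===== DR site ASA 5530 (pre-8.3 NAT syntax, as in the post) =====
! Step A.1: interesting traffic. Everything from the DR inside network,
! Internet-bound traffic included, is sent into the tunnel.
access-list VPN-TO-MAIN extended permit ip 10.50.1.0 255.255.255.0 any
!
! Step A.3: NAT exemption for the same traffic so it enters the tunnel untranslated.
access-list NONAT extended permit ip 10.50.1.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
!
! Step A.2: default route towards the provider next hop on the tunnel-facing
! interface. 192.0.2.1 is a placeholder for the MPLS next-hop address.
route DMZ 0.0.0.0 0.0.0.0 192.0.2.1
!
! Step A.4 as written in the post. Note: with the ASA default
! "sysopt connection permit-vpn", decrypted tunnel traffic bypasses this ACL.
access-list DMZ-IN extended permit ip any 10.50.1.0 255.255.255.0
access-group DMZ-IN in interface DMZ
!
! Site-to-site tunnel terminating on the DMZ interface.
! 198.51.100.10 is a placeholder for the main ASA's Branches VLAN address.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 match address VPN-TO-MAIN
crypto map VPNMAP 10 set peer 198.51.100.10
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP interface DMZ
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key CHANGE-ME-placeholder
!
! Stops an established tunnel from being torn down for inactivity.
! It does not initiate the tunnel; interesting traffic still has to appear.
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none

! ===== Main site ASA 5540 =====
! Mirror image of the DR crypto ACL: both peers must propose the same identities.
access-list VPN-TO-DR extended permit ip any 10.50.1.0 255.255.255.0
!
! Main-site inside hosts reach the DR network untranslated.
! 10.10.1.0/24 is an assumed main-site inside network, not taken from the post.
access-list NONAT extended permit ip 10.10.1.0 255.255.255.0 10.50.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Step B.2: PAT the DR network to the outside interface address on its way out.
nat (BRANCHES) 1 10.50.1.0 255.255.255.0
global (outside) 1 interface
!
! Tunnel terminating on the Branches VLAN interface.
! 192.0.2.10 is a placeholder for the DR ASA's DMZ address.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 20 match address VPN-TO-DR
crypto map VPNMAP 20 set peer 192.0.2.10
crypto map VPNMAP 20 set transform-set ESP-AES-SHA
crypto map VPNMAP interface BRANCHES
!
! Step B.1 reworked: an interface ACL on BRANCHES is bypassed for tunnel traffic
! (sysopt connection permit-vpn), so the restriction goes into a vpn-filter on
! the tunnel's group policy instead. vpn-filter ACLs are written with the
! remote (DR) network as the source.
access-list DR-VPN-FILTER extended permit ip 10.50.1.0 255.255.255.0 any
group-policy DR-L2L internal
group-policy DR-L2L attributes
 vpn-filter value DR-VPN-FILTER
 vpn-idle-timeout none
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 general-attributes
 default-group-policy DR-L2L
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key CHANGE-ME-placeholder
```

Two points from the checklist are worth checking before relying on them. Steps A.4 and B.1 are interface ACLs, and the ASA ships with `sysopt connection permit-vpn` enabled, so traffic that arrives through the tunnel is not evaluated against them; if the intent is to limit what the DR hosts can reach once they are inside the tunnel, a `vpn-filter` on the tunnel's group policy is the place that is actually enforced. On the last question in the post, `vpn-idle-timeout none` keeps an idle tunnel from being torn down, but nothing in this configuration brings the tunnel up on its own: it is still established the first time a packet matches the crypto ACL.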

1 Reply

gautamzone
Level 1

Hi friends,

Sorry if my post was too lengthy. But I just wanted to make sure that I give you the full picture.

Anyway, to make it short, I just wanted to know what the requirements are for a host to access the Internet after passing through 2 firewalls connected via a Site-to-Site VPN.

Thanks a lot

Gautam
