I have a question... I'm pretty sure this isn't even possible, but I thought I'd get more opinions.
We need to do some routing on our WAN. Here is our current setup:
We have 3 locations. Each has a T1 coming into a router that is owned and operated by our ISP. The router is plugged into a Pix 515E and our LANs are behind the firewall. Publicly we have a /27 subnet for each location as well.
I have VPNs created between all 3 firewalls for WAN connectivity.
Now here is a similar senario to what I need to do. At one location we have a webserver. There is an access list on the firewall at that location to allow tcp 80 access to it from any host on the outside. I also want to setup a public address at another location for this web server. Traffic would go to the remote firewall and then be routed over the VPN to the web server and back again. Is this possible?
As I said, this isn't the actual senario. This one doen't make much sense, but the routing problem is the same.
How about giving the actual scenario using more generic terms and situations? What you seek can probably be accomplished, but it will probably require you to use an additional interface (even if only logical) on the firewalls to create a logical full mesh configuration.
Do you have a router behind the firewalls? Is your WAN really just a VPN over the Internet?
We have 2 T1s coming into one location (I'll call it location "one"). One goes to the Internet used for all Internet access and WAN (VPN) traffic. 2nd T1 is a private line going to our ASP (ERP system is outsourced). All ERP application traffic goes over this T1. Other two locations access ERP directly over the Internet (https).
For ERP reports to print automatically, they need to be sent directly to the printers. No problem in location "one". Print jobs are sent over the private line. Problem in the other two locations is print jobs would be sent in clear text over the Internet. We would like the print jobs to come over the private line to location "one" and then route the jobs to the printers in the other two locations.
Here's a bit more information on network setup:
Location "one" has a router for each T1 coming in (both ISP property). The two routers and the firewall's outside interface plug into a switch. ASP traffic is routed on the firewall using a ROUTE command.
We have no routers on the inside of the firewall. Just one subnet per location. Small networks.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...