
Site to site VPN

sfatmi123
Level 1

I've 2 ASDM 5510s connected with an IPsec site-to-site VPN tunnel.

Subnet A and Subnet B.

Subnet A is our main site and Subnet B is our resource site.

Here is our setting:

Subnet A:

Outside interface - default ISP Internet

Inside interface - default local LAN, 192.168.1.102/24

Subnet B:

Outside interface - ISP Internet

Inside interface - local LAN, 10.1.0.1/16

Now I want to redirect traffic that comes over the outside interface (internet) to a specific IP on [subnet A] (192.168.1.102) to an IP on [Subnet B] (10.1.0.1).

Is it possible?

Thanks

Accepted Solution

Hi Bro

This cannot be achieved. I made a mistake by saying yes earlier, unless you were to use the DYNAMIC OUTSIDE NAT method. This method will complicate everything and will mess up your whole Cisco FW configuration. I don't know anyone that has done this before in my life.

The reason why this can't work is because, in the event an outside user were to access the public IP that's mapped statically in the Site A FW to 192.168.1.102, this traffic will then be routed to the Site B FW via the existing site-to-site VPN, which won't work. This is because in your VPN ACL the network addresses specified are only 192.168.1.0/24 and 10.1.0.0/24, and nothing else.

What I would suggest you do is perform a static NAT in the Site B FW and get all Internet users to speak to that public IP address instead. This makes things much easier and simpler.

P.S.: If you think this comment is helpful, please do rate it nicely.

Warm regards,
Ramraj Sivagnanam Sivajanam

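To make the reasoning in the reply concrete, here is an added Python model of the two forwarding decisions; it is not from the original post and is not ASA configuration. The public addresses are constructed RFC 5737 documentation values, and Site B's inside network is taken as the /16 from the original post's interface settings (the reply quotes /24).

```python
from ipaddress import ip_address, ip_network

# Constructed model of the two ASAs in the thread (assumed values, not real config).
# Crypto ACL ("interesting traffic") lists only the two LANs, as the reply says.
CRYPTO_ACL = [(ip_network("192.168.1.0/24"), ip_network("10.1.0.0/16"))]
ASAS = {
    "site_a": {"inside": ip_network("192.168.1.0/24"),
               "static_nat": {"198.51.100.10": "192.168.1.102"}},
    "site_b": {"inside": ip_network("10.1.0.0/16"),
               "static_nat": {"198.51.100.20": "10.1.0.1"}},
}
INTERNET_CLIENT = "203.0.113.5"   # constructed documentation-range address


def matches_crypto_acl(src: str, dst: str) -> bool:
    """Would a packet src->dst be selected for the site-to-site tunnel?"""
    s, d = ip_address(src), ip_address(dst)
    return any(s in a and d in b for a, b in CRYPTO_ACL)


def forward(asa: str, src: str, dst: str) -> tuple:
    """Simplified ASA decision: apply inbound static NAT (destination only),
    then pick local delivery, the VPN tunnel, or plain outside routing.
    Returns (egress, src, translated_dst)."""
    cfg = ASAS[asa]
    dst = cfg["static_nat"].get(dst, dst)       # static NAT never rewrites src
    if ip_address(dst) in cfg["inside"]:
        return ("local", src, dst)
    if matches_crypto_acl(src, dst):
        return ("tunnel", src, dst)
    return ("outside", src, dst)                # unencrypted, private dst: undeliverable


def design_redirect_via_site_a() -> str:
    """The question's idea: the Internet client hits Site A's public IP (lands on
    192.168.1.102), then Site A tries to send the same flow on to 10.1.0.1.
    The source is still the Internet client, so the crypto ACL does not match."""
    _, src, _ = forward("site_a", INTERNET_CLIENT, "198.51.100.10")
    egress, _, _ = forward("site_a", src, "10.1.0.1")
    return egress                                # "outside"


def design_static_nat_at_site_b() -> str:
    """The reply's suggestion: publish 10.1.0.1 behind Site B's own public IP,
    so the flow is delivered locally and never needs the tunnel."""
    egress, _, _ = forward("site_b", INTERNET_CLIENT, "198.51.100.20")
    return egress                                # "local"
```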
