I have a tunnel between our office and colocation facility. All external http/s traffic enters the firewall in our office. I need to redirect http traffic entering the outside of the office ASA to the webserver located in the colo over the existing tunnel. Any help is appreciated. I am running 8.2(2) code.
So you want to host a Web server running at a remote location through the main site using an existing L2L VPN connection?
I would imagine the first thing you need is to configure Static NAT or Static PAT for your remote location's server. You should also confirm that you have the setting that enables Hairpinning / U-turn on the "outside" interface.
The above options would do a Static NAT or Static PAT for the server located behind the L2L VPN connection.
I am not sure whether you are planning to use the "outside" interface IP address with Static PAT (Port Forward) or Static NAT with a public IP address that will be dedicated for this server. You should take into consideration that if you use the ASA interface public IP address then the ASA by default uses the port TCP/443 for SSL VPN and ASDM management.
You would also require a Dynamic Policy PAT configuration. You should PAT all the traffic coming from the Internet to a single IP address before it heads through the L2L VPN so that you won't have to forward all of the server's external traffic through the L2L VPN. The IP address to which you PAT the traffic coming from the Internet could be an IP address configured on the L2L VPN already, for example an unused local IP address from the main site's LAN network that currently uses the L2L VPN.
access-list REMOTE-WEB-POLICYPAT remark Dynamic Policy PAT for remote Web server
access-list REMOTE-WEB-POLICYPAT permit tcp any host eq 80
access-list REMOTE-WEB-POLICYPAT permit tcp any host eq 443
The above NAT configuration would do Dynamic PAT for all the Internet source addresses that were contacting the NAT IP address we previously configured for the remote server.
To my understanding the above are the basic things needed to achieve this. One main thing to remember is that after the source address has been translated (Dynamic Policy PAT) and the destination address has been untranslated (Static NAT or Static PAT), they have to match the current L2L VPN Encryption domain. So make sure the L2L VPN configurations allow this traffic to be tunneled.
Some of this naturally depends on your current setup/configuration, which we don't know.
I created the attached configuration plan based on your config details and some other documentation I pulled from the web.
Can you please take a brief look at my configuration details and see if there is something visibly wrong here?
I added all configurations, and in the end I received the following error:
global address overlaps with mask
Here is a snippet of my ssh session:
ASA# conf t
ASA(config)# same-security-traffic permit intra-interface (Note: Already existed, just placed here for reference)
ASA(config)# access-list COLO2OFFICENAT-1 extended permit ip 192.168.79.0 255.255.255.0 host 126.96.36.199
ASA(config)# access-list COLO2OFFICENAT-2 extended permit ip 192.168.79.0 255.255.255.0 host 188.8.131.52
ASA(config)# static (outside,outside) 184.108.40.206 access-list COLO2OFFICENAT-1
global address overlaps with mask
ASA(config)# static (outside,outside) 220.127.116.11 access-list COLO2OFFICENAT-2
global address overlaps with mask
ASA(config)#
ASA(config)# sh log | inc 18.104.22.168
Mar 25 2014 19:05:45: %ASA-6-302013: Built inbound TCP connection 86533163 for outside:192.168.79.200/54564 (192.168.79.200/54564) to outside:22.214.171.124/443 (126.96.36.199/443)
Mar 25 2014 19:05:54: %ASA-6-302014: Teardown TCP connection 86532834 for outside:192.168.79.200/54551 to outside:188.8.131.52/443 duration 0:00:30 bytes 0 SYN Timeout
Mar 25 2014 19:05:54: %ASA-6-302014: Teardown TCP connection 86532835 for outside:192.168.79.200/54552 to outside:184.108.40.206/443 duration 0:00:30 bytes 0 SYN Timeout
Mar 25 2014 19:06:15: %ASA-6-302014: Teardown TCP connection 86533163 for outside:192.168.79.200/54564 to outside:220.127.116.11/443 duration 0:00:30 bytes 0 SYN Timeout
ASA(config)#
From packet captures, I am able to see traffic arriving at SITE B, from SITE A.
However, the traffic does not get translated to the Global NAT [18.104.22.168] after it arrives, which is required in order to pass to Site C.
Config details from Site B are noted below, if you have any suggestions, your help is much appreciated!
Below is some of the config data from Site B:
ASA Version 8.2(5)
!
Interfaces
----------
interface GigabitEthernet0/0
 description Outside Interface
 duplex full
 nameif outside
 security-level 0
 ip address 22.214.171.124 255.255.255.0
!
interface GigabitEthernet0/1
 description Inside Network (192.168.229.0/24)
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.229.1 255.255.255.0
!
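As an added example (not code from the thread), a small Python checker that parses %ASA-6-302013/302014 syslog lines in the format shown in the session above, pairs each Built/Teardown by connection id, and reports the two conditions the reply stresses: whether the source was actually policy-PATed on the hairpinned outside-to-outside flow, and whether the post-NAT source/destination pair falls inside the L2L encryption domain. The sample log lines, the crypto ACL and all addresses are constructed assumptions, not the poster's values.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the 302013/302014 format; addresses are RFC 5737/1918
# documentation values chosen for this example, not the poster's.
SAMPLE_LOG = """\
Mar 25 2014 19:05:45: %ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/54564 (198.51.100.7/54564) to outside:10.20.0.80/443 (203.0.113.20/443)
Mar 25 2014 19:06:15: %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/54564 to outside:10.20.0.80/443 duration 0:00:30 bytes 0 SYN Timeout
Mar 25 2014 19:07:01: %ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.9/40001 (10.10.0.250/1024) to outside:10.20.0.80/80 (203.0.113.20/80)
Mar 25 2014 19:07:09: %ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.9/40001 to outside:10.20.0.80/80 duration 0:00:08 bytes 5120 TCP FINs
"""

# Assumed L2L encryption domain (crypto ACL) as (office net, colo net) pairs; hypothetical.
CRYPTO_ACL = [(ip_network("10.10.0.0/24"), ip_network("10.20.0.0/24"))]

# 302013: "for ifc:real/port (mapped/port) to ifc:real/port (mapped/port)"
BUILT = re.compile(r"302013: Built inbound TCP connection (\d+) for (\w+):([\d.]+)/\d+ "
                   r"\(([\d.]+)/\d+\) to (\w+):([\d.]+)/\d+ \(([\d.]+)/\d+\)")
TEARDOWN = re.compile(r"302014: Teardown TCP connection (\d+) .* bytes (\d+) (.+)$")

def analyze(log_text):
    """Return {conn_id: [problem, ...]} for every connection with a teardown line."""
    conns, findings = {}, {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            cid, in_if, src_real, src_mapped, out_if, dst_real, dst_mapped = m.groups()
            conns[cid] = dict(in_if=in_if, out_if=out_if,
                              src_real=ip_address(src_real), src_mapped=ip_address(src_mapped),
                              dst_real=ip_address(dst_real))
            continue
        m = TEARDOWN.search(line)
        if not m or m.group(1) not in conns:
            continue
        cid, nbytes, reason = m.group(1), int(m.group(2)), m.group(3)
        c, problems = conns[cid], []
        # Hairpin (same ingress/egress interface) whose source was never translated:
        # the dynamic policy PAT did not fire, so the colo only sees the raw Internet source.
        if c["in_if"] == c["out_if"] and c["src_real"] == c["src_mapped"]:
            problems.append("hairpin flow with untranslated source (policy PAT not applied)")
        # What enters the tunnel is PAT source -> untranslated (real) destination.
        if not any(c["src_mapped"] in a and c["dst_real"] in b for a, b in CRYPTO_ACL):
            problems.append("post-NAT pair is outside the L2L encryption domain")
        if nbytes == 0 and "SYN Timeout" in reason:
            problems.append("server never answered (0 bytes, SYN Timeout)")
        findings[cid] = problems
    return findings
```

Feed it the output of `show logging | include 30201` to spot which hairpinned flows are failing before NAT and which are failing the crypto map.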