L2L ipsec tunnel (with hairpin) config question - inbound external access to host in remote 'spoke'
Hi - L2L IPsec config question:
I have a working L2L IPSec tunnel between two sites "HomeOffice" and "Remote" (identical Cisco 5505 ASAs). Due to security considerations at the Remote site (co-located at a customer facility), *all* non-local traffic at the Remote site is constrained within the L2L tunnel; and any traffic bound for an Internet site is routed back to the "HomeOffice" and then hairpinned to the Internet. (inefficient, but it's a constraint we have to work with)
My question is this: Is it possible to create an Internet-facing SNAT address at HomeOffice that will map to an inside address of a host in the Remote site? Such that I could open (for example) an ssh port that would permit an inbound connection from the HomeOffice ASA all the way through the L2L tunnel to a host in the Remote office.
Currently I have a 'nonat' statement in place such that traffic between HomeOffice and Remote ASAs isn't translated at all; it's not clear from the documentation (or example configs) if I can
- create a SNAT that maps a Remote/inside host (192.168.1.1, say) to a HomeOffice/inside address (10.10.1.1) for the traffic passing through the L2L tunnel and then,
- create a SNAT on the HomeOffice ASA that maps the 10.10.1.1 address to an Internet-facing address (such that I can then bind an ACL permitting inbound SSH traffic).
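One way to express the inbound port-forward described above in ASA 8.3+ NAT syntax, added here as an illustration and not taken from the poster's configuration or from any reply on this thread. It goes one step beyond the two-hop plan in the question: because the translation is done on the HomeOffice ASA, where the Internet-facing address lives, the intermediate 10.10.1.1 mapping is not needed. The object names, the placeholder public address 203.0.113.10 and the external port 2222 are assumptions; 192.168.1.1 is the poster's Remote host.

```cisco
! HomeOffice ASA (assumed 8.3+ NAT syntax). Object names, 203.0.113.10 and port 2222
! are placeholders chosen for this example.

! Traffic arriving on "outside" from the Internet must be allowed to leave via "outside"
! again (into the L2L tunnel), exactly as the existing Internet hairpin for Remote already needs.
same-security-traffic permit intra-interface

object network HOMEOFFICE_LAN
 subnet 10.10.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE_SSH_HOST
 description SSH host on the Remote LAN, reachable only through the L2L tunnel
 host 192.168.1.1
object network REMOTE_SSH_HOST_PUBLIC
 host 203.0.113.10

! The existing identity ("nonat") rule for site-to-site traffic stays first, so LAN-to-LAN
! flows are never translated.
nat (inside,outside) 1 source static HOMEOFFICE_LAN HOMEOFFICE_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! Static port forward: Internet -> 203.0.113.10:2222 is untranslated to 192.168.1.1:22.
! The real interface is "outside" because the Remote host is only reached through the
! tunnel terminating there, so this is an outside-to-outside translation. Only the single
! port is exposed; nothing else on 192.168.1.1 becomes reachable.
object network REMOTE_SSH_HOST
 nat (outside,outside) static REMOTE_SSH_HOST_PUBLIC service tcp 22 2222

! ASA 8.3+ interface ACLs match the real (untranslated) address and port.
access-list OUTSIDE_IN extended permit tcp any object REMOTE_SSH_HOST eq 22
access-group OUTSIDE_IN in interface outside

! Assumption: the HomeOffice crypto ACL already matches "any -> 192.168.1.0/24", which is the
! mirror of the Remote site sending all non-local traffic into the tunnel as described, so the
! hairpinned flow (Internet client -> 192.168.1.1) is selected for encryption without changes.
```

The inbound sessions show up in the HomeOffice ASA's translation and connection tables (show xlate, show conn) with the Internet client as the source and 192.168.1.1:22 as the destination, which is where to look when verifying the rule or auditing who has used the exposed port.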