10-15-2010 03:49 PM - edited 02-21-2020 04:54 PM
Hi - L2L Ipsec config question:
I have a working L2L IPSec tunnel between two sites "HomeOffice" and "Remote" (identical Cisco 5505 ASAs). Due to security considerations at the Remote site (co-located at a customer facility), *all* non-local traffic at the Remote site is constrained within the L2L tunnel; and any traffic bound for an Internet site is routed back to the "HomeOffice" and then hairpinned to the Internet. (inefficient, but it's a constraint we have to work with)
My question is this: Is it possible to create an Internet-facing SNAT address at HomeOffice that will map to an inside address of a host in the Remote site? Such that I could open (for example) an ssh port that would permit an inbound connection from the HomeOffice ASA all the way through the L2L tunnel to a host in the Remote office.
Currently I have a 'nonat' statement in place such that traffic between HomeOffice and Remote ASAs isn't translated at all; it's not clear from the documentation (or example configs) if I can
- create a SNAT that maps a Remote/inside host (192.168.1.1, say) to a HomeOffice/inside address (10.10.1.1) for the traffic passing through the L2L tunnel and then,
- create a SNAT on the HomeOffice ASA that maps the 10.10.1.1 address to an Internet-facing address (such that I can then bind an ACL permitting inbound SSH traffic).
Thoughts? Thanks in advance -
--Neill
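For readers trying to picture the baseline the question describes (NAT exemption between the two sites plus hairpinning of Remote's Internet traffic at HomeOffice), the following is an added illustration in pre-8.3 ASA CLI, not the poster's configuration. The address ranges (10.10.1.0/24 at HomeOffice, 192.168.1.0/24 at Remote), the ACL names and the choice of pre-8.3 syntax are all assumptions; it shows only the part the thread says is working, not the inbound double translation the question asks about.

```cisco
! HomeOffice ASA (assumed pre-8.3 NAT syntax, constructed addresses)
! HomeOffice inside: 10.10.1.0/24   Remote inside: 192.168.1.0/24

! Hairpinning: traffic that arrives decrypted on outside and must leave
! on outside again is dropped unless intra-interface traffic is allowed
same-security-traffic permit intra-interface

! NAT exemption ("nonat"): site-to-site traffic is never translated,
! so the crypto ACL on both ends sees the real inside addresses
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Hairpinned Remote -> Internet traffic enters on outside, so the
! translation to the public interface address is defined on outside
nat (outside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Crypto ACL: anything destined for the Remote subnet goes into the
! tunnel ("permit ip any <remote-subnet>", mirrored on the Remote side
! as "permit ip <remote-subnet> any" so all non-local traffic is tunnelled)
access-list L2L extended permit ip any 192.168.1.0 255.255.255.0
```

The exemption and the crypto ACL must agree: if the nonat ACL is narrower than the crypto ACL, some tunnel-bound traffic gets translated before the crypto map is consulted and silently falls out of the tunnel, which is the first thing to verify when a site-to-site flow stops matching.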
10-15-2010 04:08 PM
It took me a while to get my head around the requirement.
Please let me know if my understanding is right:
- You would like to SSH to your Remote host from the Internet, via the LAN-to-LAN tunnel?
Assuming the above is correct, then I will further assume that your crypto ACL is as follows:
On HomeOffice: permit ip any
On Remote: permit ip
OK, let's assume the above crypto ACL is also correct, then you can possibly configure the following (I am still thinking out loud here, so please correct me if my thought is wrong):
On HomeOffice:
static (outside,outside)
Sorry, just re-thinking again, static (outside,outside) will not work as it's destination NAT, not source NAT.
BTW, double NATing as per your suggestion will not work/not supported.
10-15-2010 04:49 PM
Please let me know if my understanding is right:
- You would like to SSH to your Remote host from the Internet, via the LAN-to-LAN tunnel?
You've got it exactly.
BTW, double NATing as per your suggestion will not work/not supported.
Ah - thanks for clarifying - that was in fact something I couldn't nail down in the documentation.
--Neill
10-15-2010 04:56 PM
Cheers, please kindly mark it as answered if you have no further questions. Thanks.