L2L ipsec tunnel (with hairpin) config question - inbound external access to host in remote 'spoke'

neillcallis
Level 1

Hi - L2L IPsec config question:

I have a working L2L IPsec tunnel between two sites, "HomeOffice" and "Remote" (identical Cisco 5505 ASAs). Due to security considerations at the Remote site (co-located at a customer facility), *all* non-local traffic at the Remote site is constrained within the L2L tunnel, and any traffic bound for an Internet site is routed back to the "HomeOffice" and then hairpinned to the Internet. (Inefficient, but it's a constraint we have to work with.)

My question is this: Is it possible to create an Internet-facing SNAT address at HomeOffice that will map to an inside address of a host in the Remote site? Such that I could open (for example) an SSH port that would permit an inbound connection from the HomeOffice ASA all the way through the L2L tunnel to a host in the Remote office.

Currently I have a 'nonat' statement in place such that traffic between HomeOffice and Remote ASAs isn't translated at all; it's not clear from the documentation (or example configs) if I can

-create a SNAT that maps a Remote/inside host (192.168.1.1, say) to a HomeOffice/inside address (10.10.1.1) for the traffic passing through the L2L tunnel and then,

-create an SNAT on the HomeOffice ASA that maps the 10.10.1.1 address to an internet facing address (such that I can then bind an ACL permitting inbound SSH traffic).

Thoughts?  Thanks in advance -

--Neill
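For readers who want to see what the setup described in the question looks like on the HomeOffice box, the following is an added configuration fragment (not posted in the original thread and not taken from either ASA). It uses pre-8.3 ASA NAT syntax, matching the `static (outside,outside)` form used later in the thread, and assumes HomeOffice inside is 10.10.1.0/24, Remote inside is 192.168.1.0/24, and the Remote peer address is 203.0.113.2; the ACL and crypto map names are placeholders. The crypto map, transform set and tunnel-group lines of the already-working tunnel are not repeated.

```cisco
! Added example, HomeOffice ASA, pre-8.3 syntax. Subnets, peer and names are assumptions.
!
! Hairpinning: traffic that arrives on 'outside' through the tunnel has to be allowed to
! leave through 'outside' again. Without this the ASA drops it.
same-security-traffic permit intra-interface
!
! The 'nonat' exemption the question mentions: HomeOffice <-> Remote traffic is not translated.
! Keep it scoped to the two site subnets rather than 'any'.
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Remote's Internet-bound traffic enters on 'outside' (from the tunnel) and is PATed to the
! outside interface address on its way back out to the Internet.
nat (outside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Crypto ACL, HomeOffice side of "everything non-local from Remote goes through the tunnel".
! Return traffic for the hairpinned flows (Internet -> 192.168.1.0/24 after un-PAT) matches it too.
access-list l2l extended permit ip any 192.168.1.0 255.255.255.0
crypto map outside_map 10 match address l2l
crypto map outside_map 10 set peer 203.0.113.2
!
! Remote ASA mirror of the crypto ACL (shown here for reference, configured on the Remote box):
! access-list l2l extended permit ip 192.168.1.0 255.255.255.0 any
```

Two practitioner notes on this fragment: `same-security-traffic permit intra-interface` is global, so once it is on, any two peers terminating on `outside` (other L2L tunnels, remote-access clients) can also be switched between by the ASA unless an interface ACL or `vpn-filter` restricts them; and the `nat (outside) 1` line is what distinguishes hairpinned Internet traffic from tunnel traffic, which must stay inside the `nonat` exemption so it is not translated on its way to the peer.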

3 Replies

Jennifer Halim
Cisco Employee

It took me a while to get my head around the requirement

Please let me know if my understanding is right:

- You would like to SSH to your Remote host from the Internet, via the LAN-to-LAN tunnel?

Assuming the above is correct, then I will further assume that your crypto ACL is as follows:

On HomeOffice: permit ip any

On Remote: permit ip any

OK, let's assume the above crypto ACL is also correct, then you can possibly configure the following (I am still thinking out loud here, so please correct me if my thought is wrong):

On HomeOffice:

static (outside,outside) <192.168.1.1> netmask 255.255.255.255


Sorry, just re-thinking again, static (outside,outside) will not work as it's destination NAT, not source NAT.

BTW, double NATing as per your suggestion will not work/not supported.

> Please let me know if my understanding is right:
>
> - You would like to SSH to your Remote host from the Internet, via the LAN-to-LAN tunnel?

You've got it exactly.

> BTW, double NATing as per your suggestion will not work/not supported.

Ah - thanks for clarifying - that was in fact something I couldn't nail down in the documentation.

--Neill

Cheers, please kindly mark it as answered if you have no further questions. Thanks.
