We have a situation where an external vendor from an external IP sends print jobs to a printer on our internal network. We have an ACL and NAT rule in place for the existing printers and they work OK.
We have just brought a site up and they connect via ASA5505 over VPN to the corporate ASA5520. This remote site needs one of these printers that the external vendor sends print jobs to. I entered the ACL and NAT entries like the others (that currently work).
On the 5520 when the vendor sends a print job, I see a log that states "routing failed to locate next hop for TCP from outside (external IP of vendor) to inside (printer IP at the 5505 site)".
On the outside interface there is the following permit ACL - Source: (External IP of Vendor) Destination: (Internal IP of Printer on the ASA5505 side) with the ports they need open.
On the inside interface there is the following static NAT - Source: (Internal IP of Printer on the ASA5505 side) Destination: outside interface to our External IP.
I can see the print job hit our ASA5520 but it never makes it to the ASA5505 side.
Hope I explained it well.
I understand that the flow is:
Vendor over Internet
Printer ------ ASA 5505 ======IPsec VPN over Internet ---------------------ASA 5520
Vendor connects to 5520 and it should send traffic over VPN to 5505?
How did you do NAT on 5520 (static (outside,outside)?) Did you apply same-security permit intra?
Config from 5520 and (corrected?) topology diagram would help ;-)
Vendor sends print job to one of our external IP addresses. We have NAT set up to map our external IP given to vendor to the internal IP of printer.
Vendor - - ASA5520 - - IP SEC VPN over Internet - - ASA5505 - - Internal Printer
We have an ACL setup on the outside Interface of our ASA5520.
access-list OUTSIDE extended permit tcp object-group StateVR object-group VR_Printers_ref object-group VRPRN_PORT
The StateVR object group has the external IP of vendor (let's say 167.x.x.2 for one)
The VR_Printers_ref object group has our external IP address (let's say 65.x.x.100 for one)
Then there is a static NAT on the inside interface of ASA5520 with source the internal IP of our printer, to the outside interface with our external IP.
static (inside,outside) 65.x.x.100 172.30.2.25 netmask 255.255.255.255
Hope that helps.
Do you mean that the private IP address 172.30.x.x of the printer exists behind the ASA 5505 that is connected to ASA 5520 via IPsec? And you are setting up the static NAT for that IP address on ASA5520?
Well, then that isn't possible as per my little knowledge.
Here's the thing: when the vendor tries to reach that public IP on ASA 5520, the ASA 5520 looks for a route to the 172.30.x.x, which is there but only for the interesting traffic defined in the crypto ACLs. Even if we somehow make this traffic reach the ASA 5505 by changing the crypto ACLs etc., when the 5505 sends traffic out it will have the PAT IP address of the 5505, and the vendor machine will see a different source IP than destination and will drop the traffic.
Best solution: just set up NAT on ASA 5505 and let the vendor connect to that IP.
Any expert with a better solution, please comment.
I would agree with Manish that perhaps the most scalable solution would be to set up NAT on 5505.
That being said, on 5520 are we terminating IPsec on same interface we want to send traffic to vendor?
I was afraid of this.
What if we need 2 printers at the ASA5505 site. Will we need to get two external IPs from the internet provider?
Thanks so much for all the helpful information.
I understand that for whatever reason you cannot use static PAT on 5505 (instead of using new IP addresses)? Because it could be a "solution".
I'm attaching a diagram for this situation.
You want the vendor to connect to public IP on 5520, the 5520 would then U-Turn the traffic into the tunnel, forward it through the tunnel and then the 5505 sends it to the host.
The reply goes back to 5505, back via the tunnel from 5520 over the Internet?
I think it could be possible ... if this is what you want to accomplish.
Attached diagram of what I understand the situation is.
Wow, thanks so much for the diagram and information. I think we have determined it will just be easier (and maybe the only solution) to get 2 IPs from our DSL provider on the ASA5505 end. We will then do the NAT local to the ASA5505 and leave the ASA5520 out.
Yes, that would be a much simpler and less accident-prone solution.
Unless the vendor requires it, you don't have to use separate IP addresses; you can use static PAT to use different port numbers on your external IP to map them to the same port on different devices.
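As an added illustration of the static PAT approach suggested in the replies above (this is example configuration written for this page, not config posted by anyone in the thread), here is what the 5505-side setup could look like in the same pre-8.3 `static (inside,outside)` syntax the 5520 config in the thread uses. Only the printer address 172.30.2.25 comes from the thread; the printer port (TCP 9100), the second printer address (172.30.2.26), the 5505's public DSL address (198.51.100.10) and the vendor's source address (203.0.113.2) are assumed placeholders.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax.
! Assumed placeholders: printers listen on TCP 9100, second printer is
! 172.30.2.26, the 5505's public DSL address is 198.51.100.10, the vendor's
! source address is 203.0.113.2. 172.30.2.25 is the printer from the thread.

! Static PAT: one public IP, a different mapped port per printer, each
! translated to port 9100 on its own internal printer.
static (inside,outside) tcp 198.51.100.10 9100 172.30.2.25 9100 netmask 255.255.255.255
static (inside,outside) tcp 198.51.100.10 9101 172.30.2.26 9100 netmask 255.255.255.255

! Only the vendor's address may reach the mapped ports. Pre-8.3 ACLs match
! on the mapped (public) address; everything else inbound on outside is
! still dropped by the implicit deny at the end of the list.
object-group network StateVR
 network-object host 203.0.113.2
access-list OUTSIDE extended permit tcp object-group StateVR host 198.51.100.10 eq 9100
access-list OUTSIDE extended permit tcp object-group StateVR host 198.51.100.10 eq 9101
access-group OUTSIDE in interface outside

! Checks after applying:
!   show xlate            - the two static translations should be listed
!   show access-list OUTSIDE - hit counts increment when the vendor prints
```

Because the 5505 both translates the inbound job and un-translates the printer's reply, the vendor sees the reply come back from the same public address and port it sent to, which avoids the source/destination mismatch described earlier in the thread. The vendor would be given 198.51.100.10:9100 and 198.51.100.10:9101 for the two printers instead of two separate public addresses.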