natting a remote ip address on asa5505

Roberto Kippins
Level 1

Untitled.jpg


Hi, I created a sample network above to describe my situation. I have a main site in South America and a remote site in Miami, which are connected via IPsec VPN; both sites are terminated with ASA 5505s. We also have a customer that is connected to the remote site in Miami, and we are connected to the customer through the Miami VPN connection. At the customer site they have quite a few Citrix servers that we access at the main site. We have about 200+ workers at the main site accessing these Citrix servers via a single IP address in the web browser, and the applications work just fine.

The problem is that we deployed a GFI web proxy to save bandwidth. It works well, but when we open the Citrix applications they are all running through the proxy, then back to the firewall, then to the VPN, and this causes huge problems when we have all workers connected. But the way the proxy works, if I try to browse web pages on the local intranet, the traffic does not pass through the proxy. So I was wondering whether, if I do a NAT config on the firewall to map an inside IP address to the remote Citrix server web interface, this will prevent the Citrix traffic from passing through the proxy.

Hi,

So if I understood you correctly, you want to map an IP address located at the Miami Customer site to an IP address that's part of the South America Site's local network to bypass the GFI Web Monitor?

If what I described above is the situation then could you please let us know what software you are running on the ASAs? Do you have access to all of the firewall/VPN devices in the picture or is the Miami Customer device under their management only?

- Jouni

Hey, yes, you are correct. We are using the latest ASA IOS, which I think is 9.0.4, and the ASA at the Miami customer site is under their management.

I saw someone did a similar config on a Cisco router with NAT where they mapped an unused local IP address to an actual IP address of a server on the internet, and it worked, but I'm not sure if it can be done with ASAs. If not, I'll just take down the proxy for the time.

Hi,

So if the aim is to NAT the actual destination IP address located at Miami Customer Site to an IP address located at South America Site then I think the configuration should look something like this:

! South America Site LAN (source, left untranslated)
object network SA-LAN
 subnet 192.168.10.0 255.255.255.0
! Local address the users browse to
object network SA-DEST-NAT
 host 192.168.10.254
! Real server address at Miami Customer Site
object network SA-DEST-REAL
 host 10.10.10.10
! Twice NAT: keep the source, rewrite destination .254 to the real server
nat (inside,outside) 1 source static SA-LAN SA-LAN destination static SA-DEST-NAT SA-DEST-REAL

The above presumes that the South America Site LAN network is 192.168.10.0/24 and the chosen NAT IP address for the destination is 192.168.10.254 from that network. The Miami Customer Site is presumed to be 10.10.10.0/24 and the actual destination address there to be 10.10.10.10.

- Jouni
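
One way to check the NAT rule from the reply above once it is applied on the South America ASA, as an added example that is not part of the original thread. The client address 192.168.10.50, source port 1025 and destination port 443 are constructed sample values; the interface names and the other addresses are the ones presumed in the reply.

```cisco
! Added example, not from the thread.
! 192.168.10.50, 1025 and 443 are constructed sample values.
!
! Simulate a LAN client opening the NAT address. In the output, the UN-NAT
! phase should show destination 192.168.10.254 rewritten to 10.10.10.10,
! the source should stay 192.168.10.50, and the egress interface should be
! outside. The translated flow (192.168.10.0/24 -> 10.10.10.10) is what has
! to match the existing VPN, because NAT is applied before encryption.
packet-tracer input inside tcp 192.168.10.50 1025 192.168.10.254 443 detailed
!
! Confirm the rule sits in Section 1 (manual NAT) and watch its
! translate/untranslate hit counters while a real client connects.
show nat detail
!
! Confirm the Citrix session is carried by the tunnel: the packet
! encapsulation counters should increase while the client is connected.
show crypto ipsec sa
```

Traffic sent to 192.168.10.254 no longer passes through the GFI proxy, so it is also absent from the proxy's logs and filtering; the single-host destination object keeps that bypass limited to the one server.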
