Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

natting a remote ip address on asa5505

Untitled.jpg

5 REPLIES
Community Member

natting a remote ip address on asa5505

Hi I created a sample network above to describe my situstion okay I have a main site in southamerica and a remote site in miami which is connected via ipsec vpn both sites are terminated with asa 5505  and then we have a customer that is connected to the remote site in miami and we are connected to the customer through the miami vpn connection at the customer site they have  quite a few citrix servers  that we access at the main site we have about 200+ workers at the main site accessing these citrix servers via a single ip address in the web browser and the applications work just fine the problem is we deployed a gfi web proxy to save bandwidth and it works well but when we open the citrix applications they are all running through the proxy and then back to the firewall then to the vpn and this causes huge problems when we have all workers connected  but how the proxy works if i try to browse web pages on the local intranet it does not pass through the proxy so i was wondering if i do  a nat config on the firerwall to map an inside ipaddress to the remote citrix server web interface this will prevent the citrix traffic from passing through the proxy

Super Bronze

natting a remote ip address on asa5505

Hi,

So if I understood you correctly, you want to map an IP address located at Miami Customer site to an IP address thats part of the South America Sites local network to bypass the GFI Web Monitor?

If what I described above is the situation then could you please let us know what software you are running on the ASAs? Do you have access to all of the firewall/VPN devices in the picture or is the Miami Customer device under their management only?

- Jouni

Community Member

natting a remote ip address on asa5505

Hey yes you are correct, we are using the latest asa ios which i think is 9.0.4 and the asa at the miami customer site is under their management

Community Member

natting a remote ip address on asa5505

i saw someone did a similar config on a cisco router with nat where they mapped an unused local ip address to an actual ip address of a server on the internet and i worked but not sure if it can be done with asa's if not ill just take down the proxy for the time.

Super Bronze

natting a remote ip address on asa5505

Hi,

So if the aim is to NAT the actual destination IP address located at Miami Customer Site to an IP address located at South America Site then I think the configuration should look something like this

object network SA-LAN

subnet 192.168.10.0 255.255.255.0

object network SA-DEST-NAT

host 192.168.10.254

object network SA-DEST-REAL

host 10.10.10.10

nat (inside,outside) 1 source static LAN LAN destination static SA-DEST-NAT SA-DEST-REAL

The above presumes that the South America Site LAN network  is 192.168.10.0/24 and the chosen NAT IP address for the destination is 192.168.10.254 from that network. The Miami Customer Site is presumed to be 10.10.10.0/24 and the actual destination address there to be 10.10.10.10

- Jouni

266
Views
0
Helpful
5
Replies
CreatePlease to create content