Spoke & Hub topology: Can I Route Internet traffic from a PC at a Spoke site thru the tunnel and NAT it out to the world on the Hub's 5520?

CWF Netman
Level 1

I don't know if this can be made to work or not, or if it's a mutually exclusive NAT configuration that's not possible, but I have an ASA 5520 at my central office site with a 20Mbps fiber-optic Internet feed, and two remote offices with ASA 5505 units connected by DSL or cable modem, and have finally gotten Site-to-Site "spoke" VPN tunnels up and running with the ability to route Spoke-to-Spoke traffic through a "hairpin turn" on the Hub Site's 5520.

I have workstation PCs at each of the remote office spoke sites A & B that need to communicate directly with each other to support a small workgroup-style of point-of-sale software that's actually hosted on a PC at remote site A.

PCs at both remote sites also need to be able to communicate with a credit card processing service over the public Internet, and I wish to have the ASA 5505 units at each remote office block all traffic directly NATed from each PC on the respective local LANs from going straight out to the Internet over each site's cable modem or DSL modem. I want to force those PCs to have to NAT their Internet-destined traffic back through the ASA 5520 located at the home office, over the VPN tunnels. In other words, I want the cable modem and DSL connections to carry strictly VPN-encrypted traffic back to the home office, and not also behave as NAT routers for the local PCs there.

I can kill the 5505s from doing NAT for the PCs at the remote offices by simply removing the factory default dynamic NAT rule for "any", but then I cannot figure out how to get my central 5520 to perform the NAT which the remote office PCs need to talk to their credit card processor service over the Internet without breaking the "NAT-exempt" configs needed for the spoke-to-spoke VPN traffic to work. If I try to put a static or dynamic NAT entry for a remote office PC on my central ASA 5520, it breaks the VPN tunnel for that particular PC.

Is what I wish to accomplish even possible with the ASA's? 

Accepted Solution

praprama
Cisco Employee

Hi Neal,

Yes, this is absolutely possible! Below is a list of things you will need to do:

1) Make sure on both the ASA 5505s, you send ALL traffic from local LAN through the VPN.

2) As Andrew mentioned, have the command "same-security-traffic permit intra-interface" on the ASA 5520.

3) You do not need to have a proxy server configured though that also is a good solution. But to get it working without it, assuming the remote ASA 5505 subnets are 192.168.1.0/24 and 192.168.2.0/24, add the below config lines to the ASA 5520:

nat (outside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface

Please note that the id 1 and the interface can be replaced according to the config you already have in place in the ASA 5520.

I am not sure what kind of NAT exemptions are causing issues for you, but if you can post a sanitized config from one of your ASA 5505s and the ASA 5520, I can make suggestions regarding the exact config.

Let me know if this helps!!

Thanks and regards,

Prapanch

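The three steps in the accepted answer, carried through as one complete hub and spoke configuration. This is an added example, not config from the thread or from Cisco; it uses the pre-8.3 nat/global syntax the answer uses, and every address (hub LAN 10.0.0.0/24, hub outside 203.0.113.1, spoke A 192.168.1.0/24 behind 198.51.100.10, spoke B 192.168.2.0/24 behind 192.0.2.10), interface name, ACL name and pre-shared-key placeholder is assumed for illustration. The part the question stumbled on, keeping the spoke-to-spoke NAT exemption while adding the Internet PAT, is handled by the ordering of the nat 0 and nat 1 rules on the hub.

```cisco
! ---------- Hub ASA 5520 (pre-8.3 nat/global syntax, as in the answer) ----------
! Assumed addresses (documentation ranges, not from the thread):
!   hub LAN 10.0.0.0/24, hub outside 203.0.113.1
!   spoke A LAN 192.168.1.0/24 behind 198.51.100.10
!   spoke B LAN 192.168.2.0/24 behind 192.0.2.10
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.254
! Step 2: packets that arrive on outside (decrypted spoke traffic) may leave
! through outside again, both toward the other spoke and toward the Internet.
same-security-traffic permit intra-interface
! NAT exemption first. A "nat ... 0 access-list" rule is matched before any
! numbered nat rule, so spoke-to-spoke and hub-to-spoke flows keep their
! private addresses and still match the crypto ACLs below.
access-list NONAT-INSIDE extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT-OUTSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT-OUTSIDE extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT-INSIDE
nat (outside) 0 access-list NONAT-OUTSIDE
! Step 3: everything else from the spoke LANs that enters on outside is PATed
! to the hub's public address on the way back out (the three lines from the answer).
nat (outside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
! The hub LAN keeps its own ordinary PAT.
nat (inside) 1 10.0.0.0 255.255.255.0
! Crypto ACLs mirror the spokes' "LAN to any" ACLs: destination "any" on the
! spoke side becomes source "any" here, which is what lets Internet return
! traffic (un-PATed back to 192.168.x.y) and the other spoke's traffic match.
access-list HUB-TO-A extended permit ip any 192.168.1.0 255.255.255.0
access-list HUB-TO-B extended permit ip any 192.168.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address HUB-TO-A
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address HUB-TO-B
crypto map OUTSIDE-MAP 20 set peer 192.0.2.10
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <spoke-A-key>
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key <spoke-B-key>
!
! ---------- Spoke A ASA 5505 (spoke B is the same with 192.168.2.0/24) ----------
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1
! Step 1: the factory "nat (inside) 1 0.0.0.0 0.0.0.0" + "global (outside) 1
! interface" pair is deliberately absent, so this unit never PATs LAN hosts out
! of its own cable/DSL link. The identity rule only matters if nat-control is on.
access-list VPN-TO-HUB extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list VPN-TO-HUB
! Interesting traffic is "LAN to anything", so Internet-bound packets are
! encrypted toward the hub instead of being handed to the local ISP.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-HUB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <spoke-A-key>
```

To check the result on the hub, confirm the spoke SAs are up with `show crypto ipsec sa peer 198.51.100.10`, then simulate a decrypted spoke packet with `packet-tracer input outside tcp 192.168.1.50 1025 <processor-ip> 443` (available on 7.2 and later): the NAT phase should show the nat (outside) 1 / global rule for the Internet destination and the nat (outside) 0 exemption when the destination is 192.168.2.x, and `show xlate` should list a PAT entry on 203.0.113.1 for the spoke host. Two caveats: if `no sysopt connection permit-vpn` is configured, the outside interface ACL must also permit the decrypted spoke traffic, both to the other spoke's LAN and to the card processor; and on ASA 8.3 and later the nat/global lines above do not exist, the same hairpin PAT is expressed as an object NAT rule of the form `nat (outside,outside) dynamic interface` on each spoke subnet object, with the spoke-to-spoke exemption as a manual (twice) NAT identity rule, which is evaluated before object NAT.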

4 Replies

andrew.prince
Level 10

Simply put - yes this is possible, a couple of simple ways:-

1) install a proxy server at the HUB site, configure the PC browsers to use the proxy

2) Encrypt ALL traffic not local to the remote sites, to be sent to the Hub. Then allow "same security-interface traffic"

You will need to pay special attention to:-

1) IP routes

2) NAT ( pay BIG attention to this)

HTH


Finally got it working.

I had to first add a destination "any" to the crypto map ACLs on the 5505s and then add explicit inside and outside incoming rules to the firewall access rules on the 5520 for the remote site PCs and the credit card server out on the Internet.

The credit card software is not proxy-aware (it ain't browser-based) so a proxy does no good for that.

My 5520's config file is HUGE and it would take a very long time to make a sanitized copy, so I have to decline that.

Hi Neal,

Glad to know it worked!

Cheers,

Prapanch
