I am working as a Sr. Network Engineer and am maintaining all networks for my company. We have a site-to-site VPN between HO and the branch office.
We have a Cisco ASA 5520 firewall at HO and a Cisco ASA 5510 firewall at the branch end. We have three zones at the branch office (inside, management and outside).
The site-to-site VPN is working fine between the HO LAN and the branch management zone.
Now we have one proxy server in the inside network and want to access it via the existing site-to-site VPN. We don't share or show any inside IP address to the HO LAN.
Could you please help me with how to implement this setup?
Mobile : +91 96557-77058
Thanks 'n Regards,
What do you mean by "you don't share or show any inside IP address into HO LAN"? Do you mean you do not want to use the inside IP address when connecting to the HO LAN? Or, currently it has not been configured, and you would like to know how the branch's inside network can access the HO proxy server?
Please find the below mentioned IP address of Branch office.
Inside IP address : 172.16.10.0/24
Management IP address : 192.168.10.0/24
Outside IP address : X.Y.Z.2
We have many LAN subnets, but the VPN is between the subnet below and the branch's management subnet.
Inside IP address : 10.43.11.0/0
Outside IP address :A.B.C.10
Now we have one proxy at the branch office (IP address 172.16.10.99). It should be accessible through the VPN tunnel using one management IP address.
Let us assume the free IP address 192.168.10.99, which is in the management zone.
HO <====VPN Tunnel=====>BO--Inside(proxy server here).
Suppose a remote admin wants to apply policy to the BO's proxy; he will SSH or telnet to 192.168.10.99. This traffic should go to the proxy server through the existing VPN tunnel.
I hope you understand my requirement.
Sorry, I still don't understand the requirement. But thanks for the IP addresses, diagram and subnetting; it helps.
So my understanding is you would like to SSH and telnet from source 192.168.10.99 towards destination proxy server 172.16.10.99? Is this what you are trying to achieve? But that traffic is just within the branch office.
What traffic do you require to traverse from head office to branch office and vice versa?
You would like the 172.16.10.0/24 subnet (inside of branch office) to communicate with the 10.43.11.0/0 subnet (inside of HQ office) and vice versa.
Is this what you are trying to achieve?
No, you would need to add the crypto ACL on both sides and create the corresponding NAT exemption, and clear the existing SAs once the configuration has been added. It should only affect it for a very short period of time (a couple of seconds) when you clear the SAs.
No, there is no other way to implement the solution.
Here is a sample configuration for your reference:
Hope that helps.
I have tried with static NAT but I could not succeed. Now what is happening: as below, I configured static NAT to the management zone.
static (inside,mgmt) tcp 192.168.10.99 ssh 172.16.10.99 ssh netmask 255.255.255.255
static (inside,mgmt) tcp 192.168.10.99 3128 172.16.10.99 3128 netmask 255.255.255.255
static (inside,mgmt) tcp 192.168.10.99 7777 172.16.10.99 7777 netmask 255.255.255.255
static (inside,mgmt) tcp 192.168.10.99 8080 172.16.10.99 8080 netmask 255.255.255.255
access-list mgmt extended permit tcp any host 192.168.10.99 eq ssh
access-list mgmt extended permit icmp any any
access-list mgmt extended permit icmp any any echo
access-list mgmt extended permit icmp any any echo-reply
access-list mgmt extended permit icmp any any time-exceeded
access-list mgmt extended permit tcp any host 192.168.10.99 eq 3128
access-list mgmt extended permit tcp any host 192.168.10.99 eq 7777
access-group mgmt in interface mgmt
Let us assume I am sitting in the management zone at the branch office. I am able to reach the proxy server (172.20.0.99) if I initiate traffic to IP 192.168.172.99.
For your clarification, I have attached the ASA configuration also.
But I could not reach it from HO through the tunnel (meaning from 10.43.11.0/24).
1) To access the proxy server from the management network, here is what needs to be configured if you do not want to translate the proxy server IP address:
static (inside,mgmt) 172.20.0.0 172.20.0.0 netmask 255.255.0.0
same-security-traffic permit inter-interface
And configure the "mgmt" access-list to allow traffic towards the real IP address of the proxy server (172.20.0.99).
Please also remove the static translation that you have configured if translation is not required for the proxy server.
2) To access the proxy server from the branch office, you would need to configure the following:
On the branch office:
access-list 100 extended permit ip 172.20.0.0 255.255.0.0 10.43.11.0 255.255.255.0
access-list nonat extended permit ip 172.20.0.0 255.255.0.0 10.43.11.0 255.255.255.0
On the HQ office:
For the crypto access-list to the branch office, you would need to add:
For the NAT exemption access-list, you would need to add:
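The two things the reply above says must be added on both peers (a mirrored crypto ACL entry and a matching NAT exemption) are also the two things most often forgotten when a new subnet is added to an existing tunnel. As an added example (mine, not code from the thread or from Cisco), here is a small Python checker that parses 8.2-style access-list lines and reports crypto entries that the peer does not mirror or that the local nonat ACL does not cover; the sample configs are constructed from the subnets in the thread, and the HQ ACL name `to_branch` is an assumption.

```python
"""Audit crypto ACL mirroring and NAT exemption for an ASA site-to-site VPN.
Parses only the 8.2-style 'access-list NAME extended permit ip SRC MASK DST MASK'
form used in the thread; 'host' and 'any' entries are ignored."""
import ipaddress
import re

ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)

# Constructed sample configs built from the subnets discussed in the thread.
BRANCH_CFG = """
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 10.43.11.0 255.255.255.0
access-list 100 extended permit ip 172.20.0.0 255.255.0.0 10.43.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 10.43.11.0 255.255.255.0
access-list nonat extended permit ip 172.20.0.0 255.255.0.0 10.43.11.0 255.255.255.0
"""
# HQ side before the new inside subnet was added ('to_branch' is an assumed ACL name).
HQ_CFG = """
access-list to_branch extended permit ip 10.43.11.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

def parse_acl(config, name):
    """Return a set of (src_cidr, dst_cidr) for the permit-ip entries of ACL `name`."""
    entries = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m["name"] == name:
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            entries.add((str(src), str(dst)))
    return entries

def audit(local_cfg, peer_cfg, crypto_acl, nonat_acl, peer_crypto_acl):
    """Report crypto entries the peer does not mirror or that local NAT would still translate."""
    crypto = parse_acl(local_cfg, crypto_acl)
    peer = parse_acl(peer_cfg, peer_crypto_acl)
    nonat = parse_acl(local_cfg, nonat_acl)
    findings = []
    for src, dst in sorted(crypto):
        if (dst, src) not in peer:        # the peer's crypto ACL must be the exact mirror
            findings.append(f"peer missing mirror of {src} -> {dst}")
        if (src, dst) not in nonat:       # otherwise NAT rewrites the source before encryption
            findings.append(f"nonat missing {src} -> {dst}")
    return findings
```

Running `audit(BRANCH_CFG, HQ_CFG, "100", "nonat", "to_branch")` on the sample flags the missing HQ mirror for 172.20.0.0/16; once that line is added on the HQ side the audit returns an empty list.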