
IP Redirection

Hi All,

My environment is as follows:

I have a server located behind an ASA appliance (ASA1), which is the only machine located behind the firewall.

The ASA1 has a static public IP assigned to its outside interface (IP1).

I connect to the server for maintenance through a site-to-site VPN connection, while there are several external devices (on the internet) that store data on the server, connecting through OpenVPN. Those devices point to openvpn.example.com in order to establish their connectivity to the server (there is a public DNS entry for openvpn.example.com = IP1).

I will need to move the server to a datacenter where a different provider will supply the connectivity and a pool of public IPs.

My idea is to install a second ASA in the datacenter, assign a public IP to its outside interface (IP2), configure a new site to site VPN for maintenance and change the current DNS configuration for openvpn.example.com from IP1 to IP2.

Unfortunately, I don't have control over the TTL for the public DNS (which is managed by my current ISP), and I cannot afford for all the devices that point to openvpn.example.com to lose connection for 24 hours or more once the server is moved to the new location. I was wondering if there is a way I can configure ASA1 to redirect all packets destined to its IP1 automatically to IP2, at least until the DNS transition is completed.

Thanks in advance 

1 REPLY

Hello.

I would suggest configuring an IPSec tunnel between the 2 ASAs and, on the old one, configuring twice NAT for OpenVPN inbound connections.

The destination would be translated anyway, as you run private IP addresses on the LAN; source IP addresses must be translated, so you could easily route traffic via the correct WAN link.

PS: you might also configure twice NAT without IPSec, but I don't think it's a good idea.
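The suggestion above, sketched as an ASA1 configuration. This is an added example, not configuration posted by anyone in the thread, and every address, object name, ACL name, crypto map name and the OpenVPN port is an assumption to replace with real values.

```cisco
! ASA1 (old site), ASA 8.4+ syntax. Constructed values, not from the thread:
!   OpenVPN listens on UDP 1194 (its default port)
!   10.20.0.10   = server's private address behind ASA2
!   10.10.0.254  = unused address used as the translated source (relay PAT)
!   203.0.113.20 = placeholder for IP2 (ASA2 outside)
!   OUTSIDE-IN, OUTSIDE-MAP, ESP-AES256-SHA = assumed existing ACL, crypto map, transform set

! Allow traffic to enter and leave the same (outside) interface
same-security-traffic permit intra-interface

object network NEW-SERVER
 host 10.20.0.10
object network RELAY-PAT
 host 10.10.0.254
object service OPENVPN-UDP
 service udp destination eq 1194

! Twice NAT: destination IP1 (outside interface address) becomes NEW-SERVER,
! and every client source address is hidden behind RELAY-PAT so that the
! server's replies come back through the tunnel to ASA1.
nat (outside,outside) source dynamic any RELAY-PAT destination static interface NEW-SERVER service OPENVPN-UDP OPENVPN-UDP

! Inbound permit on the outside ACL (8.3+ ACLs match the real destination)
access-list OUTSIDE-IN extended permit udp any host 10.20.0.10 eq 1194

! Crypto ACL uses the post-NAT addresses, limited to the OpenVPN relay flow
access-list S2S-ASA2 extended permit udp host 10.10.0.254 host 10.20.0.10 eq 1194

tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>

crypto map OUTSIDE-MAP 20 match address S2S-ASA2
crypto map OUTSIDE-MAP 20 set peer 203.0.113.20
crypto map OUTSIDE-MAP 20 set ikev1 transform-set ESP-AES256-SHA

! Verify after a client connects:
!   show xlate
!   show crypto ipsec sa peer 203.0.113.20
```

ASA2 needs the mirrored crypto ACL (server to 10.10.0.254) and a NAT exemption for that flow. While the relay is in use, the server sees every relayed client as 10.10.0.254, so per-client source addresses are only available from ASA1's connection logs.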
