
IP Redirection

guliana27
Level 1

Hi All,

My environment is as follows:

I have a server located behind an ASA appliance (ASA1), which is the only machine located behind the firewall.

The ASA1 has a static public IP assigned to its outside interface (IP1).

I connect to the server for maintenance through a site-to-site VPN connection, while there are several external devices (on the internet) that store data on the server, connecting through openvpn. Those devices point to openvpn.example.com in order to establish their connectivity to the server (there is a public DNS entry for openvpn.example.com = IP1).

I will need to move the server to a datacenter where a different provider will supply the connectivity and a pool of public IPs.

My idea is to install a second ASA in the datacenter, assign a public IP to its outside interface (IP2), configure a new site to site VPN for maintenance and change the current DNS configuration for openvpn.example.com from IP1 to IP2.

Unfortunately I don't have control over the TTL for the public DNS (which is managed by my current ISP) and I cannot afford all devices that point to openvpn.example.com to lose connection for 24 hours or more once the server is moved to the new location. I was wondering if there is a way I can configure ASA1 to redirect all packets destined to its IP1 automatically to IP2, at least until the DNS transition is completed.

Thanks in advance 

1 Reply

Hello.

I would suggest configuring an IPSec tunnel between the 2 ASAs and, on the old one, configuring twice NAT for openvpn inbound connections.

Destination would be translated anyway, as you run private IP addresses on the LAN; source IP addresses must be translated, so you could easily route traffic via the correct WAN link.

PS: you might also configure twice NAT without IPSec, but I don't think it's a good idea.
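
One way the twice NAT suggested in the reply could be written on ASA1 (ASA 8.3 and later NAT syntax), as an added example that is not part of the thread. It assumes the ASA1-to-ASA2 IPSec tunnel already exists, the outside interface is named `outside`, and OpenVPN listens on UDP 1194; all addresses, object names and ACL names are constructed placeholders.

```cisco
! Constructed values: 10.20.0.10 = server's new private IP behind ASA2,
! 192.168.10.250 = unused address on ASA1's old LAN used as the PAT source,
! UDP/1194 = assumed OpenVPN port. Object and ACL names are hypothetical.
object network OBJ-SERVER-DC
 host 10.20.0.10
object network OBJ-REDIRECT-PAT
 host 192.168.10.250
object service OBJ-OPENVPN
 service udp destination eq 1194
!
! Redirected traffic enters and leaves on the same interface
! (Internet in, IPSec tunnel out), so hairpinning must be allowed.
same-security-traffic permit intra-interface
!
! Twice NAT: destination IP1 (the outside interface address) is rewritten to
! the server behind ASA2; every client source is rewritten to one PAT address
! so the server's replies come back through the tunnel, not ASA2's WAN link.
nat (outside,outside) source dynamic any OBJ-REDIRECT-PAT destination static interface OBJ-SERVER-DC service OBJ-OPENVPN OBJ-OPENVPN
!
! On 8.3 and later the interface ACL matches the server's real address.
access-list OUTSIDE-IN extended permit udp any object OBJ-SERVER-DC eq 1194
!
! The tunnel's interesting-traffic ACL must cover the translated flow;
! ASA2 needs the mirrored entry.
access-list VPN-TO-ASA2 extended permit ip object OBJ-REDIRECT-PAT object OBJ-SERVER-DC
```

Because of the source PAT, the server sees every redirected client as 192.168.10.250, so during the transition per-client attribution has to come from OpenVPN's own client identity rather than the source IP. Remove the rule and the intra-interface permit once DNS has fully moved to IP2.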
