topic Publish a server on an ASA, the server is at a remote location. in Network Security

Publish a server on an ASA, the server is at a remote location.

timothy.lewis — Mon, 11 Mar 2019 21:07:02 GMT

I have the following situation:

We are moving to another datacenter. Our public IP address is going to change. We have software that is dependent on a hard coded IP address (I know). The idea is that until we are able to complete the move and update the software (for an FQDN hopefully) I need be able to have users hit the old public IP addresses at the old datacenter and have it forward to the server at the new datacenter.

We have two Cisco ASA 5510s at the old datacenter. The idea was to set up a VPN tunnel between the two datacenters. Leave the existing ACL allowing the traffic to the server intact, then change the statc NAT rule to just forward to the host on the other side of the VPN tunnel. This did not work however. I also set up a static route for that server to the remote VPN peer.

I also have a pair of ISR 1841s with advanced security that are not in use at the moment.

Publish a server on an ASA, the server is at a remote location.

Jon Marshall — Wed, 03 Aug 2011 11:41:15 GMT

Timothy

Does the connection have to VPNd ?

If so what interface does the packet arrive on and what interface are you doing the VPN tunnel from ?

Jon

Publish a server on an ASA, the server is at a remote location.

timothy.lewis — Wed, 03 Aug 2011 11:54:28 GMT

I'm not really married to the VPN. If we can make traffic destined for site 1's ASA public IP be forwarded to site 2's ASA public IP that will work too.

My initial thought was to do LAN-to-LAN VPN between the ASAs with VPN peers being the outside interface and the packet arriving on the outside interface.

Publish a server on an ASA, the server is at a remote location.

Jon Marshall — Wed, 03 Aug 2011 12:00:46 GMT

Timothy

This should be doable with our without a VPN although it does depend on your ASA code version ie. until 7.2 you could only send traffic back out of the same interface it arrived on with VPN traffic but since then the restriction has been lifted.

You need to enable "same-security-traffic permit intra-interface" on your ASA firewall which will allow traffic to be routed back out on the same interface.

Jon

Publish a server on an ASA, the server is at a remote location.

timothy.lewis — Wed, 03 Aug 2011 19:14:49 GMT

OK. I can add that setting, but how do I configure it to redirect?

Publish a server on an ASA, the server is at a remote location.

Jon Marshall — Wed, 03 Aug 2011 20:34:11 GMT

Timothy

If there is default-route pointing out of the outside interface then you shouldn't neede to add a route because it will by default be routed back out of the same interface.

Jon

Publish a server on an ASA, the server is at a remote location.

timothy.lewis — Fri, 05 Aug 2011 00:12:46 GMT

Right I get that part, but it does not fit my scenario. Let me go into the more detail.

I currently have rack space at two datacenters that are not connected in any way. At both I have ASA 5510s. At datacenter A, my ASA has a public IP address of 1.1.1.1. At datacenter B my ASA has a public IP address of 2.2.2.2. Currently, my application server is at datacenter A and published on 1.1.1.1.

We are moving everything to datacenter B except for one ASA until our move is complete.

The challenge is that the application client our customers use connects to the server on 1.1.1.1. In the software the IP address is hard-coded, and there are thousands of these clients floating around out there and it will take weeks to get them all pointing to a new address (hopefully an FQDN).

What I need is for clients to try to access 1.1.1.1, from whatever their IP address is and be redirected to the server that is at a completely different location.

Initially I thought I was set up a LAN to LAN VPN between the ASAs. Then do and ACL and a static (inside,outside) 1.1.1.1 . That does not appear to work.

Publish a server on an ASA, the server is at a remote location.

timothy.lewis — Sat, 06 Aug 2011 18:05:36 GMT

What about if I NAT the traffic on ASA before it encrypts?

Something like:

access-list NAT1 ext permit ip any 192.168.0.0 255.255.0.0

static (inside,outside) 172.16.0.0 access-list NAT1

access-list VPN ext permit 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0

Publish a server on an ASA, the server is at a remote location.

timothy.lewis — Sat, 06 Aug 2011 18:45:07 GMT

I tried this type of a set up and ran packet-tracert against it. Here is the packet-tracert output:

packet-tracer input WAN tcp 2.2.2.2 3389 1.1.1.1 3389 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd4cc17e0, priority=1, domain=permit, deny=false
        hits=46650444, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,WAN) tcp 1.1.1.1 3389 172.16.0.229 3389 netmask 255.255.255.255
match tcp inside host 172.16.0.229 eq 3389 WAN any
static translation to 1.1.1.1/3389
translate_hits = 0, untranslate_hits = 5
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.1/3389 to 172.16.0.229/3389 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN-IN in interface WAN
access-list WAN-IN extended permit tcp any host 1.1.1.1 eq 3389
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8a8c6b0, priority=12, domain=permit, deny=false
        hits=4, user_data=0xd8000b18, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=1.1.1.1, mask=255.255.255.255, port=3389, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd82833e0, priority=0, domain=permit-ip-option, deny=true
        hits=2736279, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd3dcf6d8, priority=20, domain=lu, deny=false
        hits=17487, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8faa508, priority=12, domain=ipsec-tunnel-flow, deny=true
        hits=5161, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,WAN) tcp 1.1.1.1 3389 172.16.0.229 3389 netmask 255.255.255.255
match tcp inside host 172.16.0.229 eq 3389 WAN any
    static translation to 1.1.1.1/3389
    translate_hits = 0, untranslate_hits = 5
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd8d8dfc8, priority=5, domain=nat-reverse, deny=false
        hits=4, user_data=0xd8d52478, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=172.16.0.229, mask=255.255.255.255, port=3389, dscp=0x0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,WAN) tcp 1.1.1.1 3389 172.16.0.229 3389 netmask 255.255.255.255
match tcp inside host 172.16.0.229 eq 3389 WAN any
    static translation to 1.1.1.1/3389
    translate_hits = 0, untranslate_hits = 5
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd8aa7500, priority=5, domain=host, deny=false
        hits=9, user_data=0xd8d52478, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.0.229, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd4d04070, priority=0, domain=permit-ip-option, deny=true
        hits=20791272, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 21234085, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency