Internal routing in double NAT'ed environment

darrell3001
Level 1

Home lab setup is almost complete, thanks in large part to info that I've found on this forum. Many thanks!

 

I have a 5505 sitting on my 192.168.1.0 home network. The 5505 is configured as a site to site VPN to azure.

 

home ISP (1.2.3.4) <- home router (192.168.1.0) <- 5505 ASA (outside = 192.168.1.138, inside = 10.200.200.1)

 

The site-to-site VPN is working flawlessly; however, the last step in my quest is to be able to route from my Mac on the 192.168.1.0 network directly to a host (e.g. 10.200.200.5) on the inside network of the ASA.

 

So two questions:

1) What do I have to configure on the ASA to accomplish this? My assumption is an access-list, but I've spent quite a bit of time researching this and the solution eludes me.

 

2) What kind of route do I need to set up on the home router (192.168.1.1)? I assume it is something like:

route 10.200.200.0/24 192.168.1.138

 

PS: 

packet-tracer input outside icmp 192.168.1.123 0 0 10.200.200.5

yields:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.200.200.0    255.255.255.0   inside

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Best Regards!
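The packet-tracer output above pins the problem down: phase 3 hits the implicit deny on the outside interface, so no inbound access-list exists for this flow. The following ASA 5505 configuration is an added example, not taken from the original post or its replies; it assumes the interface names "outside" and "inside" from the post, and the object and ACL names (HOME-LAN, ASA-INSIDE, OUTSIDE-IN) are chosen here.

```cisco
! Added example (not from the original post): allow 192.168.1.0/24 on the
! outside interface to reach 10.200.200.0/24 on the inside, untranslated.
! Object and ACL names are assumptions; interface names come from the post.

! Named objects for the two networks involved
object network HOME-LAN
 subnet 192.168.1.0 255.255.255.0
object network ASA-INSIDE
 subnet 10.200.200.0 255.255.255.0

! Question 1: an inbound ACL on outside. Permit only the home LAN to the
! inside subnet; every other inbound flow keeps hitting the implicit deny.
access-list OUTSIDE-IN extended permit ip object HOME-LAN object ASA-INSIDE
access-group OUTSIDE-IN in interface outside

! NAT exemption (identity twice NAT, placed in section 1 ahead of any
! object NAT such as "nat (inside,outside) dynamic interface"). Without it
! the reply from 10.200.200.5 would match the outbound PAT rule while the
! forward flow was untranslated, and the ASA drops it with nat-rpf-failed.
nat (outside,inside) source static HOME-LAN HOME-LAN destination static ASA-INSIDE ASA-INSIDE

! Verify with the same probe as in the post (type 8 = echo request);
! phase 3 should now report ALLOW against OUTSIDE-IN instead of acl-drop.
packet-tracer input outside icmp 192.168.1.123 8 0 10.200.200.5
```

Question 2 is answered by the route the post already guesses at: the home router needs 10.200.200.0/24 pointing to 192.168.1.138 (the exact syntax depends on the router; on a Linux-based one it is `ip route add 10.200.200.0/24 via 192.168.1.138`). Because the Mac and the ASA's outside interface sit on the same segment, the Mac's first packet will go to the router and come back as an ICMP redirect while replies arrive straight from the ASA; adding the same route on the Mac itself (`sudo route -n add -net 10.200.200.0/24 192.168.1.138`) avoids that asymmetry.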


Since there is NAT, no need for a route.

......200.5 static NAT to outside IP.

Ping the outside IP, not the IP behind the NAT, because it is hidden; that is the job of NAT.

darrell3001
Level 1

Hmm.. I don't think the above will solve my problem. Here is the complete config:

 

Azure S2S VPN (10.20.20.0) <-> (5.6.7.8) <---IPSec--<-v
home ISP (1.2.3.4) <- home router (192.168.1.0) <- 5505 ASA (outside = 192.168.1.138, inside = 10.200.200.1)
                                                              ^
                                                          MyMac (192.168.1.102)

 

 

I want to be able to connect (from my Mac - 192.168.1.102) directly to a host on the Azure network (10.20.20.0) without having to be on the 10.200.200.0 network. A host that is sitting on the inside network of the 5505 can connect directly to a 10.20.20.0 address via the IPSec tunnel. My quest is to be able to make this same connection directly from the 192.168.1.0 network. To do this, I will somehow have to route to the inside network of the ASA and then have the ASA route them over the IPSec tunnel. The trick is that I don't want to have to be hooked up to the 10.200.200.0 network from my Mac.

 

Thanks and Best Regards!
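With the real goal stated (Mac on 192.168.1.0/24 reaching Azure's 10.20.20.0/24 through the existing tunnel), the static NAT suggested in the first reply does not help: the traffic never needs to touch the inside network at all. What changes is that the packet enters the outside interface and the tunnel also terminates on the outside interface, so the ASA must U-turn it, the home LAN must be part of the tunnel's interesting traffic, and the Azure side must know about 192.168.1.0/24. The configuration below is an added example, not from the original post or its replies; the object and ACL names (HOME-LAN, AZURE-NET, OUTSIDE-IN, AZURE-VPN-TRAFFIC) are assumptions, and the crypto ACL name in particular must be replaced with the one the existing tunnel's crypto map already references.

```cisco
! Added example (not from the original post): let 192.168.1.0/24 reach
! Azure (10.20.20.0/24) through the ASA's site-to-site tunnel. All object
! and ACL names are assumptions; reuse the names of the existing tunnel.

object network HOME-LAN
 subnet 192.168.1.0 255.255.255.0
object network AZURE-NET
 subnet 10.20.20.0 255.255.255.0

! Traffic arrives on "outside" and is encrypted back out of "outside":
! the ASA only permits that hairpin when intra-interface traffic is allowed.
same-security-traffic permit intra-interface

! Inbound ACL on outside: permit just the home LAN to the Azure subnet,
! not "any", so the ASA stays the trust boundary for everything else.
access-list OUTSIDE-IN extended permit ip object HOME-LAN object AZURE-NET
access-group OUTSIDE-IN in interface outside

! NAT exemption for the VPN flow: the packet must keep its real 192.168.1.x
! source so it matches the crypto ACL and Azure can route the reply back.
nat (outside,outside) source static HOME-LAN HOME-LAN destination static AZURE-NET AZURE-NET

! Add the home LAN as interesting traffic for the tunnel. This must be the
! same ACL the existing "crypto map ... match address" line points at.
access-list AZURE-VPN-TRAFFIC extended permit ip object HOME-LAN object AZURE-NET

! Verify: the trace should end in the tunnel (a VPN/ENCRYPT phase) rather
! than in acl-drop on phase 3.
packet-tracer input outside icmp 192.168.1.102 8 0 10.20.20.5
```

Two things outside the ASA still have to line up: the home router (or the Mac itself) needs a route for 10.20.20.0/24 via 192.168.1.138, and the Azure local network gateway for this connection must list 192.168.1.0/24 alongside 10.200.200.0/24 as an on-premises address space, otherwise Azure will neither negotiate a security association for that selector nor route replies into the tunnel. Because the encrypted traffic leaves the ASA with the home LAN's private source addresses, the ASA's outside interface is the only hop that ever sees them in cleartext, which is the property the whole arrangement depends on.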
