02-22-2022 07:38 PM
Home lab setup is almost complete, thanks in large part to info that I've found on this forum. Many thanks!
I have a 5505 sitting on my 192.168.1.0 home network. The 5505 is configured as a site-to-site VPN to Azure.
home ISP (1.2.3.4) <- home router (192.168.1.0) <- 5505 ASA (outside = 192.168.1.138, inside = 10.200.200.1)
The site-to-site VPN is working flawlessly; however, the last step in my quest is to be able to route from my Mac on the 192.168.1.0 network directly to a host (e.g. 10.200.200.5) on the inside network of the ASA.
So two questions:
1) What do I have to configure on the ASA to accomplish this? My assumption is an access-list, but I've spent quite a bit of time researching this and the solution eludes me.
2) What kind of route do I need to set up on the home router (192.168.1.1)? I assume it is something like:
route 10.200.200.0/24 192.168.1.138
PS:
packet-tracer input outside icmp 192.168.1.123 0 0 10.200.200.5
yields:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.200.200.0 255.255.255.0 inside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Best Regards!
02-23-2022 05:34 AM
Since there is NAT, there is no need for a route.
......200.5 static NAT to the outside IP.
Ping the outside IP, not the IP behind the NAT, because it is hidden; that is the job of NAT.
02-23-2022 06:16 AM
Hmm... I don't think the above will solve my problem. Here is the complete config:
Azure S2S VPN (10.20.20.0) <-> (5.6.7.8) <---IPSec--<-v
home ISP (1.2.3.4) <- home router (192.168.1.0) <- 5505 ASA (outside = 192.168.1.138, inside = 10.200.200.1)
^
MyMac (192.168.1.102)
I want to be able to connect (from my Mac, 192.168.1.102) directly to a host on the Azure network (10.20.20.0) without having to be on the 10.200.200.0 network. A host that is sitting on the inside network of the 5505 can connect directly to a 10.20.20.0 address via the IPsec tunnel. My quest is to be able to make this same connection directly from the 192.168.1.0 network. To do this, I will somehow have to route to the inside network of the ASA and then have the ASA route them over the IPsec tunnel. The trick is that I don't want to have to be hooked up to the 10.200.200.0 network from my Mac.
Thanks and Best Regards!
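Editor's added example (not posted by anyone in this thread, and not a known-good config from the original poster's lab): an ASA 8.3+/9.x style configuration that addresses the packet-tracer result above. Phase 3 drops on "Implicit Rule" because the outside interface (security level 0) has no inbound access-list, so the ASA's default policy denies traffic toward the higher-security inside interface. The object names, the ACL names (including AZURE_VPN_TRAFFIC standing in for whatever crypto ACL the tunnel already uses) and the /24 mask on the home LAN are assumptions; the addresses are the ones given in the thread. It implements the routed, no-NAT path the original poster asks for, rather than the static-NAT approach suggested in the reply.

```cisco
! --- Home router (192.168.1.1): point the ASA-side networks at the ASA outside address.
!     Syntax depends on the router; on Cisco IOS it would be:
!     ip route 10.200.200.0 255.255.255.0 192.168.1.138
!     ip route 10.20.20.0 255.255.255.0 192.168.1.138

! --- ASA: network objects (names are assumptions)
object network HOME_LAN
 subnet 192.168.1.0 255.255.255.0
object network ASA_INSIDE
 subnet 10.200.200.0 255.255.255.0
object network AZURE_LAN
 subnet 10.20.20.0 255.255.255.0

! --- Inbound ACL on outside. This is what the packet-tracer "Implicit Rule" drop is asking for.
!     Permit only the home LAN toward the two destination networks; tighten to specific
!     hosts/ports if the lab only needs, say, SSH to 10.200.200.5.
access-list OUTSIDE_IN extended permit ip object HOME_LAN object ASA_INSIDE
access-list OUTSIDE_IN extended permit ip object HOME_LAN object AZURE_LAN
access-group OUTSIDE_IN in interface outside

! --- Azure path: 10.20.20.0/24 is reached via the default route (home router), so home-LAN
!     traffic enters and leaves on the same interface and is then encrypted by the crypto map.
!     That U-turn must be allowed explicitly.
same-security-traffic permit intra-interface

! --- Identity NAT for the U-turn so an existing dynamic PAT on outside never rewrites the
!     home LAN source address before encryption (the Azure side must see 192.168.1.0/24).
nat (outside,outside) source static HOME_LAN HOME_LAN destination static AZURE_LAN AZURE_LAN no-proxy-arp route-lookup

! --- The tunnel's "interesting traffic" ACL must also match the home LAN (assumed name),
!     and the Azure local network gateway must list 192.168.1.0/24 as an on-premises prefix,
!     otherwise the selectors will not agree and the SA will not be negotiated for that pair.
access-list AZURE_VPN_TRAFFIC extended permit ip object HOME_LAN object AZURE_LAN

! --- Verify with packet-tracer (ICMP type 8 = echo request) before testing from the Mac.
!     packet-tracer input outside icmp 192.168.1.102 8 0 10.200.200.5
!     packet-tracer input outside icmp 192.168.1.102 8 0 10.20.20.5
```

Two things worth checking after applying this: the second packet-tracer run should show the NAT phase matching the identity rule and a final VPN encrypt phase rather than a plain route to the home router, and return traffic from Azure needs no extra ACL entry as long as `sysopt connection permit-vpn` (the ASA default) is still in effect. Keep the OUTSIDE_IN entries as narrow as the lab allows; an interface ACL on the outside is the only thing standing between the home LAN and the inside hosts once it exists.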