Hi,
I'm trying to configure routing of traffic received through a VPN tunnel over a link to a third-party network on my ASA 5520 running software version 8.4. I'm not very familiar with Cisco router/firewall configuration though I'm fairly comfortable with general networking concepts so I'd really appreciate any help in steering me in the right direction.
The setup is pictured in the attached diagram, and the key networks involved are:
- Local hosts network - 10.127.0.0/16
- Remote hosts network - 10.126.0.0/16
- 3rd party router subnet - 10.1.254.0/29
- 3rd party remote public network - 1.2.3.0/24 (real IPs redacted)
The setup has the objective of routing traffic between 2 hosts on the 10.126.0.0/16 network (10.126.12.2 and 10.126.12.3) and the partner's network of public IPs, but requiring that the traffic is first NATed to specific IPs in the 10.1.254.0/29 network (10.1.254.3 and 10.1.254.4 respectively) before being sent to the partner router via a static route on the ASA.
Additional background information:
This setup used to work with 2 hosts in the local network (10.127.2.68 and 10.127.2.69), but this now needs to be migrated to the remote hosts in AWS. I have already attempted simply replacing those hosts with the equivalent AWS hosts in the NAT rules and ACLs, but this doesn't appear to be working.
Current setup:
- The IPsec VPN is working and traffic is successfully passing between the inside interface on the ASA and the AWS subnet
- The ASA has a route directing all traffic bound for the partner's public IPs to use the partner router as next hop
- The partner is sending traffic bound for the hosts in AWS towards the 10.1.254.3 and 10.1.254.4 IPs, and the ASA is performing proxy ARP for both of these IPs
- There are NAT rules in place to translate the remote AWS hosts to the NATed IPs
Not working:
- Traffic is not currently making it all the way from the AWS subnet to the partner network or vice versa
Please could anyone assist in guiding me on what NAT rules should actually be set up, on which interfaces, and which ACLs might be required as well in order to achieve the objective?
I have tried to provide as much information as I believe is relevant but if due to my Cisco ignorance I have left anything out, please let me know and I will do my best to provide it.
Thanks!
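For reference, an added example of how the translation described in the post could be expressed in ASA 8.4 syntax. This is not the poster's configuration; the interface names "outside" and "partner", the partner next-hop address 10.1.254.1 and the ACL name are assumptions.

```cisco
! Assumed interface names: "outside" terminates the AWS IPsec tunnel,
! "partner" faces the 10.1.254.0/29 link. The next hop 10.1.254.1 and
! the ACL name are placeholders; substitute the values from your setup.
object network AWS-HOST-1
 host 10.126.12.2
object network AWS-HOST-2
 host 10.126.12.3
object network AWS-HOST-1-NAT
 host 10.1.254.3
object network AWS-HOST-2-NAT
 host 10.1.254.4
object network PARTNER-PUBLIC
 subnet 1.2.3.0 255.255.255.0
!
! Manual (twice) NAT scoped to the partner destination, so the real
! 10.126.x addresses are translated only on the partner path and the
! identity (no-NAT) rule protecting the VPN traffic is left untouched.
! Inbound from the partner, the ASA untranslates 10.1.254.3/.4 back to
! the real hosts and proxy-ARPs for the mapped addresses on "partner".
nat (outside,partner) source static AWS-HOST-1 AWS-HOST-1-NAT destination static PARTNER-PUBLIC PARTNER-PUBLIC
nat (outside,partner) source static AWS-HOST-2 AWS-HOST-2-NAT destination static PARTNER-PUBLIC PARTNER-PUBLIC
!
! Partner router as next hop for the partner public range.
route partner 1.2.3.0 255.255.255.0 10.1.254.1 1
!
! Interface ACLs on 8.3+ match real (untranslated) addresses, so the
! partner-facing ACL permits the partner range to the real AWS hosts.
access-list partner_access_in extended permit ip object PARTNER-PUBLIC object AWS-HOST-1
access-list partner_access_in extended permit ip object PARTNER-PUBLIC object AWS-HOST-2
access-group partner_access_in in interface partner
!
! The tunnel's crypto ACL (and its mirror on the AWS side) must also
! cover 1.2.3.0/24 <-> the AWS hosts, or this traffic never enters the
! tunnel. If the partner router sits on the same interface as the VPN,
! hairpinning additionally requires:
! same-security-traffic permit intra-interface
```

With the tunnel up, `packet-tracer input partner tcp 1.2.3.10 1024 10.1.254.3 443` (and the reverse direction on `outside` from 10.126.12.2) shows which NAT rule, ACL and route each flow hits, which is the quickest way to find the stage at which the traffic is dropped.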