02-07-2014 03:23 AM - edited 03-04-2019 10:16 PM
Hello,
I have the following scenario on which I would like to have your insights.
Incoming traffic:
Outgoing traffic:
The problem I am having is that the network/subnet between the ASA and the routers (coloured lines) use the public IP addresses of the VPN router.
Hence the outgoing traffic from ASA to the mail router is getting lost in the middle.
Can anyone share their opinion on this? How can I make the outgoing emails go through?
Thanks
V
02-07-2014 05:16 AM
V
You said you were using PBR on the VPN router, so I would have thought the return mail traffic gets to the VPN router (because that is the default route on the ASA) and then you use PBR to send it back to the mail router.
Is this not happening?
Jon
02-07-2014 07:35 AM
Hello Jon,
Thanks for your answer.
All the routers have LAN interfaces configured in the public ip subnet of the VPN router.
The incoming mails are hitting the mail router and are correctly directed in (NATed on ASA).
I believe that the outgoing mails are being routed to the VPN router (default route), but there, since the LAN interface of the mail router is in the public IP range of the VPN router, the traffic is getting lost. Result = no outgoing mail.
On the other hand, the PBR is working fine for the internet (outgoing requests).
Incoming requests to the web server are also OK. I think these are stateful and ASA knows where to return HTTP/HTTPS requests.
I do not know if I am explaining well ...
This is a last resort scenario. In fact, I tried to put the VPN router on another interface on the firewall. Since the default route of the ASA was then the mail router, VPN traffic would come in through the VPN router but try to return out the mail router.
A default route with the "tunneled" keyword out the VPN router only for VPN traffic also did not help.
Which of the two scenarios is feasible according to you?
Thanks lots
Vijen
02-07-2014 08:04 AM
Vijen
I believe that the outgoing mails are being routed to the VPN router (default route), but there, since the LAN interface of the mail router is in the public IP range of the VPN router, the traffic is getting lost. Result = no outgoing mail.
Perhaps some IP addressing would help, but I don't see how the above is a problem, i.e.
1) the mail server private IP address when going to the internet is changed to a public IP.
2) on the VPN router you use PBR to match that public IP as the source IP in an ACL and redirect it to the mail router, i.e. back out of the same interface.
Whether the VPN router will do this, i.e. redirect back out of the same interface, is not definite; I have seen it work and also not work.
Jon
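An added illustration of the two steps Jon lists (static NAT for the mail server on the ASA, then PBR on the VPN router matching that public source address). This is not configuration from the thread or from either poster; every address, object name and interface name below is a constructed placeholder using RFC 5737 documentation ranges, and the inside/outside interface names are assumed.

```cisco
! Added illustration of the two-step suggestion above (not configuration from the thread).
! All addresses are constructed RFC 5737 documentation addresses, not the poster's.
!
! --- ASA: static NAT for the mail server (ASA 8.3+ object NAT syntax) ---
! Inside mail server 10.0.0.25 is translated to public 203.0.113.25 in both
! directions, so outbound SMTP leaves the ASA with 203.0.113.25 as its source.
object network MAIL-SERVER
 host 10.0.0.25
 nat (inside,outside) static 203.0.113.25
!
! Expose only SMTP to the mail server; no other inbound traffic is permitted.
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER eq smtp
access-group OUTSIDE-IN in interface outside
!
! Default route toward the VPN router, the ASA's next hop on the shared segment.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! --- VPN router (IOS): PBR that hands mail traffic back to the mail router ---
! Match only the mail server's public (translated) source address.
ip access-list extended MAIL-OUT
 permit ip host 203.0.113.25 any
!
! Redirect matching packets to the mail router's LAN address (203.0.113.2),
! which sits on the same interface the packet arrived on.
route-map PBR-MAIL permit 10
 match ip address MAIL-OUT
 set ip next-hop 203.0.113.2
!
! Apply the policy on the LAN-facing interface. ICMP redirects are disabled
! because the next hop is back out the ingress interface; traffic that does
! not match the ACL keeps following the normal routing table.
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 no ip redirects
 ip policy route-map PBR-MAIL
```

To confirm the policy is actually being hit, `show route-map PBR-MAIL` on the VPN router reports packet and byte counters per route-map entry, and on the ASA `packet-tracer input inside tcp 10.0.0.25 1025 198.51.100.10 25` walks an outbound SMTP flow through NAT, ACL and routing so you can see which translated source address and egress interface it ends up with. Jon's caveat still stands: whether the router will send a packet back out the interface it arrived on is platform-dependent, so check the counters rather than assuming it.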
02-07-2014 08:12 AM
Jon
Thanks for your help. So the fact that the LAN interfaces of the routers are public should not be a problem. Hummm
I will hence re-check the configuration on client's site and update this thread.
I was worried that the return traffic was being lost in the other public IP range since ...errr... it's public
Regarding the other scenario where the "tunnelled" keyword is used for another default route to the VPN router (which is on a separate interface on the ASA).
Do you think that's plausible?
Cordially,
Vijen