Hi all, I have an ASA with a WAN interface, inside interface, and an interface attached to a private T-1. I have multiple end points that must communicate from the inside interface to the T-1 via static 1-to-1 NATs but still be able to connect out the WAN interface with PAT. The WAN PAT works fine, but the 1-to-1 NATs aren't working. I have configured 1-to-1 NATs from the inside to T-1 interfaces (and vice versa) and allowed IP and ICMP traffic through ACLs, but no traffic is flowing. I also added routes to the remote networks out the T-1 interface. I feel as if I am close but missing a step here. I don't know if it matters, but the NAT outside addresses do not exist in any network segment on my end and are different than the interface address; the router on the other end just has a static route to forward the outside network addresses to my T-1 interface. Any help is appreciated!
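For reference, here is a worked configuration for the setup described in the post above. It is an added example, not the poster's configuration, and it assumes ASA 8.3 or later NAT syntax, interfaces named inside, outside (the WAN) and t1, and constructed addresses: 10.1.1.0/24 inside, 10.99.0.0/16 behind the remote T-1 router, 198.51.100.0/30 on the T-1 link itself, and 192.0.2.0/24 as the mapped 1-to-1 space that, as in the post, lives on no local segment. The two points that most often break this design are the ordering of the 1-to-1 rule ahead of the PAT rule, and the fact that on 8.3+ the interface ACL must match the real inside address rather than the mapped one.

```cisco
! Added example (ASA 8.3+), constructed addresses; adapt names and subnets to your own.
object network INSIDE_HOST_A
 host 10.1.1.10
object network T1_MAPPED_HOST_A
 host 192.0.2.10
object network T1_REMOTE_NET
 subnet 10.99.0.0 255.255.0.0
!
! Section 1 (manual NAT) is evaluated first: host A is translated 1-to-1
! only when talking to the remote network reachable over the T-1.
nat (inside,t1) source static INSIDE_HOST_A T1_MAPPED_HOST_A destination static T1_REMOTE_NET T1_REMOTE_NET
!
! Section 2 (object NAT) handles everything else: PAT to the WAN interface address.
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Route for the remote network out the T-1 interface (next hop is the far router).
route t1 10.99.0.0 255.255.0.0 198.51.100.2 1
!
! Inbound ACL on t1: on 8.3+ ACLs match the REAL (untranslated) inside address,
! so permit the remote network to INSIDE_HOST_A, not to the 192.0.2.x mapped address.
access-list T1_IN extended permit ip object T1_REMOTE_NET object INSIDE_HOST_A
access-list T1_IN extended permit icmp object T1_REMOTE_NET object INSIDE_HOST_A
access-group T1_IN in interface t1
!
! Verification: confirm the rule that matched and the egress interface chosen.
! packet-tracer input inside icmp 10.1.1.10 8 0 10.99.1.1
! show nat detail
! show xlate
```

The packet-tracer output is the quickest way to see which phase drops the flow: if it stops at the NAT phase the rule order or interface pair is wrong, if it stops at the ACL phase the access list is most likely written against the mapped address instead of the real one. Repeat the object pair and the manual NAT line once per inside endpoint that needs its own 1-to-1 mapping.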
Hi all, I have two locations (Locations A and B) over which data is being pushed via a redundant (via HSRP) point-to-point IPSec tunneled microwave hop and an IPSec tunneled leased fiber run. At location A there are two WAN connections; one is to the Internet, and the other is a secure T1 that transmits sensitive data to a third party. Data from both of these WAN connections is being sent over the point-to-point microwave/fiber hops to Location B and then exiting out separate interfaces on the router. One interface takes the sensitive data only, and the other interface is to a corporate network with Internet access. Is there a potential security issue with having both the sensitive data from the secure T1 and the Internet data to the corporate network traveling over the same point-to-point network? There are substantial defense-in-depth security measures in Location B on the secure network, so I am not worried about the corporate traffic accidentally making it to the secure network. Also, at Location A there are substantial defense-in-depth security measures where the WANs come into our network, and the point-to-point microwave and fiber hops are internal. If someone on the Location B corporate network gets a compromised workstation, is there a potential of the point-to-point sensitive traffic being sniffed/modified/disrupted? If there is, is it possible to set up 2 point-to-point VLANs within the microwave and fiber hops and separate out the traffic from each WAN connection (e.g. sensitive traffic from T1 uses VLAN 1 network, and Internet traffic uses VLAN 2 network), or will this just add confusion to EIGRP routing if I configure 2 point-to-point networks but restrict access to one from specific traffic? For instance, will EIGRP see 2 routes as up and available and use only 1 route to push all traffic across and not know that traffic from the Internet is being blocked and therefore never reaches its destination?
I hope I have been somewhat clear with my description, and any help would be greatly appreciated.
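One way to carry the two traffic classes over the same hops without the EIGRP ambiguity raised in the post is to keep them in separate routing tables rather than only separate VLANs: a dot1Q subinterface per class, with the sensitive one placed in its own VRF and its own EIGRP instance. EIGRP in each table then only ever sees the links that belong to that table, so there is no "second route" for corporate traffic to be steered onto and then blocked. The following is an added example for the Location A side in IOS named-mode EIGRP syntax; it is not the poster's configuration, and the interface names, VLAN IDs, VRF name, autonomous-system numbers and 10.10.10.0/30 and 10.20.20.0/30 link addresses are all constructed. The fiber hop would get a matching pair of subinterfaces.

```cisco
! Added example (IOS, VRF-lite), constructed names and addresses.
vrf definition SENSITIVE
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/1
 description Microwave hop trunk toward Location B
 no ip address
!
interface GigabitEthernet0/1.10
 description VLAN 10: corporate / Internet traffic (global routing table)
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet0/1.20
 description VLAN 20: sensitive T1 traffic (isolated routing table)
 encapsulation dot1Q 20
 vrf forwarding SENSITIVE
 ip address 10.20.20.1 255.255.255.252
!
! Two EIGRP instances: the global one never learns the VRF links and vice versa,
! so neither table can select the other class's VLAN as a path.
router eigrp CORP
 address-family ipv4 unicast autonomous-system 100
  network 10.10.10.0 0.0.0.3
 exit-address-family
 address-family ipv4 unicast vrf SENSITIVE autonomous-system 200
  network 10.20.20.0 0.0.0.3
 exit-address-family
!
! Verification: each table should show only its own neighbor and routes.
! show ip eigrp neighbors
! show ip eigrp vrf SENSITIVE neighbors
! show ip route vrf SENSITIVE
```

This separates routing, but it does not by itself address the sniffing concern from the post: a compromised host on the corporate VLAN still shares the physical hop, so the existing IPSec tunnel on the hop (or a separate tunnel per VRF) remains the control that protects confidentiality and integrity, and the VRF split is the control that removes the routing ambiguity and the accidental-leak path.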