05-03-2017 05:41 PM
Hi Experts,
We are in the process of migrating from a SolarWinds monitoring system on a Windows OS to a Linux-based one. This system is monitoring a number of devices on a remote site over a VPN, and we don't have control of the far-end VPN peer.
It was easy to just take the IP address of the old Windows box and use it on the new Linux box. However, we still need RDP access to the remote devices it was monitoring. The tunnel is configured as a host-only source for the monitoring server to the remote subnet. My question is how can I make this work through NAT, since we don't control the VPN peer on the far end to add another IP in the encryption domain?
ASA 5545 version 9.4(2)6
The encryption ACL looks like this:
access-list monitoring extended permit ip host 10.1.1.10 192.168.1.0 255.255.255.0
So basically the old monitoring server is 10.1.1.10. We gave that IP to the Linux server, and gave the old monitoring server the IP 10.1.1.20.
I applied a dynamic nat:
nat (inside,outside) 123 source dynamic obj-10.1.1.20 obj-10.1.1.10 destination static Remote-Subnet
With that NAT, I am able to reach the remote subnet from 10.1.1.10 and 10.1.1.20. However, my SNMP traps from the remote network are not arriving on the actual 10.1.1.10 Linux server. The traffic sourced from the remote network is not getting to the actual 10.1.1.10 device.
05-05-2017 08:32 AM
Hi Robert,
You are trying manual NAT for this 10.1.1.20 IP which is the most preferable. Try the following statements:-
nat (inside,outside) 10 source dynamic obj-10.1.1.10 obj-10.1.1.10 destination static Remote-Subnet Remote-Subnet
nat after-auto 123 source dynamic obj-10.1.1.20 obj-10.1.1.10 destination static Remote-Subnet Remote-Subnet
Please rate if this is helpful.
05-05-2017 06:23 PM
Thank you Sing!
It worked, though I had to use static source on the line translating 10.1.1.10 for me to be able to receive the traps sent from the remote network. And for some reason ping is not working for 10.1.1.20, but I'm able to RDP to the remote devices from 10.1.1.20. Ping only works if sourced from 10.1.1.10.
Command used as ASDM entered.
nat (inside,outside) 123 source static obj-10.1.1.10 obj-10.1.1.10 destination static Remote-Subnet Remote-Subnet
nat (inside,outside) after-auto 10 source dynamic obj-10.1.1.20 obj-10.1.1.10 destination static Remote-Subnet Remote-Subnet
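An added example, not part of any post in this thread: a small Python check that parses manual NAT lines like the ones above and reports whether a host that must receive unsolicited traffic (here the SNMP trap receiver) has a static source rule. It assumes, following what the thread reports, that only a static source rule lets remote-initiated traffic reach the host; ordering rules by the written line number and the status names are simplifications chosen for this example.

```python
import re

# Manual NAT line as written in the thread; interface pair and line number are optional.
NAT_RE = re.compile(
    r"^nat\s+(?:\((?P<ifc>[^)]+)\)\s+)?(?P<after>after-auto\s+)?(?P<line>\d+\s+)?"
    r"source\s+(?P<kind>static|dynamic)\s+(?P<real>\S+)\s+(?P<mapped>\S+)"
)

# The three rule sets from the thread (object names as posted).
ORIGINAL = """
nat (inside,outside) 123 source dynamic obj-10.1.1.20 obj-10.1.1.10 destination static Remote-Subnet
"""
SUGGESTED = """
nat (inside,outside) 10 source dynamic obj-10.1.1.10 obj-10.1.1.10 destination static Remote-Subnet Remote-Subnet
nat after-auto 123 source dynamic obj-10.1.1.20 obj-10.1.1.10 destination static Remote-Subnet Remote-Subnet
"""
FINAL = """
nat (inside,outside) 123 source static obj-10.1.1.10 obj-10.1.1.10 destination static Remote-Subnet Remote-Subnet
nat (inside,outside) after-auto 10 source dynamic obj-10.1.1.20 obj-10.1.1.10 destination static Remote-Subnet Remote-Subnet
"""

def parse_nat(config):
    """Return manual NAT rules ordered section 1 first, then after-auto."""
    rules = []
    for pos, text in enumerate(config.strip().splitlines()):
        m = NAT_RE.match(text.strip())
        if not m:
            continue  # not a manual NAT line
        rules.append({
            "section": 3 if m["after"] else 1,
            # Assumption: sort by written line number; unnumbered rules keep input order.
            "line": int(m["line"]) if m["line"] else 10**6 + pos,
            "kind": m["kind"], "real": m["real"], "mapped": m["mapped"],
        })
    return sorted(rules, key=lambda r: (r["section"], r["line"]))

def inbound_status(rules, host_obj):
    """Classify whether remote-initiated traffic (e.g. SNMP traps) can reach host_obj."""
    for r in rules:  # first rule whose real source is the host decides
        if r["real"] == host_obj:
            return "ok" if r["kind"] == "static" else "blocked-dynamic"
    # No rule of its own: is its address only used as another host's dynamic mapping?
    if any(r["mapped"] == host_obj and r["kind"] == "dynamic" for r in rules):
        return "shadowed"
    return "no-rule"

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED), ("final", FINAL)):
        print(name, inbound_status(parse_nat(cfg), "obj-10.1.1.10"))
```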