12-11-2013 06:47 PM
Hi,
I have a tunnel between our office and colocation facility. All external http/s traffic enters the firewall in our office. I need to redirect http traffic entering the outside of the office ASA to the webserver located in the colo over the existing tunnel. Any help is appreciated. I am running 8.2(2) code.
Thanks,
Bill
12-12-2013 01:33 AM
Hi,
So you want to host a Web server running at a remote location through the main site using an existing L2L VPN connection?
I would imagine the first thing you need is to configure Static NAT or Static PAT for your remote location's server. You should also confirm that you have the setting that enables Hairpinning / U-turn on the "outside" interface.
same-security-traffic permit intra-interface
static (outside,outside)
static (outside,outside) tcp
static (outside,outside) tcp
The above options would do a Static NAT or Static PAT for the server located behind the L2L VPN connection
I am not sure whether you are planning to use the "outside" interface IP address with Static PAT (Port Forward) or Static NAT with a public IP address that will be dedicated for this server. You should take into consideration that if you use the ASA interface public IP address then the ASA by default uses the port TCP/443 for SSL VPN and ASDM management.
You would also require a Dynamic Policy PAT configuration. You should PAT all the traffic coming from the Internet to a single IP address before it heads through the L2L VPN so that you won't have to forward all of the server's external traffic through the L2L VPN. The IP address to which you PAT the traffic coming from the Internet could be an IP address configured on the L2L VPN already. For example, an unused local IP address from the main site's LAN network that currently uses the L2L VPN.
access-list REMOTE-WEB-POLICYPAT remark Dynamic Policy PAT for remote Web server
access-list REMOTE-WEB-POLICYPAT permit tcp any host
access-list REMOTE-WEB-POLICYPAT permit tcp any host
nat (outside) 200 access-list REMOTE-WEB-POLICYPAT
global (outside) 200
The above NAT configuration would do Dynamic PAT for all the Internet source addresses that were contacting the NAT IP address we previously configured for the remote server.
To my understanding the above are the basic things needed to achieve this. One main thing to remember is that after the source address has been translated (Dynamic Policy PAT) and the destination address has been untranslated (Static NAT or Static PAT), they have to match the current L2L VPN encryption domain. So make sure the L2L VPN configurations allow this traffic to be tunneled.
Some of this naturally depends on your current setup/configuration, which we don't know.
- Jouni
04-05-2014 04:35 PM
Hi Jouni,
I created the attached configuration plan based on your config details and some other documentation I pulled from the web.
Can you please take a brief look at my configuration details and see if there is something visibly wrong here?
I added all configurations, and in the end I received the following error:
global address overlaps with mask
Here is a snippet of my ssh session:
ASA# conf t
ASA(config)#same-security-traffic permit intra-interface (Note: Already existed, just placed here for reference)
ASA(config)#access-list COLO2OFFICENAT-1 extended permit ip 192.168.79.0 255.255.255.0 host 67.248.74.65
ASA(config)#access-list COLO2OFFICENAT-2 extended permit ip 192.168.79.0 255.255.255.0 host 209.177.206.151
ASA(config)# static (outside,outside) 209.177.206.151 access-list COLO2OFFICENAT-1
global address overlaps with mask
ASA(config)# static (outside,outside) 209.177.206.151 access-list COLO2OFFICENAT-2
global address overlaps with mask
ASA(config)#
ASA(config)# sh log | inc 67.248.74.65
Mar 25 2014 19:05:45: %ASA-6-302013: Built inbound TCP connection 86533163 for outside:192.168.79.200/54564 (192.168.79.200/54564) to outside:67.248.74.65/443 (67.248.74.65/443)
Mar 25 2014 19:05:54: %ASA-6-302014: Teardown TCP connection 86532834 for outside:192.168.79.200/54551 to outside:67.248.74.65/443 duration 0:00:30 bytes 0 SYN Timeout
Mar 25 2014 19:05:54: %ASA-6-302014: Teardown TCP connection 86532835 for outside:192.168.79.200/54552 to outside:67.248.74.65/443 duration 0:00:30 bytes 0 SYN Timeout
Mar 25 2014 19:06:15: %ASA-6-302014: Teardown TCP connection 86533163 for outside:192.168.79.200/54564 to outside:67.248.74.65/443 duration 0:00:30 bytes 0 SYN Timeout
ASA(config)#
From packet captures, I am able to see traffic arriving at SITE B, from SITE A.
However, the traffic does not get translated to the Global NAT [209.177.206.151] after it arrives, which is required in order to pass to Site C.
Config details from Site B are noted below, if you have any suggestions, your help is much appreciated!
Thanks,
Ecanyon
Below is some of the config data from Site B
ASA Version 8.2(5)
!
Interfaces
----------
interface GigabitEthernet0/0
description Outside Interface
duplex full
nameif outside
security-level 0
ip address 209.177.206.15 255.255.255.0
!
interface GigabitEthernet0/1
description Inside Network (192.168.229.0/24)
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.229.1 255.255.255.0
!
Elements
--------
object-group network COLO_IPs
network-object host 67.248.74.65
network-object host 67.248.74.68
network-object host 67.248.74.69
network-object host 67.248.74.70
network-object host 67.248.74.71
network-object host 67.248.74.59
ACLs
----
access-list inside-no-nat extended permit ip 192.168.229.0 255.255.255.0 192.168.79.0 255.255.255.0
access-list inside-no-nat extended permit ip 192.168.79.0 255.255.255.0 object-group COLO_IPs
access-list ENCDOM100 extended permit ip 192.168.229.0 255.255.255.0 192.168.79.0 255.255.255.0
access-list ENCDOM100 extended permit ip object-group COLO_IPs 192.168.79.0 255.255.255.0
access-list ENCDOM101 remark Site B connectivity to Site C
access-list ENCDOM101 extended permit ip host 209.177.206.151 object-group COLO_IPs
access-list COLO2OFFICENAT-1 extended permit ip 192.168.79.0 255.255.255.0 host 67.248.74.65
access-list COLO2OFFICENAT-2 extended permit ip 192.168.79.0 255.255.255.0 host 209.177.206.151
NATs/Routes
-----------
global (outside) 1 209.177.206.151 netmask 255.0.0.0
nat (inside) 0 access-list inside-no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 209.177.206.254 1
Site A Peer
-----------
crypto map outside_map 29 match address ENCDOM100
crypto map outside_map 29 set peer 64.190.206.98
Colo Peer
--------
crypto map outside_map 87 match address ENCDOM101
crypto map outside_map 87 set peer 67.248.74.61
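Added example, not code from any poster in this thread: a small Python checker for the %ASA-6-302013/302014 syslog lines quoted above. It assumes the ASA logging convention that the address in parentheses in a 302013 message is the mapped (post-NAT) address, so "real == mapped" means no translation was applied on that side; the first three sample lines are the ones from the thread, the last two are constructed for contrast.

```python
import re

# Constructed sample: the three 302013/302014 lines quoted in the thread,
# plus two made-up lines for a connection whose source DID get PATed to
# 209.177.206.151 and completed normally (not from the page).
SAMPLE_LOG = """\
Mar 25 2014 19:05:45: %ASA-6-302013: Built inbound TCP connection 86533163 for outside:192.168.79.200/54564 (192.168.79.200/54564) to outside:67.248.74.65/443 (67.248.74.65/443)
Mar 25 2014 19:05:54: %ASA-6-302014: Teardown TCP connection 86532834 for outside:192.168.79.200/54551 to outside:67.248.74.65/443 duration 0:00:30 bytes 0 SYN Timeout
Mar 25 2014 19:06:15: %ASA-6-302014: Teardown TCP connection 86533163 for outside:192.168.79.200/54564 to outside:67.248.74.65/443 duration 0:00:30 bytes 0 SYN Timeout
Mar 25 2014 19:07:01: %ASA-6-302013: Built inbound TCP connection 86533900 for outside:192.168.79.200/54600 (209.177.206.151/54600) to outside:67.248.74.65/443 (67.248.74.65/443)
Mar 25 2014 19:07:05: %ASA-6-302014: Teardown TCP connection 86533900 for outside:192.168.79.200/54600 to outside:67.248.74.65/443 duration 0:00:04 bytes 5120 TCP FINs
"""

BUILT = re.compile(
    r"%ASA-6-302013: Built \w+ TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<src>[\d.]+)/\d+ \((?P<msrc>[\d.]+)/\d+\) to "
    r"(?P<dif>\w+):(?P<dst>[\d.]+)/\d+ \((?P<mdst>[\d.]+)/\d+\)")
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for .*? "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$")

def analyse(log: str) -> dict:
    """Pair build (302013) and teardown (302014) records by connection id.

    Real address != mapped address on a side means a NAT rule was applied
    there. A teardown with 'SYN Timeout' and 0 bytes means the SYN left the
    ASA and nothing ever came back.
    """
    conns = {}
    for line in log.splitlines():
        m = BUILT.search(line)
        if m:
            c = conns.setdefault(m["id"], {})
            c["hairpin"] = m["sif"] == m["dif"]           # outside -> outside
            c["source_nat_applied"] = m["src"] != m["msrc"]
            c["dest_nat_applied"] = m["dst"] != m["mdst"]
            continue
        m = TEARDOWN.search(line)
        if m:
            c = conns.setdefault(m["id"], {})
            c["syn_timeout"] = (m["reason"].startswith("SYN Timeout")
                                and int(m["bytes"]) == 0)
    for c in conns.values():
        for k in ("hairpin", "source_nat_applied", "dest_nat_applied", "syn_timeout"):
            c.setdefault(k, None)   # only one half of the pair was in the log
    return conns

def untranslated_syn_failures(log: str) -> list:
    """Ids of hairpinned connections whose source was never translated and
    which died on SYN timeout: the symptom reported in the thread."""
    return sorted(cid for cid, c in analyse(log).items()
                  if c["hairpin"] and c["source_nat_applied"] is False
                  and c["syn_timeout"])
```

Run it over `show logging` output filtered on the server address; any id it returns is a connection that was hairpinned on outside but hit no policy PAT, so the packet rode into the tunnel (or was dropped) with its original source and never saw a reply.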
04-05-2014 08:46 AM
See below