2825 Views, 0 Helpful, 4 Replies

How to Port Forward over a VPN?

robertpsitro
Level 1

I have one site in NY that is connected via L2L VPN to a data center. I also have one site in LA that is connected via L2L VPN to the same data center. How do I go about port forwarding traffic from the NY site to the LA site via the VPN tunnels to the data center?

4 Replies

Jennifer Halim
Cisco Employee

What do you mean by port forwarding from NY to LA?

Do you mean to say you would like to access LA site from NY, and vice versa through the VPN tunnel to the data center?

If that is the case, then you can add crypto ACLs for those sites as follows:

On NY VPN tunnel to Data Center:

- crypto ACL: source: NY subnet, destination: LA subnet

- NAT exemption: source: NY subnet, destination: LA subnet

On LA VPN tunnel to Data Center:

- crypto ACL: source: LA subnet, destination: NY subnet

- NAT exemption: source: LA subnet, destination: NY subnet

On Data Center VPN tunnel to NY:

- crypto ACL: source: LA subnet, destination: NY subnet

On Data Center VPN tunnel to LA:

- crypto ACL: source: NY subnet, destination: LA subnet

If you have ASA on your Data Center, then also add: same-security-traffic permit intra-interface

If 2 ports are needed for each service in NY and the same 2 ports in LA, could I use port forwarding though?

Not quite sure what you mean by 2 ports needed in NY and LA. Can you please explain?

mikull.kiznozki
Level 1

If my understanding is right, you have 2 tunnels.

NY---------L2L--------------DC

LA-----------L2L--------------DC

To route traffic from NY to LA using the DC ASA, do the below:

On the NY to DC L2L configs:

At NY: add the LA network as the remote network in the cry map

At DC: add the LA network as the local network in the cry map

On the LA to DC L2L configs:

At LA: add the NY network as the remote network in the cry map

At DC: add the NY network as the local network in the cry map

If you have no current VPN filters on both the L2L tunnel configs, the traffic from LA will hit NY thru the DC ASA.

PS: your NAT exemptions have to be perfect as well to achieve the above.

HTH

Oops, didn't see Jen's reply there. I basically repeated what she said. That would do it for you, Rob. No other fancy ports you need.
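The spoke-to-spoke-through-hub setup that both replies describe, written out as an added ASA configuration example (not from either poster). Subnets (NY 10.1.0.0/24, LA 10.2.0.0/24, DC 10.3.0.0/24), peer addresses, ACL and object names, crypto map name OUTSIDE_MAP, and ASA 8.3+ twice-NAT syntax for the exemptions are all assumptions; the existing DC-bound ACL lines are shown only so the added lines have context.

```cisco
! ===== NY ASA: L2L to DC (assumed subnets: NY 10.1.0.0/24, LA 10.2.0.0/24, DC 10.3.0.0/24)
object network NY-LAN
 subnet 10.1.0.0 255.255.255.0
object network LA-LAN
 subnet 10.2.0.0 255.255.255.0
object network DC-LAN
 subnet 10.3.0.0 255.255.255.0
! Crypto ACL: NY->DC already existed; NY->LA is added so it is encrypted toward the DC peer
access-list VPN-NY-DC extended permit ip object NY-LAN object DC-LAN
access-list VPN-NY-DC extended permit ip object NY-LAN object LA-LAN
! NAT exemption (8.3+ form, assumed): NY->LA must leave untranslated or it will not match the ACL
nat (inside,outside) source static NY-LAN NY-LAN destination static LA-LAN LA-LAN no-proxy-arp route-lookup
crypto map OUTSIDE_MAP 10 match address VPN-NY-DC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.30

! ===== LA ASA: mirror image toward DC (same three network objects defined as above)
access-list VPN-LA-DC extended permit ip object LA-LAN object DC-LAN
access-list VPN-LA-DC extended permit ip object LA-LAN object NY-LAN
nat (inside,outside) source static LA-LAN LA-LAN destination static NY-LAN NY-LAN no-proxy-arp route-lookup
crypto map OUTSIDE_MAP 10 match address VPN-LA-DC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.30

! ===== DC ASA: one crypto map entry per spoke (same three network objects defined as above)
! Entry 10, peer NY: the "local" side must also cover LA so LA->NY is proxied into the NY tunnel
access-list VPN-DC-NY extended permit ip object DC-LAN object NY-LAN
access-list VPN-DC-NY extended permit ip object LA-LAN object NY-LAN
crypto map OUTSIDE_MAP 10 match address VPN-DC-NY
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
! Entry 20, peer LA: likewise cover NY on the local side
access-list VPN-DC-LA extended permit ip object DC-LAN object LA-LAN
access-list VPN-DC-LA extended permit ip object NY-LAN object LA-LAN
crypto map OUTSIDE_MAP 20 match address VPN-DC-LA
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
! Hairpin: spoke traffic enters and leaves the same outside interface, which is denied by default
same-security-traffic permit intra-interface
! Only needed if an existing dynamic PAT rule would also match outside->outside flows (assumption)
nat (outside,outside) source static NY-LAN NY-LAN destination static LA-LAN LA-LAN
nat (outside,outside) source static LA-LAN LA-LAN destination static NY-LAN NY-LAN
```

The crypto ACL pairs must mirror each other exactly (NY's NY->LA line against DC's LA->NY line on the NY tunnel, and the same for LA), otherwise phase 2 fails with a proxy identity mismatch; `show crypto ipsec sa` on each ASA shows which local/remote identity pair actually negotiated.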