12-19-2020 05:52 AM
Hi colleagues
I need your support on this scenario. I have made a site-to-site IPsec VPN configuration with a remote office. This office sends some traffic to a specific system (system A) in my network which has IP 192.168.1.30, and I want this traffic to go through another system (system B, IP 172.10.110.27), so this system will receive the traffic from the remote office and send it to system A, then receive the reply from system A and send it back to the FW where the VPN configuration is done. But I need all of this to happen transparently, so the remote office just sends to system A's IP without making any modification or knowing about this change.
I tried to configure destination NAT on the incoming interface (NAT source IP: remote office host IP, destination IP: 192.168.1.30, translated destination: 172.10.100.27). Everything goes smoothly, but on the return, when system B sends the reply that it received from A to the remote office, the routing happens and IPsec encapsulation is done before NAT (the source IP is not changed to be system A, 192.168.1.30), so it gets the SPI related to 172.10.100.27, not the desired one for 192.168.1.30.
At the remote office they received the packet with the desired IP details (source IP: 192.168.1.30, destination IP: remote office host IP) but with a different SPI that does not belong to the source subnet in the VPN ACL.
Can you help to solve this issue?
12-19-2020 04:12 PM
I thought about this issue the last two days.
OK,
let's make one change:
we will configure NAT on router A.
This makes
User - ASA - router A - Server A
Now the return:
Server B - Router B - Router A (NAT to same IP) - ASA - User
Here the ASA sees traffic coming from router A's IP and server B is hidden behind the NAT, and hence the ASA uses the same IPsec proxy SPI and there is no problem.
Try this way.
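To make the order-of-operations point in the accepted answer concrete, here is a small model of the two return paths. It is an added example, not code from the thread or from Cisco; it assumes that the ASA's crypto-ACL lookup sees the reply as it arrives on the inside interface (before the reverse of the inbound destination NAT rewrites the source), that the remote peer drops a decapsulated packet whose inner addresses fall outside the SA's proxy identity, and it uses an assumed remote host address (10.50.0.10) and an assumed second crypto-ACL line for 172.10.100.0/24 to reproduce the "SPI related to 172.10.100.27" symptom the original post describes.

```python
"""Toy model of crypto-ACL (proxy identity) selection vs. NAT order on the return path.

Added example, not from the thread. Assumptions: REMOTE_HOST, the 172.10.100.0/24
crypto-ACL entry, and the simplified ASA/remote-peer behaviour modelled below.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

IPv4 = ipaddress.IPv4Address

REMOTE_HOST = ipaddress.ip_address("10.50.0.10")     # assumed remote-office host
SYSTEM_A = ipaddress.ip_address("192.168.1.30")      # from the post
SYSTEM_B = ipaddress.ip_address("172.10.100.27")     # from the post


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4


@dataclass(frozen=True)
class ProxyIdentity:
    """One crypto-ACL line; each line negotiates its own IPsec SA (and SPI pair)."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

    def covers(self, pkt: Packet) -> bool:
        return pkt.src in self.local and pkt.dst in self.remote


# Crypto ACL on the ASA. The second line is an assumption used to reproduce the symptom.
CRYPTO_ACL = [
    ProxyIdentity("SA-192.168.1.0", ipaddress.ip_network("192.168.1.0/24"),
                  ipaddress.ip_network("10.50.0.0/24")),
    ProxyIdentity("SA-172.10.100.0", ipaddress.ip_network("172.10.100.0/24"),
                  ipaddress.ip_network("10.50.0.0/24")),
]


def lookup_sa(pkt: Packet) -> Optional[ProxyIdentity]:
    """First crypto-ACL line whose selector covers the packet as the ASA sees it."""
    return next((entry for entry in CRYPTO_ACL if entry.covers(pkt)), None)


def asa_egress(pkt: Packet, untranslate: Dict[IPv4, IPv4]) -> Tuple[Optional[ProxyIdentity], Packet]:
    """Modelled ASA egress: pick the SA on the packet as received, THEN apply the reverse
    of the inbound destination NAT (system B -> system A) to the inner source, then ESP."""
    sa = lookup_sa(pkt)
    inner = replace(pkt, src=untranslate.get(pkt.src, pkt.src))
    return sa, inner


def remote_accepts(sa: Optional[ProxyIdentity], inner: Packet) -> bool:
    """Remote peer after decapsulation: inner addresses must match the SA's negotiated
    selector (its 'remote' is our 'local', so the check is written from our side)."""
    return sa is not None and inner.src in sa.local and inner.dst in sa.remote


def return_path(nat_on_router_a: bool) -> Tuple[Optional[str], str, bool]:
    """Reply from system B to the remote host; returns (SA name, inner source, accepted?)."""
    reply = Packet(SYSTEM_B, REMOTE_HOST)
    if nat_on_router_a:
        # Accepted answer: router A hides system B behind system A's address before the ASA.
        reply = replace(reply, src=SYSTEM_A)
        untranslate: Dict[IPv4, IPv4] = {}            # no NAT left on the ASA
    else:
        # Original design: the ASA holds the destination-NAT xlate and undoes it on egress.
        untranslate = {SYSTEM_B: SYSTEM_A}
    sa, inner = asa_egress(reply, untranslate)
    return (sa.name if sa else None, str(inner.src), remote_accepts(sa, inner))


if __name__ == "__main__":
    for fixed in (False, True):
        sa_name, inner_src, ok = return_path(fixed)
        print(f"NAT on router A={fixed}: SA={sa_name}, inner src={inner_src}, remote accepts={ok}")
```

Without the router-A NAT the ASA selects the SA for 172.10.100.0/24 and only afterwards rewrites the inner source to 192.168.1.30, so the remote peer sees the right addresses under the wrong SPI and discards the packet; with the translation done upstream of the ASA, the lookup and the inner header agree.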
12-19-2020 10:56 AM
As per my understanding, you already have the same post running; I cannot remember the number.
You need to be sure your traffic flows that way for this to work. You cannot have it sent to one IP address and another IP respond, since that will be detected in the FW and dropped.
Is the path outside --- system --- system B (flow back system B - system A --- outside), not the other way around?
12-19-2020 11:05 AM
But I thought that using NAT I can change the source IP to be system A instead of system B, so the remote office sees the same system respond (the remote office sends to system A and system A responds, because NAT is used to restore the correct packet format).
12-20-2020 02:22 AM
As mentioned, we are still not clear what exactly you are trying to do here; we only suggested based on the information.
You do have overlapping IP addresses between sites, so you need to mitigate with a different NAT IP address in the middle.
Then what is the application you would like to make asymmetric? The FW very intelligently discards the packet when it was not inspected; that is a basic feature of a FW.
The other option, as suggested: you need to use path control so that the packet coming in goes back the same way for this to work.
If my understanding is wrong, please do explain, with more