05-24-2023 12:57 PM
Host A will ping Host B's IP address via IPsec, but the actual responder is Host C. I just wanted to see if this kind of scenario is possible with Cisco ASAv. Host A is the client side, and Host B is a phantom IP on ASAv. However, Host C is the actual server. The intended communication is from Host A to C via IP B, as IP C is not allowed on Host A's network.
05-24-2023 03:46 PM - edited 05-24-2023 03:54 PM
Flip it the other way around. You mentioned "as IP C is not allowed on Host A's network", so why don't you present IP C as a NAT to an IP address that Host A can accept?
For example:
Host-C-Real-IP 192.168.1.10
Host-C-Map-IP 10.10.10.10
nat (inside,outside) source static Host-C-Real-IP Host-C-Map-IP destination static REMOTE REMOTE
!
access-list SITE-2SITE-VPN extended permit ip object Host-C-Map-IP object REMOTE
!
crypto map CMAP 1 match address SITE-2SITE-VPN
-----------------------------------------OR------------------------------------
If you want to stick with your original question, in that case configure static NAT:
object network HostB
host 192.168.100.10
!
object network HostC
host 172.16.10.10
!
nat (inside,dmz) source static HostB HostC
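Applied to the topology in this thread (Host A behind a remote peer, the phantom IP B on ASA-B, Host C behind ASA-B), the static-NAT option above can be written as a twice NAT rule that rewrites the destination B to C for traffic arriving through the tunnel. This is an added example, not the configuration posted by the answerer; the interface names outside/dmz, the remote network 10.1.1.0/24 and the ACL/object names are constructed assumptions, while the host addresses are the ones used in the answer.

```cisco
! Added example (not from the thread): ASA-B destination NAT so that the
! phantom address 192.168.100.10 (IP B) is answered by Host C 172.16.10.10.
! Assumptions: tunnel terminates on "outside", Host C sits on "dmz",
! and the remote (Host A) network is 10.1.1.0/24 (constructed values).
object network REMOTE-A
 subnet 10.1.1.0 255.255.255.0
object network HOSTB-PHANTOM
 host 192.168.100.10
object network HOSTC-REAL
 host 172.16.10.10
!
! Twice NAT, inbound from the tunnel: source is kept, destination is
! untranslated from the mapped IP B to the real IP C. The ASA installs the
! reverse translation, so Host C's replies re-enter the tunnel sourced
! from 192.168.100.10 and Host A never sees (or needs a route to) IP C.
nat (outside,dmz) source static REMOTE-A REMOTE-A destination static HOSTB-PHANTOM HOSTC-REAL
!
! The crypto ACL describes packets as they appear inside the tunnel, i.e.
! the phantom address, never Host C's real address. The remote peer's
! mirror-image ACL must permit 10.1.1.0/24 <-> 192.168.100.10 only.
access-list VPN-TO-A extended permit ip object HOSTB-PHANTOM object REMOTE-A
!
! Only the match clause is shown; peer, proposal and tunnel-group are the
! existing site-to-site settings and are assumed to be unchanged.
crypto map CMAP 1 match address VPN-TO-A
!
! Verification on ASA-B: the NAT phase should show the destination
! untranslated to 172.16.10.10 and the VPN phase should match VPN-TO-A.
! packet-tracer input outside tcp 10.1.1.5 12345 192.168.100.10 443
```

If the trace shows the VPN phase matching before any NAT phase appears, the crypto ACL was written with the real address of Host C rather than the phantom address, and the interesting-traffic match will fail.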
05-25-2023 01:47 AM
Thank you for sharing insights, much appreciated!
05-24-2023 04:46 PM - edited 05-30-2023 07:47 AM
checking
05-24-2023 11:53 PM
Thank you. Normally, we practice such that internet users can access our private IP address server using a public address and mapping it to a private one. However, for this case, instead of using the internet IP, we are going to use an IPsec VPN. My understanding is that once the client successfully completes Phase 1 and Phase 2, they should be able to access IP address B, analogous to accessing a public IP. This should then provide connectivity to IP address C. The issue here is that we don't have control over the client side, so we cannot alter their routing domain. Currently, the only segment that can be routed is to IP address B.
IP A (Client) --> ASA-A --> IPsec VPN Tunnel --> ASA-B/IP B (Phantom IP) --> IP C (Server).
05-25-2023 01:39 AM
In an IPsec tunnel, in your case, remote and IP-B will be able to communicate, but the remote side cannot access IP-C, unless you configure a route-based VPN tunnel instead of a policy-based VPN.
I did ask earlier if you can present IP-C as the IP address to the remote side, which they think can be used; this will solve your issue. But you completely ignored my post.
Hence, given the topology above, what you are trying to achieve is not possible.
05-25-2023 02:04 AM - edited 05-31-2023 04:22 AM
MHM-3 builds a VPN with MHM-2; MHM-3 NATs 20.0.0.0 to 220.0.0.0 and uses ACL 220.0.0.0 to 30.0.0.0,
and MHM-2 uses ACL 30.0.0.0 to 220.0.0.0.
It works; there is no problem.
Just want to confirm that.
Thanks,
MHM