12-06-2013 05:53 PM
12-06-2013 06:05 PM
Hi, I created a sample network above to describe my situation. I have a main site in South America and a remote site in Miami, which is connected via IPsec VPN; both sites are terminated with an ASA 5505. Then we have a customer that is connected to the remote site in Miami, and we are connected to the customer through the Miami VPN connection. At the customer site they have quite a few Citrix servers that we access. At the main site we have about 200+ workers accessing these Citrix servers via a single IP address in the web browser, and the applications work just fine. The problem is we deployed a GFI web proxy to save bandwidth, and it works well, but when we open the Citrix applications they are all running through the proxy and then back to the firewall, then to the VPN, and this causes huge problems when we have all workers connected. But with how the proxy works, if I try to browse web pages on the local intranet it does not pass through the proxy, so I was wondering: if I do a NAT config on the firewall to map an inside IP address to the remote Citrix server web interface, will this prevent the Citrix traffic from passing through the proxy?
12-07-2013 05:57 AM
Hi,
So if I understood you correctly, you want to map an IP address located at the Miami Customer site to an IP address that's part of the South America Site's local network to bypass the GFI Web Monitor?
If what I described above is the situation then could you please let us know what software you are running on the ASAs? Do you have access to all of the firewall/VPN devices in the picture or is the Miami Customer device under their management only?
- Jouni
12-07-2013 06:44 AM
Hey, yes, you are correct. We are using the latest ASA IOS, which I think is 9.0.4, and the ASA at the Miami customer site is under their management.
12-07-2013 06:47 AM
I saw someone did a similar config on a Cisco router with NAT where they mapped an unused local IP address to an actual IP address of a server on the internet and it worked, but I'm not sure if it can be done with ASAs. If not, I'll just take down the proxy for the time being.
12-07-2013 06:50 AM
Hi,
So if the aim is to NAT the actual destination IP address located at Miami Customer Site to an IP address located at South America Site then I think the configuration should look something like this:
! South America Site LAN (source, left untranslated)
object network SA-LAN
 subnet 192.168.10.0 255.255.255.0
! Local address the users point their browsers at
object network SA-DEST-NAT
 host 192.168.10.254
! Actual destination at the Miami Customer Site
object network SA-DEST-REAL
 host 10.10.10.10
nat (inside,outside) 1 source static SA-LAN SA-LAN destination static SA-DEST-NAT SA-DEST-REAL
The above presumes that the South America Site LAN network is 192.168.10.0/24 and the chosen NAT IP address for the destination is 192.168.10.254 from that network. The Miami Customer Site is presumed to be 10.10.10.0/24 and the actual destination address there to be 10.10.10.10.
- Jouni
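The translation that the NAT rule in the reply above describes, modelled in Python as an added example that is not part of the original thread or any Cisco code. The addresses are the ones presumed in the reply; the worker and file-server addresses in the demo are constructed.

```python
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str


# Objects from the reply above (values presumed there).
SA_LAN = ipaddress.ip_network("192.168.10.0/24")      # SA-LAN
SA_DEST_NAT = ipaddress.ip_address("192.168.10.254")  # SA-DEST-NAT (mapped)
SA_DEST_REAL = ipaddress.ip_address("10.10.10.10")    # SA-DEST-REAL (real)


def translate_outbound(pkt: Packet) -> Packet:
    """inside -> outside: match LAN source plus mapped destination,
    keep the source as-is and rewrite the destination to the real host."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src in SA_LAN and dst == SA_DEST_NAT:
        return Packet(pkt.src, str(SA_DEST_REAL))
    return pkt  # rule does not match; packet is left to other NAT rules


def translate_return(pkt: Packet) -> Packet:
    """outside -> inside: a static rule is bidirectional, so replies from
    the real host are shown to the LAN as coming from the mapped address."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src == SA_DEST_REAL and dst in SA_LAN:
        return Packet(str(SA_DEST_NAT), pkt.dst)
    return pkt


if __name__ == "__main__":
    worker = "192.168.10.50"  # constructed LAN client address
    for pkt in (
        Packet(worker, "192.168.10.254"),  # browser pointed at the mapped IP
        Packet(worker, "192.168.10.20"),   # constructed intranet host, no match
    ):
        print(pkt, "->", translate_outbound(pkt))
    reply = Packet("10.10.10.10", worker)
    print(reply, "->", translate_return(reply))
```

Because the source is left untranslated, the flow leaving the firewall is still 192.168.10.0/24 towards 10.10.10.10.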