port forward/PAT to host behind remote VPN endpoint

ryancolson
Level 1

Ok here is my situation

Site A: static IP, Cisco PIx 515 running PIX 8.04

Site B: dynamic IP, running either PIX 501 or 1721 router with security image

EZVPN connection from B to A

I want all internet traffic from site B to go out Site B's local internet link EXCEPT email, which I want routed through site A's internet connection. Site A has a single server for exchange, AD, dns, etc. I only want email traffic, not all traffic from the server at site B, to go out Site A's internet connection. Also, I want inbound email designated for Site B to go through Site A's extra static IP (I have the extra static, and I know what needs to be done MX wise).

Can this be done this way, or do I have to setup another IOS based device at Site A, and use a GRE tunnel?

Basically, also in general, if I want to accept a connection at Site A and forward it to Site B, does this require route maps or GRE? (i.e. if site B is hosting a web server, but wants to piggyback off Site A's static)

2 Replies

Marcin Latosiewicz
Cisco Employee

Ryan,

You mention one, which basically says all email traffic from remote end to anywhere should be routed via site A but:

Does the remote site have a server of its own? Or is this user traffic?

Is exchange acting as an MTA or any other server for that mail traffic?

Should incoming traffic be transported to exchange at site A or straight off to the internet by using the static IP?

I have my doubts you'd need to set up a PoC for this before implementing on a large scale.

For sure, if you use ports on a crypto access-list on PIX/ASA the following will be seen:

WARNING: access-list has port selectors. This may impact performance.

I'm not totally sure what the effect on performance or overall stability will be.

If you don't mind, I'll have one of the guys here test this in the lab tomorrow and get back to you.

Unless you found an answer already?

Marcin

ngull
Cisco Employee

Ryan,

I configured a similar example using http 80, which can help you.

Scenario:

FW1: outside 10.0.0.1/24, inside 192.168.1.0/24

FW2: outside 10.0.0.2/24, inside 192.168.2.0/24

VPN site to site between FW1 and FW2

Connected to FW2 is our HTTP server R2 (which is another router with the http service enabled). Connections to FW1 on http 80 will be forwarded to R2 through the VPN site to site, to finally reach the http server R2; please see the attached network diagram for a better understanding.

In addition, you may also find attached the configs of each device in case you want to try it yourself.

Key commands:

FW1

NAT for the http service on the extra public IP address. Please notice 10.0.0.125 is not configured on any interface; it is not necessary.

# static (outside,outside) tcp 10.0.0.125 www 192.168.2.2 www netmask 255.255.255.255

Access lists, in order to allow the traffic:

# same-security-traffic permit intra-interface

# access-list OUTSIDE_IN extended permit tcp any host 10.0.0.125 eq www

# access-group OUTSIDE_IN in interface outside

For the VPN settings we need to match this kind of traffic, so we add a second line to our VPN access-list (the one used in the crypto-map):

# access-list VPN extended permit tcp any host 192.168.2.2 eq www

FW2

NAT for the http service being received on the outside interface with destination 192.168.2.2:

# static (inside,outside) tcp 192.168.2.2 www 192.168.2.2 www netmask 255.255.255.255

Once again, for the VPN settings we need to match this kind of traffic, so we add a second line to our VPN access-list (the one used in the crypto-map):

# access-list VPN extended permit tcp host 192.168.2.2 eq www any

Nelson
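As an added example (not from this thread or from Cisco), a small Python check of the two properties the configuration above depends on: the crypto ACLs on FW1 and FW2 must be mirror images of each other, and the real address/port that FW1's static translates to must appear as a destination in FW1's VPN access-list, otherwise the translated packet is routed out the outside interface and bypasses the tunnel. The sample command text is taken from this thread; the parser only understands the `any` and `host ... eq PORT` forms used here.

```python
import re

# Constructed sample: the key commands from each firewall as posted in this thread.
FW1 = """
static (outside,outside) tcp 10.0.0.125 www 192.168.2.2 www netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.125 eq www
access-list VPN extended permit tcp any host 192.168.2.2 eq www
"""
FW2 = """
static (inside,outside) tcp 192.168.2.2 www 192.168.2.2 www netmask 255.255.255.255
access-list VPN extended permit tcp host 192.168.2.2 eq www any
"""

STATIC = re.compile(r"static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL = re.compile(r"access-list (\S+) extended permit (\w+) (.+)")

def _endpoint(tok):
    """Consume 'any' or 'host A' plus an optional 'eq PORT' from an ACE (only these forms)."""
    addr, tok = ("any", tok[1:]) if tok[0] == "any" else (tok[1], tok[2:])
    port = None
    if tok and tok[0] == "eq":
        port, tok = tok[1], tok[2:]
    return (addr, port), tok

def parse_acl(config, name):
    """Return [(proto, (src, sport), (dst, dport))] for the ACEs of the named ACL."""
    aces = []
    for line in config.splitlines():
        m = ACL.match(line.strip())
        if m and m.group(1) == name:
            src, rest = _endpoint(m.group(3).split())
            dst, _ = _endpoint(rest)
            aces.append((m.group(2), src, dst))
    return aces

def parse_statics(config):
    """Return [(from_if, to_if, mapped_ip, mapped_port, real_ip, real_port)]."""
    return [STATIC.match(l.strip()).groups()
            for l in config.splitlines() if STATIC.match(l.strip())]

def crypto_acls_mirror(local, remote):
    """Crypto ACLs must mirror each other (src/dst swapped) for the proxy IDs to agree."""
    return all((p, d, s) in remote for p, s, d in local)

def forwarded_service_in_vpn_acl(fw_config, acl_name="VPN"):
    # Hub-side check: every static's real (post-NAT) ip:port must be a crypto ACL destination.
    aces = parse_acl(fw_config, acl_name)
    return all(any(dst == (real_ip, real_port) for _, _, dst in aces)
               for _, _, _, _, real_ip, real_port in parse_statics(fw_config))
```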