11-29-2010 08:39 PM
Ok here is my situation
Site A: static IP, Cisco PIX 515 running PIX 8.04
Site B: dynamic IP, running either PIX 501 or 1721 router with security image
EZVPN connection from B to A
I want all internet traffic from site B to go out Site B's local internet link EXCEPT email, which I want routed through site A's internet connection. Site A has a single server for exchange, AD, dns, etc. I only want email traffic, not all traffic from the server at site B, to go out Site A's internet connection. Also, I want inbound email designated for Site B to go through Site A's extra static IP (I have the extra static, and I know what needs to be done MX wise).
Can this be done this way, or do I have to setup another IOS based device at Site A, and use a GRE tunnel?
Basically, also in general, if I want to accept a connection at Site A and forward it to Site B, does this require route maps or GRE? (I.e. if site B is hosting a web server, but wants to piggyback off Site A's static.)
12-01-2010 03:53 PM
Ryan,
You mention one, which basically says all email traffic from remote end to anywhere should be routed via site A but:
Does the remote site have a server of its own? Or is this user traffic?
Is exchange acting as an MTA or any other server for that mail traffic?
Should incoming traffic be transported to exchange at site A or straight off to the internet by using the static IP?
I have my doubts; you'd need to set up a PoC for this before implementing on a large scale.
For sure if you use ports on crypto access-list on PIX/ASA following will be seen:
WARNING: access-list has port selectors. This may impact performance.
I'm not totally sure what the effect on performance or overall stability will be.
If you don't mind I'll have one of the guys here test this in the lab tomorrow and get back to you.
Unless you found an answer already?
Marcin
12-02-2010 06:14 AM
Ryan,
I configured a similar example using http 80, which can help you.
Scenario:
FW1: outside 10.0.0.1/24, inside 192.168.1.0/24
FW2: outside 10.0.0.2/24, inside 192.168.2.0/24
VPN site to site between FW1 and FW2
Connected to FW2 is our HTTP server R2 (which is another router with http service enabled). Connections to FW1 on http 80 will be forwarded to R2 through the VPN site to site, to finally reach the http server R2; please see the attached network diagram for a better understanding.
In addition you may also find attached the configs of each device in case you want to try it yourself.
Key commands:
FW1
NAT for http service on extra public IP address; please notice 10.0.0.125 is not configured on any interface, it is not necessary.
# static (outside,outside) tcp 10.0.0.125 www 192.168.2.2 www netmask 255.255.255.255
Access lists, in order to allow traffic:
# same-security-traffic permit intra-interface
# access-list OUTSIDE_IN extended permit tcp any host 10.0.0.125 eq www
# access-group OUTSIDE_IN in interface outside
For VPN settings we need to match this kind of traffic; we can add a second line to our VPN access-list (the one used in the crypto-map):
# access-list VPN extended permit tcp any host 192.168.2.2 eq www
FW2
NAT for http service being received on the outside interface with destination 192.168.2.2:
# static (inside,outside) tcp 192.168.2.2 www 192.168.2.2 www netmask 255.255.255.255
Once again, for VPN settings we need to match this kind of traffic; we can add a second line to our VPN access-list (the one used in the crypto-map):
# access-list VPN extended permit tcp host 192.168.2.2 eq www any
Nelson
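The part of this design that is easiest to get wrong is the crypto access-list: on a PIX/ASA, a flow is encrypted into the site-to-site tunnel only if the crypto map's ACL permits it, and anything else follows the normal route out the local internet link. The following is an added example, not code from the thread or from Cisco: a small Python model of first-match ACL evaluation that parses the `access-list ... extended` syntax used in the posts above (subset: `any`, `host X`, `net mask`, and `eq PORT` on source or destination) and reports whether a given flow would take the tunnel or the local link. The ACL entries, the site B server address 192.168.2.2, and the sample flows are constructed to mirror Ryan's "only email through site A" requirement and Nelson's return-traffic entry; they are assumptions, not configuration from either site.

```python
"""Model of how a PIX/ASA crypto ACL with port selectors classifies flows.

Added example for the thread above; the ACL lines, hosts and ports below
are constructed, not taken from a real device.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the port keywords the ASA accepts in place of numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "domain": 53}
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]             # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None = any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _address(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ANY_NET, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # "network mask" form, e.g. 192.168.2.0 255.255.255.0 (subnet mask, not wildcard)
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _maybe_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":
        return _port(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'access-list VPN extended permit tcp any host 192.168.2.2 eq www'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACL syntax: {line}")
    action, proto, i = t[3], t[4], 5
    src, i = _address(t, i)
    sport, i = _maybe_port(t, i)
    dst, i = _address(t, i)
    dport, i = _maybe_port(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in: {line}")
    return Ace(action, proto, src, sport, dst, dport)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    """An entry matches only if protocol, both addresses and any port selectors agree."""
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ace.src:
        return False
    if ipaddress.ip_address(flow.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != flow.sport:
        return False
    return ace.dport is None or ace.dport == flow.dport


def acl_action(acl: List[Ace], flow: Flow) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


def path_for(acl: List[Ace], flow: Flow) -> str:
    """Permitted by the crypto ACL -> encrypted into the tunnel; otherwise local route."""
    return "tunnel" if acl_action(acl, flow) == "permit" else "local-internet"


# Constructed crypto ACL for the site B firewall (an assumption modelled on the
# thread): LAN-to-LAN traffic, outbound SMTP from the site B server only, and
# Nelson's return-traffic entry for the published web server.
SITE_B_CRYPTO_ACL = [parse_ace(l) for l in [
    "access-list VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list VPN extended permit tcp host 192.168.2.2 any eq smtp",
    "access-list VPN extended permit tcp host 192.168.2.2 eq www any",
]]

if __name__ == "__main__":
    for f in [Flow("tcp", "192.168.2.2", "203.0.113.9", 51000, 25),    # server mail
              Flow("tcp", "192.168.2.2", "203.0.113.9", 51001, 443),   # server web
              Flow("tcp", "192.168.2.10", "203.0.113.9", 51002, 25),   # workstation mail
              Flow("tcp", "192.168.2.10", "192.168.1.5", 51003, 445)]: # LAN-to-LAN
        print(f.src, "->", f.dst, f.dport, path_for(SITE_B_CRYPTO_ACL, f))
```

Running this shows the point Marcin raises about port selectors: only SMTP from 192.168.2.2 is pulled into the tunnel, the same server's HTTPS and a workstation's SMTP leave through site B's own link, and the mirror entries on both firewalls have to be kept symmetric (source port on one side, destination port on the other) or the return traffic is not matched.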