
Providing vpn access to customer to all of my vpn traffic

howithink
Level 1

hello,

We have a vendor that does monitoring for us. We have a site-to-site VPN tunnel with them using a Cisco ASA 5515-X. In order to monitor remote locations for us, they want access to all of our 200+ site-to-site tunnels so they can access those devices for monitoring. At one point this was working, and then a new FW was put in place and I cannot duplicate it.

I understand that a hairpin can be used, but for that Cisco is telling me that I will have to reach out to all 200+ sites to add this vendor VPN traffic. I do not want to do this.

In the past when it was working, someone had used an outside,outside NAT and NATted the traffic to an IP on our end (10.0.0.10); traffic would be NATted to this IP and then go out. In essence, a shortcut to all remote locations, since our inside IP is already exempt to all 200+ sites.

ex: nat (outside,outside) source static 10.220.xx.xx 10.220.xx.xx destination static 10.0.0.10(our inside range) 10.250.250.10 (vendor)

This was working, but for the life of me, I cannot duplicate this on the new FW. What can I do?
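The outside,outside hairpin NAT the post describes, written out as an added illustration; this is not the poster's configuration or a Cisco reference example. The addresses 10.0.0.10 and 10.250.250.10 come from the post; the object names, the 10.220.0.0/16 summary of the branch LANs and the ACL name are assumptions.

```cisco
! Added example (not the poster's config): let the vendor's monitoring host
! reach the branch sites through the existing site-to-site tunnels by hiding
! it behind an inside address the branch crypto ACLs already permit.
!
! 1. Traffic that arrives on outside must be allowed to leave via outside again.
same-security-traffic permit intra-interface
!
object network VENDOR-MON
 host 10.250.250.10                  ! vendor monitoring host (from the post)
object network MON-HIDE
 host 10.0.0.10                      ! inside address already in every branch crypto ACL
object network REMOTE-SITES
 subnet 10.220.0.0 255.255.0.0       ! assumed summary of the 200+ branch LANs
!
! 2. Twice NAT, outside to outside: rewrite the vendor's source to MON-HIDE and
!    keep the branch destination unchanged. The branch side then sees an
!    ordinary 10.0.0.10 -> branch flow, so no branch tunnel has to be touched.
!    Section 1 (manual) NAT is evaluated before auto NAT, so this rule wins.
nat (outside,outside) source static VENDOR-MON MON-HIDE destination static REMOTE-SITES REMOTE-SITES
!
! 3. The HO <-> vendor tunnel must carry branch <-> vendor as interesting
!    traffic; the vendor side needs the mirror image. Assumed ACL name.
access-list VPN-TO-VENDOR extended permit ip object REMOTE-SITES object VENDOR-MON
!
! 4. Verify on the HO firewall alone before asking anyone else for changes:
!    the trace should hit the NAT rule above and then the VPN encrypt phase
!    toward the branch; a DROP with "no valid adjacency" or a missing NAT
!    phase points at step 1 or step 2.
packet-tracer input outside icmp 10.250.250.10 8 0 10.220.1.1 detailed
show nat detail | include VENDOR-MON
```

Note that every branch device will log the vendor's probes as coming from 10.0.0.10, so keep the HO NAT and connection logs if you need to attribute that traffic to the vendor later.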

1 Reply

balaji.bandi
Hall of Fame

Still, you can monitor the same way you used to before. Can you provide a show run from your HO side and one from the vendor config to check how the rules are set up?

BB
