site to site hairpinning

filip00011
Level 1

Hi, I need to send 3 types of traffic via site-to-site VPN.

1. all ip traffic between MAIN and REMOTE site

2. I need to send all the TCP dest.port = 25 traffic from REMOTE site lan via VPN and then to the internet

3. I need to send all IP traffic from one IP located in REMOTE site lan via VPN and then to the internet.

I got this:

REMOTE SITE:

access-list vpn-Bensenville extended permit ip object inside-local-subnet object remote-local-subnet
access-list vpn-Bensenville extended permit tcp object inside-local any eq 25
access-list vpn-Bensenville extended permit ip object voip-server-local object voip-server-remote

nat (inside,outside) source static inside-local-subnet inside-local-subnet destination static remote-local-subnet remote-local-subnet no-proxy-arp route-lookup

nat (inside,outside) source static voip-server-local voip-server-local destination static all all no-proxy-arp route-lookup


nat (inside,outside) source static inside-local inside-local destination static all all service tcp25 tcp25

MAIN SITE:

same-security-traffic permit intra-interface

object network remote-local
subnet 192.168.10.0 255.255.255.0

object network inside-deset
nat (outside,outside) dynamic interface

object network voip-server-local
subnet 192.168.200.225 255.255.255.255

object network voip-server-local
nat (outside,outside) dynamic interface

access-list vpn extended permit ip object inside-local object inside-remote
access-list vpn extended permit tcp any eq 25 object inside-remote
access-list vpn extended permit ip object voip-server-remote object voip-server-local

I do not know how to configure NAT exemption on the MAIN site.

Is there anything else to configure?

5 Replies

Rahul Govindan
VIP Alumni

You still need a NAT exempt between the local and remote subnet on the MAIN side. Also, you need a nat for the "remote-local" object to nat to go out to the internet. You have it set for "inside-deset", not sure what this subnet is.

Sorry, object inside-deset means remote-local:

object network inside-deset
nat (outside,outside) dynamic interface

So I need this, right?

nat (inside,outside) source static inside-local-subnet inside-local-subnet destination static remote-local-subnet remote-local-subnet no-proxy-arp route-lookup

My question is: do I need any other NAT exempt on the main side? Anything for that port 25?

I'm not sure about the order of operations in this case. Is there any summary sheet for ASA or Cisco routers which would explain the order of operations?

Yes, you would need the dynamic nat for the port 25 traffic from that remote subnet. You also need a nat exempt statement on your local ASA between remote and local subnets, so that it bypasses your dynamic NAT statement for your local LAN traffic. This rule should ideally be above the other rules.

The ASA order of operations is given here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

https://www.tunnelsup.com/cisco-asa-order-of-operation/
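To make the two points in the reply above concrete (the NAT exemption placed before the dynamic rules, and the hairpin NAT for the remote subnet and the VoIP host), here is a MAIN-site configuration written as an added example. It is not the poster's configuration and not an official Cisco example: the object names (MAIN-LAN, REMOTE-LAN, REMOTE-VOIP, VPN-TO-REMOTE), the MAIN LAN subnet 10.10.10.0/24 and the interface names inside/outside are assumptions; 192.168.10.0/24 and 192.168.200.225 are the values quoted in the thread. The crypto ACL follows the three traffic types listed in the first post, so the VoIP line permits the host to any destination rather than to a second VoIP object.

```cisco
! MAIN-site ASA. Added example, not the thread's own config or Cisco's.
! Assumed: object names, inside/outside interface names, 10.10.10.0/24 as MAIN LAN.
! From the thread: 192.168.10.0/24 (remote LAN), 192.168.200.225 (remote VoIP host).

! Hairpinning requires traffic to enter and leave the same (outside) interface.
same-security-traffic permit intra-interface

object network MAIN-LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.10.0 255.255.255.0
object network REMOTE-VOIP
 host 192.168.200.225

! 1) NAT exemption: identity twice NAT for MAIN-LAN <-> REMOTE-LAN.
!    "1" pins it to line 1 of manual NAT (section 1), so it is matched before
!    any dynamic PAT that would otherwise translate LAN-to-LAN traffic.
nat (inside,outside) 1 source static MAIN-LAN MAIN-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! 2) Hairpin PAT: packets that arrive from the tunnel on outside and leave
!    outside again toward the Internet are translated to the outside address.
!    Object NAT (section 2) is evaluated after the identity rule above, so
!    LAN-to-LAN traffic is never PATed.
object network REMOTE-LAN
 nat (outside,outside) dynamic interface
object network REMOTE-VOIP
 nat (outside,outside) dynamic interface

! 3) Crypto ACL: mirror image of the remote site's ACL. The port-25 line names
!    "any eq 25" as the source because, seen from MAIN, the interesting traffic
!    back toward the remote LAN comes from any Internet host on TCP/25.
access-list VPN-TO-REMOTE extended permit ip object MAIN-LAN object REMOTE-LAN
access-list VPN-TO-REMOTE extended permit tcp any eq 25 object REMOTE-LAN
access-list VPN-TO-REMOTE extended permit ip any object REMOTE-VOIP
```

Two things worth checking after applying this. First, `show nat detail` should list the identity rule in section 1 ahead of everything else; if the MAIN LAN's Internet PAT is itself a manual NAT rule, the identity rule must still sit above it, which is what the line number `1` guarantees. Second, `packet-tracer input outside tcp 192.168.10.5 1025 203.0.113.10 25` (constructed addresses: a remote LAN host and a documentation-range Internet host) should show the packet being decrypted, matching the REMOTE-LAN hairpin PAT and being sent back out the outside interface, while `packet-tracer input inside tcp 10.10.10.5 1025 192.168.10.5 445` should hit the identity rule and the crypto map with no translation. Note that the hairpin PAT on REMOTE-LAN is not limited to port 25 on the MAIN side; the remote site's crypto ACL and identity NAT with `service tcp25 tcp25` are what keep other remote-LAN Internet traffic out of the tunnel, so both ends must stay in step.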

Thanks.

Last question: is this correct?

nat (inside,outside) source static inside-local inside-local destination static all all service tcp25 tcp25

Do I need anything similar on the main site?
