03-17-2017 07:30 PM
Hi, I need to send 3 types of traffic via site-to-site VPN.
1. all ip traffic between MAIN and REMOTE site
2. I need to send all the TCP dest.port = 25 traffic from REMOTE site lan via VPN and then to the internet
3. I need to send all IP traffic from one IP located in REMOTE site lan via VPN and then to the internet.
I got this:
REMOTE SITE:
access-list vpn-Bensenville extended permit ip object inside-local-subnet object remote-local-subnet
access-list vpn-Bensenville extended permit tcp object inside-local any eq 25
access-list vpn-Bensenville extended permit ip object voip-server-local object voip-server-remote
nat (inside,outside) source static inside-local-subnet inside-local-subnet destination static remote-local-subnet remote-local-subnet no-proxy-arp route-lookup
nat (inside,outside) source static voip-server-local voip-server-local destination static all all no-proxy-arp route-lookup
nat (inside,outside) source static inside-local inside-local destination static all all service tcp25 tcp25
MAIN SITE:
same-security-traffic permit intra-interface
object network remote-local
subnet 192.168.10.0 255.255.255.0
object network inside-deset
nat (outside,outside) dynamic interface
object network voip-server-local
subnet 192.168.200.225 255.255.255.255
object network voip-server-local
nat (outside,outside) dynamic interface
access-list vpn extended permit ip object inside-local object inside-remote
access-list vpn extended permit tcp any eq 25 object inside-remote
access-list vpn extended permit ip object voip-server-remote object voip-server-local
I do not know how to configure NAT exemption on the MAIN site.
Is there anything else to configure?
03-17-2017 08:41 PM
You still need a NAT exempt between the local and remote subnet on the MAIN side. Also, you need a nat for the "remote-local" object to nat to go out to the internet. You have it set for "inside-deset", not sure what this subnet is.
03-17-2017 09:28 PM
Sorry, object inside-deset means remote-local:
object network inside-deset
nat (outside,outside) dynamic interface
So I need this, right?:
nat (inside,outside) source static inside-local-subnet inside-local-subnet destination static remote-local-subnet remote-local-subnet no-proxy-arp route-lookup
My question is: do I need any other NAT exempt on the main side? Anything for that port 25?
03-17-2017 09:31 PM
I'm not sure about the order of operations in this case. Is there any summary sheet for ASA or Cisco routers which would explain the order of operations?
03-17-2017 10:00 PM
Yes, you would need the dynamic nat for the port 25 traffic from that remote subnet. You also need a nat exempt statement on your local ASA between remote and local subnets, so that it bypasses your dynamic NAT statement for your local LAN traffic. This rule should ideally be above the other rules.
The ASA order of operations is given here:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html
https://www.tunnelsup.com/cisco-asa-order-of-operation/
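The point about rule order in the reply above can be checked with a small model of how the ASA walks its NAT table. The following is an added example and not code from the thread or from Cisco: it encodes the documented lookup order (section 1, manual/twice NAT, is searched top-down with first match winning; section 2, auto/object NAT, is consulted only when nothing in section 1 matched), parses NAT lines in the same form the thread uses, and shows that the identity (exempt) rule only protects LAN-to-remote traffic when it sits above the dynamic PAT rule. The outside interface address 198.51.100.1, the inside-local subnet 192.168.1.0/24, the internet host 203.0.113.10 and the `source dynamic inside-local interface` rule are assumptions; only remote-local 192.168.10.0/24 and the service object tcp25 come from the thread. Rules are matched in the configured direction only (the real ASA also matches manual rules in reverse).

```python
"""Toy model of ASA NAT rule precedence for the MAIN-site configuration.

Added example, not from the thread or from Cisco. Section 1 (manual NAT) is
searched top-down, first match wins; section 2 (object NAT) is consulted only
when no section 1 rule matched. Addresses marked 'constructed' are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

OUTSIDE_IF_IP = IPv4Address("198.51.100.1")          # constructed MAIN outside address

OBJECTS = {                                          # constructed, except remote-local (from thread)
    "inside-local": ip_network("192.168.1.0/24"),
    "remote-local": ip_network("192.168.10.0/24"),
    "all": ip_network("0.0.0.0/0"),
}
SERVICES = {"tcp25": 25}                             # service object named in the thread


@dataclass
class Rule:
    section: int                 # 1 = manual NAT (ordered), 2 = auto/object NAT
    in_if: str
    out_if: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]         # None = any service
    translate: bool              # False = identity (NAT exemption), True = PAT to interface
    text: str


def parse_manual_nat(line: str) -> Rule:
    """Parse 'nat (in,out) source static|dynamic REAL MAPPED [destination static D D] [service S S]'."""
    t = line.split()
    in_if, out_if = t[1].strip("()").split(",")
    mode, real, mapped = t[3], t[4], t[5]
    dst, dport = OBJECTS["all"], None
    if "destination" in t:
        dst = OBJECTS[t[t.index("destination") + 2]]   # real destination object
    if "service" in t:
        dport = SERVICES[t[t.index("service") + 1]]    # real service object
    translate = mode == "dynamic" or real != mapped    # A->A with static = identity/exempt
    return Rule(1, in_if, out_if, OBJECTS[real], dst, dport, translate, line)


def parse_object_nat(obj_name: str, line: str) -> Rule:
    """Parse the 'nat (in,out) dynamic interface' line entered under 'object network OBJ'."""
    t = line.split()
    in_if, out_if = t[1].strip("()").split(",")
    return Rule(2, in_if, out_if, OBJECTS[obj_name], OBJECTS["all"], None,
                t[2] == "dynamic", f"object network {obj_name}: {line}")


def lookup(rules: List[Rule], src: str, dst: str, dport: int,
           in_if: str, out_if: str) -> Tuple[str, str]:
    """Return (translated source address, text of the matching rule)."""
    s, d = ip_address(src), ip_address(dst)
    for section in (1, 2):                           # section 1 always beats section 2
        for r in rules:                              # configured order within a section
            if r.section != section or (r.in_if, r.out_if) != (in_if, out_if):
                continue
            if s in r.src and d in r.dst and r.dport in (None, dport):
                return (str(OUTSIDE_IF_IP) if r.translate else src), r.text
    return src, "no NAT rule matched"


EXEMPT = ("nat (inside,outside) source static inside-local inside-local "
          "destination static remote-local remote-local no-proxy-arp route-lookup")
DYNAMIC = "nat (inside,outside) source dynamic inside-local interface"      # constructed PAT rule
HAIRPIN = parse_object_nat("remote-local", "nat (outside,outside) dynamic interface")

GOOD_ORDER = [parse_manual_nat(EXEMPT), parse_manual_nat(DYNAMIC), HAIRPIN]
BAD_ORDER = [parse_manual_nat(DYNAMIC), parse_manual_nat(EXEMPT), HAIRPIN]


def demo() -> dict:
    """Translated source seen for three flows under the good and the bad rule order."""
    return {
        # inside LAN to remote LAN over the tunnel: only untranslated when exempt is first
        "lan_to_remote_good": lookup(GOOD_ORDER, "192.168.1.20", "192.168.10.5", 445, "inside", "outside")[0],
        "lan_to_remote_bad": lookup(BAD_ORDER, "192.168.1.20", "192.168.10.5", 445, "inside", "outside")[0],
        # remote LAN SMTP hairpinned out to the internet: handled by object NAT on (outside,outside)
        "remote_smtp_out": lookup(GOOD_ORDER, "192.168.10.5", "203.0.113.10", 25, "outside", "outside")[0],
    }


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name}: {addr}")
```

With the exempt rule first, LAN traffic to the remote subnet leaves with its real address and is therefore matched by the crypto ACL; with the dynamic rule first, the same traffic is PATed to the interface address and never enters the tunnel, which is the failure the reply warns about. The SMTP flow from the remote LAN is untouched by section 1 (wrong interface pair) and falls through to the `(outside,outside)` object NAT, which needs `same-security-traffic permit intra-interface` on the real box.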
03-17-2017 10:11 PM
Thanks;
last question:
is this correct?
nat (inside,outside) source static inside-local inside-local destination static all all service tcp25 tcp25
do I need anything similar on main site?