01-12-2015 12:23 PM
Hi All,
I have a scenario where I am badly stuck and do not know what to do.
I have many partners with whom I have Site-To-Site VPN connections. For most of the connections the interesting traffic is only between one local host and one remote host (i.e. basically local production server - remote production server).
The requirement is that one of our development servers requires access to the remote production server using the same established VPN tunnel between local production server - remote production server.
So is there a possibility, using any technology like NAT or any other, to have access to the remote production server through both the local production & development servers?
Find the attached network diagram for the scenario.
Kindly suggest.
01-12-2015 02:33 PM
What you describe is quite possible. To get it to work you would need to modify the environment that you show on the right side of your diagram. You would need to add a second line to the interesting traffic that would have 192.168.10.10 to 50.50.25.36.
HTH
Rick
01-13-2015 03:00 AM
Hi Richards,
Thanks for your response.
The remote end is our partner's and they won't allow access from two hosts. So the solution you provide is quite obvious when the partner is agreeing, but this is not the case.
Regards
@Mohammed
01-13-2015 11:24 AM
Mohammed
Then there is a conflict between your requirements and the policy of your partner. The solutions that I can think of include:
- get someone to change the requirements for both hosts to access the single remote host.
- get the partner to change their policy and allow access from two hosts.
- find some creative way that access from two hosts in your network appears as a single host to the remote partner (perhaps some kind of proxy).
HTH
Rick
01-13-2015 01:24 PM
Hi Richard,
Thanks again for your response.
Yes, you are right that the requirement is a little immature, but I have to do this. As you said, I did think of a proxy server; however, we are already deploying a proxy server for filtering our outgoing traffic from all servers.
Kindly see the attached scenario wherein you will understand the whole setup.
Do let me know whether what I am thinking is what you are also thinking, and will this work in real time?
Regards
@Mohammed
01-13-2015 01:57 PM
Mohammed
There are a couple of things here that puzzle me. In your response you say that you will be deploying a proxy server for all of your server traffic. And then the drawing has a proxy server for the two PRO and DEV servers. Is this the same proxy server? Are there to be two proxy servers? Also if you are using a proxy server do you need the static NAT for the PRO and DEV servers? I see 50.50.25.35 several places in your drawing and I wonder if that is intentional?
HTH
Rick
01-13-2015 02:38 PM
Hi Richard,
The proxy server in the drawing may or may not be used for all servers. Because I am more concerned about the PRO & DEV servers at this moment, that is why I stated only two servers. The proxy server does not have any access from outside, so there is no need for the proxy server to have static NAT, and I also did not mention any such scenario in the drawing. Yes, the PRO server needs to have static NAT to have access from outside because the APIs which the mobile application will be accessing are deployed on the PRO server. Similarly the developers will access the DEV server APIs for testing purposes, and hence it is also required to have static NAT for access from outside.
As you can see, the interesting traffic from my end is my public IP 50.50.25.35, so I have to have a NAT rule like below, if I am not wrong:
nat (inside,outside) 1 source static 192.168.0.30 50.50.25.35 destination static 192.168.10.10 192.168.10.10
The above NAT rule will now allow my proxy server to access the remote host and the PRO server cannot. If I do not have the above rule, my PRO server will have access to the remote host because while configuring the VPN I did not exempt the interesting traffic from address translation. See the attached picture.
Remember there is already a NAT for PRO:
192.168.0.10 - 50.50.25.35
I hope you must have understood by now, do let me know if you have any concerns still.
Regards
@Mohammed
01-14-2015 09:42 AM
Mohammed
Thanks for the additional explanation.
HTH
Rick
01-14-2015 09:48 AM
Hi Richard,
Nice to see you back, I was waiting for you since my last post.
I hope you understood by now, so let me know what should be the conclusion.
Regards
@Mohammed