Site-To-Site VPN Complexity

Hi All,

I have a scenario where I am badly stuck and do not know what to do.

I have many partners with whom I have Site-To-Site VPN connections. For most of the connections the interesting traffic is only between one local host and one remote host (i.e. basically local production server - remote production server).

The requirement is that one of our development servers requires access to the remote production server using the same established VPN tunnel between the local production server and the remote production server.

So is there a possibility, using any technology like NAT or any other, to have access to the remote production server through both the local production & development servers?

Find the attached network diagram for the scenario.

Kindly suggest.

8 Replies

Richard Burts
Hall of Fame

What you describe is quite possible. To get it to work you would need to modify the environment that you show on the right side of your diagram. You would need to add a second line to the interesting traffic that would have 192.168.10.10 to 50.50.25.36.

HTH

Rick

Hi Richard,

Thanks for your response.

The remote end belongs to our partners, and they won't allow access from two hosts. So the solution you provide is quite obvious when the partner agrees, but this is not the case.

Regards

@Mohammed


Then there is a conflict between your requirements and the policy of your partner. The solutions that I can think of include:

- get someone to change the requirements for both hosts to access the single remote host.

- get the partner to change their policy and allow access from two hosts.

- find some creative way that access from two hosts in your network appears as a single host to the remote partner (perhaps some kind of proxy).

HTH

Rick

Hi Richard,

Thanks again for your response.

Yes, you are right that the requirement is a little immature, but I have to do this. As you said, I did think of a proxy server; however, we are already deploying a proxy server for filtering our outgoing traffic from all servers.

Kindly see the attached scenario wherein you will understand the whole setup.

Do let me know whether what I am thinking is also what you are thinking, and whether this will work in real time?

Regards

@Mohammed

There are a couple of things here that puzzle me. In your response you say that you will be deploying a proxy server for all of your server traffic. And then the drawing has a proxy server for the two PRO and DEV servers. Is this the same proxy server? Are there to be two proxy servers? Also if you are using a proxy server do you need the static NAT for the PRO and DEV servers? I see 50.50.25.35 several places in your drawing and I wonder if that is intentional?

HTH

Rick

Hi Richard,

The proxy server in the drawing may or may not be used for all servers. Because I am more concerned about the PRO & DEV servers at this moment, I stated only two servers. The proxy server does not have any access from outside, so there is no need for the proxy server to have a static NAT, and I also did not mention any such scenario in the drawing. Yes, the PRO server needs to have a static NAT to have access from outside, because the APIs which the mobile application will be accessing are deployed on the PRO server. Similarly, the developers will access the DEV server APIs for testing purposes, and hence it is also required to have a static NAT for access from outside.

As you can see, the interesting traffic from my end is my public IP 50.50.25.35, so I have to have a NAT rule like the one below, if I am not wrong:

nat (inside,outside) 1 source static 192.168.0.30 50.50.25.35 destination static 192.168.10.10 192.168.10.10

The above NAT rule will now allow my proxy server to access the remote host, and the PRO server cannot. If I do not have the above rule, my PRO server will have access to the remote host, because while configuring the VPN I did not exempt the interesting traffic from address translation. See the attached picture.

Remember, there is already a NAT for PRO:

192.168.0.10 - 50.50.25.35

I hope you have understood by now; do let me know if you still have any concerns.

Regards

@Mohammed
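
One way to let two inside hosts reach the partner host through the existing tunnel while presenting the single address the partner's policy and the crypto ACL expect (the "appears as a single host" option from the earlier reply), as an added example that is not part of this thread and not the poster's configuration. The addresses 192.168.0.10 (PRO), 50.50.25.35 and 192.168.10.10 are taken from the thread; 192.168.0.20 for the DEV server, the object names, and the assumption that a single-host mapped object in a manual NAT rule yields dynamic PAT on the running ASA release are mine:

```cisco
! Added example, not from the thread. ASA 8.3+ manual (twice) NAT.
! Assumed: DEV = 192.168.0.20, object names, and PAT behaviour of a host-sized mapped object.
object network PRO-SERVER
 host 192.168.0.10
object network DEV-SERVER
 host 192.168.0.20
object network REMOTE-PROD
 host 192.168.10.10
object network VPN-MAPPED
 host 50.50.25.35
object-group network VPN-SOURCES
 network-object object PRO-SERVER
 network-object object DEV-SERVER
!
! Section 1 (manual NAT) is evaluated before object NAT, so line 1 catches
! PRO/DEV -> 192.168.10.10 ahead of PRO's one-to-one static for its public API.
! Only traffic to the partner host is affected; both sources leave as 50.50.25.35,
! which is what the existing interesting-traffic entry 50.50.25.35 -> 192.168.10.10 matches.
nat (inside,outside) 1 source dynamic VPN-SOURCES VPN-MAPPED destination static REMOTE-PROD REMOTE-PROD
!
! Verification on the ASA (source port 1025 chosen arbitrarily):
!   packet-tracer input inside tcp 192.168.0.20 1025 192.168.10.10 443
!   show nat detail
```

If the proxy (192.168.0.30 in the thread) is the host that should carry the DEV traffic instead, put the proxy object in VPN-SOURCES rather than DEV-SERVER. Two checks matter before relying on this: `show nat` and `packet-tracer` should confirm that the manual rule, not the one-to-one static for PRO, is hit for traffic to 192.168.10.10, and the ASA must accept 50.50.25.35 as a PAT address alongside that existing static on the release in use. Note that the partner then sees one source address for both hosts, so per-host attribution of sessions exists only in the ASA's own translation and connection logs (e.g. syslog 305011 for dynamic translations), which is where to look if the partner ever asks which host opened a given connection.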


Thanks for the additional explanation.

HTH

Rick

Hi Richard,

Nice to see you back; I have been waiting for you since my last post.

I hope you have understood by now, so let me know what the conclusion should be.

Regards

@Mohammed