03-04-2013 03:47 AM
Hi,
I need to know whether the following would be possible to do on either an ASA or a Cisco router:
I have 3 sites: A, B and C.
Site A has 10.1.1.0/24
Site B has 192.168.1.0/24
Site C has 192.168.1.0/24
Clients on site A need to be able to connect to hosts on both site B and C.
Site B and C will never have to connect to A, B or C.
The firewalls at site B and C cannot do any source NATting. They can only set up one simple IPsec tunnel.
The clients at site A would connect to hosts at site B on, say, 172.16.1.0/24 and to hosts at site C on 172.16.2.0/24.
All traffic destined for site B and C needs to appear from a single public IP in our available IPs.
Is it possible to do all the NATting required on the ASA or router at site A, so that the firewalls at site B and C never have to know about the NATting going on?
Thanks in advance.
03-04-2013 11:45 AM
Site A has 10.1.1.0/24

VPN Site B ACL (crypto ACL 1):
ip access-list extended VPN-SITEB
 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
VPN Site C ACL (crypto ACL 2):
ip access-list extended VPN-SITEC
 permit ip 10.1.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Site B has 192.168.1.0/24
NAT the whole subnet 192.168.1.x to 192.168.2.x (type match-host keeps the host part, so 192.168.1.50 becomes 192.168.2.50).

NAT pool:
ip nat pool POOLSITEA 192.168.2.1 192.168.2.254 prefix-length 24 type match-host
NAT ACL (must match the real, pre-translation source 192.168.1.0/24, not the pool addresses):
ip access-list extended NAT-ACL
 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
ip nat inside source list NAT-ACL pool POOLSITEA
VPN ACL will be (translated addresses, because outbound NAT is applied before IPsec):
ip access-list extended VPN-ACL
 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Site C has 192.168.1.0/24
Same as site B, but translated to 192.168.3.x.

NAT pool:
ip nat pool POOLSITEA 192.168.3.1 192.168.3.254 prefix-length 24 type match-host
NAT ACL:
ip access-list extended NAT-ACL
 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
ip nat inside source list NAT-ACL pool POOLSITEA
VPN ACL will be:
ip access-list extended VPN-ACL
 permit ip 192.168.3.0 0.0.0.255 10.1.1.0 0.0.0.255

Hope you understand.
*** Do Rate Helpful Posts***
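As an added worked example, not part of the answer above and not taken from Cisco documentation, here is a complete IOS configuration for the scheme that answer describes: sites B and C each translate their 192.168.1.0/24 to a distinct subnet before encryption, and site A terminates two tunnels with non-overlapping crypto ACLs. One technique is swapped in: the dynamic NAT pool is replaced by a static network translation (ip nat inside source static network), because in the original question only site A ever initiates connections, and a dynamic pool only creates a translation when an inside host sends the first packet, so the first inbound packet from site A would find no entry. Public IPs, interface names, the ISAKMP/IPsec policy (IOS 15.x syntax) and the pre-shared keys are all assumptions chosen for the example.

```cisco
! ---------- Site B router (IOS 15.x assumed) ----------
! Assumed addressing: Site B public IP 3.3.3.3/29 (gateway 3.3.3.1),
! Site A public IP 2.2.2.2, pre-shared key EXAMPLE-PSK-B. All are assumptions.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-B address 2.2.2.2
!
crypto ipsec transform-set TS-SITEA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Static 1:1 network NAT: 192.168.1.x <-> 192.168.2.x, host part preserved.
! Static rather than a dynamic pool because Site A initiates every session:
! the translation must already exist when the first inbound packet arrives.
ip nat inside source static network 192.168.1.0 192.168.2.0 /24
!
! Crypto ACL uses the translated addresses: outbound NAT runs before IPsec,
! and inbound decryption runs before the destination is untranslated.
ip access-list extended VPN-TO-SITEA
 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map CM-SITEA 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS-SITEA
 match address VPN-TO-SITEA
!
interface GigabitEthernet0/0
 description LAN 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 description Internet
 ip address 3.3.3.3 255.255.255.248
 ip nat outside
 crypto map CM-SITEA
ip route 0.0.0.0 0.0.0.0 3.3.3.1

! ---------- Site C router: as Site B, but translated to 192.168.3.0/24 ----------
! (public IP 4.4.4.4/29 via 4.4.4.1 and key EXAMPLE-PSK-C assumed; the isakmp
! policy, transform set, crypto map and interface lines are the same as Site B)
crypto isakmp key EXAMPLE-PSK-C address 2.2.2.2
ip nat inside source static network 192.168.1.0 192.168.3.0 /24
ip access-list extended VPN-TO-SITEA
 permit ip 192.168.3.0 0.0.0.255 10.1.1.0 0.0.0.255

! ---------- Site A router (public IP 2.2.2.2/29 via 2.2.2.1 assumed) ----------
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-B address 3.3.3.3
crypto isakmp key EXAMPLE-PSK-C address 4.4.4.4
crypto ipsec transform-set TS-REMOTE esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Two non-overlapping crypto ACLs. Crypto map entries are tried in sequence
! order and the first match wins, so both remote sites must present distinct
! translated subnets; a second entry for the same 192.168.1.0/24 would never be selected.
ip access-list extended VPN-TO-SITEB
 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended VPN-TO-SITEC
 permit ip 10.1.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
crypto map CM-REMOTE 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set TS-REMOTE
 match address VPN-TO-SITEB
crypto map CM-REMOTE 20 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set TS-REMOTE
 match address VPN-TO-SITEC
!
! If Site A also PATs its LAN to the Internet, exempt the VPN traffic first,
! otherwise it is translated to 2.2.2.2 before the crypto ACLs are checked.
ip access-list extended NAT-INTERNET
 deny   ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface GigabitEthernet0/1 overload
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 2.2.2.2 255.255.255.248
 ip nat outside
 crypto map CM-REMOTE
ip route 0.0.0.0 0.0.0.0 2.2.2.1
```

To check it, send traffic from a 10.1.1.x host to 192.168.2.50 and 192.168.3.50: on site A, show crypto ipsec sa should show two SAs with different peers and the packet counters incrementing on the right one; on site B, show ip nat translations should list the static 192.168.2.x to 192.168.1.x entries, and show crypto ipsec sa should show the proxy identities 192.168.2.0/24 and 10.1.1.0/24, never the real 192.168.1.0/24.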
03-04-2013 01:15 PM
Thanks for your reply.
As far as I can tell, in your example you require the firewall or router at site B and C to do source NATting.
I'm looking for a method to avoid that, so that site B and C will only require one SA, with a public IP from site A at one end and 192.168.1.0/24 at the other.
So I need the router or firewall at site A to have two identical SAs and still, by recognizing which virtual NATted IP segment the client has sent traffic to, be able to redirect the traffic to the right site.
For example:
Traffic to 172.16.1.0/24 should be redirected to site B via an SA like 2.2.2.2 <-> 192.168.1.0/24
Traffic to 172.16.2.0/24 should be redirected to site C via an SA like 2.2.2.2 <-> 192.168.1.0/24
Is there any possible way to do this? Maybe via multiple contexts or the like on a router.
Best Regards
Martin