Solved

Rerouting of VPN Traffic

Posted on 2014-01-23
6
418 Views
Last Modified: 2014-01-23
Have a bizarre request:

2 Sites are connected via VPN Tunnel. Site 2 has a private circuit for internal users. Traffic from internal users in Site 2 goes from inside to private line and gets PATed there. The request is:
Users in Site 1 to be able to access the private circuit in Site 2 via the VPN Tunnel. Configuration has been done so that if Users in Site 1 initiate traffic to the Private Line Subnets, this traffic goes via the VPN Tunnel and reaches Site 2 (outside interface where it gets terminated). Issue is that after VPN traffic reaches Site 2, it doesn't go via the Private Line interface or to be precise, it gets routed but is dropped due to "no translation found for source outside destination private line."
Have tried all sorts of NAT, PAT and Static translations with no success. Was able to make it work...but all internal traffic to the outside stopped working :-) This was done through "nat (outside) 10 Site1UsersSubnet outside"
Any suggestions will be appreciated. ASA is 5505 with 8.3 IOS and nat-control enabled.
0
Comment
Question by:Strinalena
  • 3
  • 3
6 Comments
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39804510
First of all I would suggest updating to the 9.1 branch. NAT is so much more evolved in that release.

Secondly what you want can be done easily. When the traffic reaches the private line, is there a requirement that the source address is from Site1 or is it ok if the source address is the inside interface IP of the ASA at site 2?
0
 

Author Comment

by:Strinalena
ID: 39804539
Thanks for the quick response! Can certainly raise the question about the upgrade with Management but doubt that they will accept as all else is working :-)
No requirement for the source address, as long as Users in Site1 are able to get to the Private Line subnets, all is fine. At the moment, users in Site 2 go via inside - private and configuration is:
nat (inside) 10 0.0.0.0 0.0.0.0
global (private) 10 10.37.237.252
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39804566

1

Make sure that the private LAN network segment is sent over the VPN by adding it in the crypto map

2

Create a NAT statement on the site 2 ASA:
nat (outside,inside) source dynamic SITE1-NETWORK interface destination static PRIVATE-LAN-NETWORK PRIVATE-LAN-NETWORK

3

Add a route to the PRIVATE-LAN-NETWORK
route inside PRIVATE-LAN-NETWORK SUBNETMASK ROUTERIP
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:Strinalena
ID: 39804585
Apologies - have made a mistake - just checked and the ASA in Site 1 Is 5505 but there is a PIX in site 2 - 515E - IOS 6.1. Do you think this will be possible?
0
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 500 total points
ID: 39804607
I don't know if that is possible with a PIX515E. It will work with a 5505.
0
 

Author Comment

by:Strinalena
ID: 39804626
Thanks - I have tried so many things an couldn't make it work. Will just ask the company to get new ASAs for this site. Sorry again for the false information and thanks for your help!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Layer 2 versus layer 3 10 88
Reseller Hosting 2 91
How to remotely connect to a pc that got stuck middle restart? 94 142
Home lab datacenter 9 53
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question