Sunday, March 4, 2018

Cisco ASAs: Forwarding Traffic via S2S through another S2S VPN

Hi,

I have a problem which I can't get solved, and I'm unsure if the Cisco ASA is capable of giving me a working solution.

Problem (see graph):

  • 3x locations with Cisco ASA as edge router
  • each location with a different internal address space
  • locations are connected via S2S VPN in a "row" = loc1 <-> loc2 <-> loc3
  • Client No. 1 of loc1 can reach servers in loc2 (of course)
  • Client No. 1 cannot reach servers in loc3 (of course)
  • CANNOT share encryption domain between ASA No. 1 and ASA No. 3

Not-working solution:

  • NAT on ASA No. 2 like "OUTSIDE, OUTSIDE <Client No. 1 IP> <Server No. 2 IP> <Port> <Port>" does not work
  • NAT on ASA No. 2 with a virtual IP from the ASA No. 2 network does not work either

Thoughts:

  • "not work" means I can see connections building up on ASA No. 2, but they are not reaching ASA No. 3
  • NATed traffic tries to exit via the default gateway of ASA No. 2 to the "internet" and is not being sent through the tunnel

Working solution:

  • setting up a DNAT on Server No. 1 from Client No. 1 to Server No. 2 works fine

Graph:

+-----------------+               +-----------------+               +-----------------+
|    ASA No. 1    |+-------------+|    ASA No. 2    |+-------------+|    ASA No. 3    |
|                 |     S2S       |                 |     S2S       |                 |
| ext 1.1.1.1     |   EncDom:     | ext 2.2.2.2     |   EncDom:     | ext 3.3.3.3     |
| int 10.0.1.0/24 |  10.0.1.0/24  | int 10.0.2.0/24 |  10.0.2.0/24  | int 10.0.3.0/24 |
|                 |  10.0.2.0/24  |                 |  10.0.3.0/24  |                 |
+-----------------+               +-----------------+               +-----------------+
         +                                 +                                 +
         | L2                              | L2                              | L2
         |                                 |                                 |
         +                                 +                                 +
+-----------------+               +-----------------+               +-----------------+
|   Client No. 1  |               |   Server No. 1  |               |   Server No. 2  |
|                 |               |                 |               |                 |
| loc 10.0.1.2    |               | loc 10.0.2.2    |               | loc 10.0.3.2    |
|                 |               |                 |               |                 |
|                 |               |                 |               |                 |
+-----------------+               +-----------------+               +-----------------+
