Hi,
I have a problem which I can't get solved and I'm unsure, if the Cisco ASA is capable of give me a working solution.
Problem (see graph):
- 3x locations with Cisco ASA as edge router
- each location with a different internal address space
- locations are connected via S2S VPN in a "row" = loc1 <-> loc2 <-> loc3
- Client No. 1 of loc1 can reach servers in loc2 (of course)
- Client No. 1 cannot reach servers in loc3 (of course)
- CANNOT share encryption domain between ASA No. 1 and ASA No. 3
Not-working solution:
- NAT on ASA No. 2 like "OUTSIDE, OUTSIDE <Client No. 1 IP> <Server No. 2 IP> <Port> <Port>" do not work
- NAT on ASA No. 2 with virtual-IP from ASA No. 2 network does also not work
Thoughts:
- "not work" means, I can see connections building up on ASA No. 2 but they are not reaching ASA No. 3
- NATed traffic tries to exit via default gateway from ASA No. 2 to the "internet" and not being send through the tunnel
Working solution:
- setting up a DNAT on Server No. 1 from Client No. 1 to Server No. 2 is working fine
Graph:
+-----------------+ +-----------------+ +-----------------+ | ASA No. 1 | +-------------+ | ASA No. 2 | +-------------+ | ASA No. 3 | | | S2S | | S2S | | | ext 1.1.1.1 | EncDom: | ext 2.2.2.2 | EncDom: | ext 3.3.3.3 | | int 10.0.1.0/24 | 10.0.1.0/24 | int 10.0.2.0/24 | 10.0.2.0/24 | int 10.0.3.0/24 | | | 10.0.2.0/24 | | 10.0.3.0/24 | | +-----------------+ +-----------------+ +-----------------+ + + + | L2 | L2 | L2 | | | + + + +-----------------+ +-----------------+ +-----------------+ | Client No. 1 | | Server No. 1 | | Server No. 2 | | | | | | | | loc 10.0.1.2 | | loc 10.0.2.2 | | loc 10.0.3.2 | | | | | | | | | | | | | +-----------------+ +-----------------+ +-----------------+
No comments:
Post a Comment