Topic: vpn
mamo
Specialist
Member # 12848
posted May 27, 2012 11:49 PM
Dear all,
Can you please assist on this:
lan----asa1-----internet-----asa2----internet----asa3
There are no private IPs, all are public, and there is no NAT. The LAN can reach the Internet after asa1, but policy requires that it go through a VPN to asa2, coming in and going out on the outside interface there, so that it can be controlled on asa2. How can this be achieved? Your inputs are greatly appreciated.
{there should not be any global (outside) or nat (outside)}
Mamo
Posts: 90 | From: usa | Registered: Jul 2004
theevilmuffin
I need a life
Member # 23191
posted May 28, 2012 01:02 AM
Put a default route on asa1 to the peer tunnel on asa2,
put a route on asa1 to the physical tunnel of asa2.
This should form the VPN and all traffic will flow to asa2.
Hairpin on asa2 for Internet traffic (I think that you will need NAT here, or else the ISP will send the return traffic to asa1, not asa2).
Cheers
Posts: 1065 | From: UK | Registered: Sep 2007
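As an added illustration, not posted by either member of this thread, here is what the routing, tunnel and hairpin described in the reply above look like in ASA configuration. The pre-8.3 syntax is used because the question refers to nat-control and global/nat (outside), which are pre-8.3 commands. All addresses are constructed documentation-range values: asa1's LAN is 203.0.113.0/24, asa1's outside address is 192.0.2.10 with ISP next hop 192.0.2.1, asa2's outside address is 198.51.100.2 with ISP next hop 198.51.100.1. The ACL, transform-set and crypto map names are assumptions and the pre-shared key is a placeholder.

```cisco
! ===== asa1 (constructed example, pre-8.3 ASA syntax) =====
! The ASA has no "route to a tunnel": the default route still points at
! asa1's own ISP next hop, and the crypto map below intercepts matching
! traffic before it leaves. The reply's "default route to the peer" is
! therefore realised by making the crypto ACL cover ALL traffic from the LAN.
route outside 0.0.0.0 0.0.0.0 192.0.2.1
! Host route for asa2's physical outside address: IKE/ESP to the peer must
! travel in the clear, or the tunnel itself can never come up.
route outside 198.51.100.2 255.255.255.255 192.0.2.1
!
! Interesting traffic: everything sourced from the LAN, to any destination.
access-list VPN-TO-ASA2 extended permit ip 203.0.113.0 255.255.255.0 any
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto map CM-OUTSIDE 10 match address VPN-TO-ASA2
crypto map CM-OUTSIDE 10 set peer 198.51.100.2
crypto map CM-OUTSIDE 10 set transform-set TS-AES256
crypto map CM-OUTSIDE interface outside
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-KEY
! No nat (outside) / global (outside) lines: the LAN keeps its public addresses.

! ===== asa2 (constructed example, pre-8.3 ASA syntax) =====
! Decrypted LAN traffic arrives on outside and must leave on outside again.
! Without this line the ASA drops traffic that enters and exits one interface.
same-security-traffic permit intra-interface
!
! Mirror image of asa1's crypto ACL.
access-list VPN-FROM-ASA1 extended permit ip any 203.0.113.0 255.255.255.0
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto map CM-OUTSIDE 10 match address VPN-FROM-ASA1
crypto map CM-OUTSIDE 10 set peer 192.0.2.10
crypto map CM-OUTSIDE 10 set transform-set TS-AES256
crypto map CM-OUTSIDE interface outside
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-KEY
route outside 0.0.0.0 0.0.0.0 198.51.100.1
!
! The whole point of the design is that asa2 enforces policy. By default the
! ASA lets decrypted VPN traffic bypass interface ACLs, so switch that off;
! the outside ACL then applies to the hairpinned LAN traffic as well.
no sysopt connection permit-vpn
! Example policy: the remote LAN may only browse; everything else is logged
! and dropped. Extend this ACL with whatever asa2 already permits inbound
! from the Internet, because the same ACL governs that traffic too.
access-list OUTSIDE-IN extended permit tcp 203.0.113.0 255.255.255.0 any eq 80
access-list OUTSIDE-IN extended permit tcp 203.0.113.0 255.255.255.0 any eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

The open problem the reply points at remains with this configuration: since nothing is translated, packets leaving asa2 toward the Internet still carry 203.0.113.0/24 source addresses, and the Internet returns them to wherever that prefix is routed, normally asa1. asa2's stateful inspection then never sees the return half of the flow, and asa1 receives replies for connections it did not build. Either the upstream provider routes the prefix to asa2 while the tunnel is in use, or asa2 translates the hairpinned traffic to its own outside address, which the question's policy rules out.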
mamo
Specialist
Member # 12848
posted May 28, 2012 07:55 AM
Thank you for your reply, my friend. Are you talking about the IP on the outside interface of asa2 (peer tunnel on asa2) and the outside interface on asa2 (physical tunnel of asa2)?
Also, traffic needs to go to asa3 from the outside interface on asa2 (by policy; there is no way we can utilise NAT, nat-control is disabled). Traffic from asa1 need not go to the LAN behind asa2.
Any input please?
Posts: 90 | From: usa | Registered: Jul 2004