[c-nsp] ASA 5505 NAT and asymmetric routing
Bruce Pinsky
bep at whack.org
Mon Oct 8 13:58:23 EDT 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Matthew DeSantos wrote:
> All,
>
> Hopefully I can explain this correctly. I'm having an issue with
> communication (telnet/ssh) from a public server to remote private nodes.
> The issue is the return path, private IPs can't route via the INET. So,
> my initial thought was to plug the servers into the ASA and give them
> private IPs. However, these servers actively monitor our private IPs. If
> I change the IP of the server(s) this will require a lot of manual
> changes. The private nodes will need to be updated to allow the new
> private IP access. I'm thinking I need to configure static PAT or some
> sort of NAT. This is where I'm stuck and don't fully understand how to
> implement. The setup is below:
>
> Public Server(s) -[ROUTER]---ASA====tunnel=====ASA--[ROUTER] Private IP
> (10.1.0.0/17)
>
> Again, I need to allow these servers telnet and ssh access (we run
> scripts from these servers). I've been reading the ASA 5505
> configuration guide, but I'm at a stand still now. The inside and
> outside interfaces plug into my upstream router. The servers are
> actively monitoring all the private nodes via the tunnel, but I can't
> telnet/ssh to these devices from the public servers (asymmetrical
> routing). If anyone has previous experience with this type of setup I
> would greatly appreciate some direction/assistance.
Your drawing shows a tunnel between the ASA's. Assuming the public servers
reside behind your ASA and don't have to be reached via the public internet
from the private IP addresses, you can simply put static routes in each of
the ASAs that point to the addresses in question over the tunnel.
- --
=========
bep
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlBzFD8ACgkQE1XcgMgrtyYfxQCeLQ/1p0eUwxHutVfCpe7d3maD
/BoAnj4x8F1kMOp8qWgOVeYxHJR8t6gh
=VBsQ
-----END PGP SIGNATURE-----
More information about the cisco-nsp
mailing list