[c-nsp] ASA 5505 NAT and asymmetric routing

Matthew DeSantos mdesantos22 at yahoo.com
Mon Oct 8 15:49:41 EDT 2012


This is the problem I'm having. The public servers aren't behind the ASA and have to be reached via the internet. I'm trying to keep the public side public and the private (internal) stuff private.


________________________________
 From: Bruce Pinsky <bep at whack.org>
To: Matthew DeSantos <mdesantos22 at yahoo.com> 
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net> 
Sent: Monday, October 8, 2012 1:58 PM
Subject: Re: [c-nsp] ASA 5505 NAT and asymmetric routing
 

Matthew DeSantos wrote:
> All,
> 
> Hopefully I can explain this correctly. I'm having an issue with
> communication (telnet/ssh) from a public server to remote private nodes.
> The issue is the return path, private IPs can't route via the INET. So,
> my initial thought was to plug the servers into the ASA and give them
> private IPs. However, these servers actively monitor our private IPs. If
> I change the IP of the server(s) this will require a lot of manual
> changes. The private nodes will need to be updated to allow the new
> private IP access. I'm thinking I need to configure static PAT or some
> sort of NAT. This is where I'm stuck and don't fully understand how to
> implement. The setup is below:
> 
> Public Server(s) -[ROUTER]---ASA====tunnel=====ASA--[ROUTER] Private IP
> (10.1.0.0/17)
> 
> Again, I need to allow these servers telnet and ssh access (we run
> scripts from these servers). I've been reading the ASA 5505
> configuration guide, but I'm at a stand still now. The inside and
> outside interfaces plug into my upstream router.  The servers are
> actively monitoring all the private nodes via the tunnel, but I can't
> telnet/ssh to these devices from the public servers (asymmetrical
> routing). If anyone has previous experience with this type of setup I
> would greatly appreciate some direction/assistance.


Your drawing shows a tunnel between the ASAs.  Assuming the public servers
reside behind your ASA and don't have to be reached via the public internet
from the private IP addresses, you can simply put static routes in each of
the ASAs that point to the addresses in question over the tunnel.

-- 
=========
bep

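The configuration below is an added illustration of Bruce's suggestion applied to the drawn topology (public server -> router -> ASA ==tunnel== ASA -> router -> 10.1.0.0/17); it is not from either poster. On an ASA a plain static route is not what puts a flow into an IPsec tunnel: the crypto map's match ACL selects it, and the flow must also be exempted from NAT, so "point the public server's address over the tunnel" means adding the server's /32 to the crypto ACL and the NAT exemption on both ASAs, plus routes so the clear-text hops deliver to the right interface. ASA 8.3 or later NAT syntax is assumed, the existing site-to-site tunnel (IKE policy, transform set, tunnel-group, crypto map instance) is assumed to be already working for the two inside networks, and every address and object name is constructed for the example (RFC 5737 documentation ranges for the public side).

```text
! ===== Upstream router on the public side (IOS syntax) =====
! The public server has only a default route to the Internet, so the router
! in front of the ASA must hand 10.1.0.0/17 to the ASA's inside interface.
! Constructed: 192.0.2.2 is the local ASA's inside address.
ip route 10.1.0.0 255.255.128.0 192.0.2.2

! ===== Local ASA (public-server side) =====
! Constructed: 203.0.113.10 = public server, 192.0.2.1 = upstream router.
object network PUBLIC_SRV
 host 203.0.113.10
object network REMOTE_PRIV
 subnet 10.1.0.0 255.255.128.0

! Decrypted return traffic for the server arrives on "outside" and must be
! routed back out "inside" to the router, not to the default route.
route inside 203.0.113.10 255.255.255.255 192.0.2.1

! Add the server/private pair to the tunnel's existing crypto ACL
! (VPN_TO_REMOTE is the assumed name of that ACL).
access-list VPN_TO_REMOTE extended permit ip object PUBLIC_SRV object REMOTE_PRIV

! Identity NAT so the real 203.0.113.10 travels inside the tunnel unchanged.
nat (inside,outside) source static PUBLIC_SRV PUBLIC_SRV destination static REMOTE_PRIV REMOTE_PRIV no-proxy-arp route-lookup

! ===== Remote ASA (in front of the 10.1.0.0/17 nodes) =====
! Without this mirror entry the reply from 10.1.x.x to 203.0.113.10 matches
! the default route and leaves in the clear: the asymmetry in the question.
object network PUBLIC_SRV
 host 203.0.113.10
object network LOCAL_PRIV
 subnet 10.1.0.0 255.255.128.0
access-list VPN_TO_LOCAL extended permit ip object LOCAL_PRIV object PUBLIC_SRV
nat (inside,outside) source static LOCAL_PRIV LOCAL_PRIV destination static PUBLIC_SRV PUBLIC_SRV no-proxy-arp route-lookup

! ===== Checks (run on the remote ASA) =====
! The reply path should hit the VPN phase, not just ROUTE-LOOKUP/NAT.
! Constructed: 10.1.0.5 is one of the monitored private nodes.
packet-tracer input inside tcp 10.1.0.5 1025 203.0.113.10 22
! After a test SSH from the server, both counters should climb.
show crypto ipsec sa peer 198.51.100.1
```

The crypto ACLs on the two ends must be exact mirrors of each other, or the SA proposal for this pair is rejected and the flow silently falls back to plain routing; if `packet-tracer` shows the reply leaving via `outside` with no `VPN` phase, the ACL or NAT exemption on that ASA is the first thing to compare against the other side.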

