
ASA - Port Forwarding?

mikearama Member Posts: 749
Maybe I'm over-complicating this.

I have a DR (disaster recovery) environment for which a requirement is causing me grief. I need to forward requests for a local server to a non-local server. I.e., the servers, as they're rebuilt using snapshots of our HA (high availability) servers, are already pointed to an ldap/nds server by a specific IP, which is local in our HA environment.

At DR, that server is not within our scope, so I need to set up what would amount to port forwarding on my Linksys router at home... anything pointing to the local nds server needs to get pointed to another nds server, which, though also at DR, is in another subnet.

I hope that made sense. Let me know if you have any questions, or answers.

Mike
There are only 10 kinds of people... those who understand binary, and those that don't.

CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.

Comments

  • Ahriakin Member Posts: 1,799
    You can use port based translations, Dynamic PAT, for the same thing. But are you sure you need to redirect based on port? Surely if you're planning for HA then you need to essentially redirect for the entire server (since I doubt an earthquake will just affect LDAP :) ). In that case just do a standard NAT on the firewall to the HA server (and rewrite DNS if that hasn't changed on the DNS server itself during the outage).

    e.g. Port based
    "static (inside,ha-site) tcp ha-server-ip 389 original-ip 389"
    With DNS doctoring:
    "static (inside,ha-site) tcp ha-server-ip 389 original-ip 389 dns"


    While that will redirect the packets bear in mind you may have (likely will, I haven't tried this) issues with AD replication authentication.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • mikearama Member Posts: 749
    Great info, Ahriakin. However, I can't get it working.

    Perhaps a little clarification...

    Vlan 241 --- ASA --- Vlan 222 --- Core 6504 --- Vlan 199

    So the servers are rebuilt in the 241 range, and have NDS set to, say, 241.122. Our actual NDS server sits in Vlan 199, say, 199.212.

    Putting the NAT rule in place {static (DR-HA,Core) 199.212 241.122} on the ASA appears to rewrite the packet, but as the 199 subnet is not directly connected, I have to assume that's my issue. The Core subnet is a 172.22.0.0 range, while vlan 199 is on the other side of the Core 6504. In this case, Natting doesn't appear to do the job as I expected, as it does with port forwarding on the Linksys.

    Routing is in place throughout, and the 241 servers can ping the 199 server.

    Hope that helps... cause I'm baffled.

    Oh, and yeah, AD was complicated. I have a DC at DR, but it cannot see the HA subnets, so we are still able to bring up servers both here and at DR.
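As an added example (not from either poster), here is how the pre-8.3 ASA `static` syntax quoted in the thread lines up with the topology in the second post. The interface names DR-HA and Core come from the post; the full addresses 10.0.241.122 and 10.0.199.212 and the next hop 172.22.0.1 are constructed placeholders, since only the last two octets and the 172.22.0.0 Core range are given.

```cisco
! Added example, not configuration from the thread.
! Assumed: interface DR-HA = vlan 241 (rebuilt servers), interface Core = vlan 222
! (towards the 6504 and vlan 199). Addresses are constructed placeholders:
!   10.0.241.122 = local NDS IP the rebuilt servers already point at
!   10.0.199.212 = the real NDS server, one hop past the 6504
!
! Argument order for pre-8.3 static NAT:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask] [dns]
!   real_ifc   = interface through which the real server is reached (Core)
!   mapped_ifc = interface the clients sit on (DR-HA)
!   mapped_ip  = address the clients send to (10.0.241.122)
!   real_ip    = address of the actual server (10.0.199.212)
! The attempt quoted above, static (DR-HA,Core) 199.212 241.122, has both the
! interface pair and the address pair the other way round: it would make a server
! on DR-HA appear on Core, not redirect DR-HA clients towards Core.

! Whole-server redirect (all ports). The ASA proxy-ARPs for 10.0.241.122 on DR-HA,
! so that address must not be in use on vlan 241. The dns keyword rewrites A-record
! answers for 10.0.199.212 to 10.0.241.122 as they cross towards DR-HA.
static (Core,DR-HA) 10.0.241.122 10.0.199.212 netmask 255.255.255.255 dns

! Port-only variant (LDAP/NDS on tcp/389), as the first reply suggests:
! static (Core,DR-HA) tcp 10.0.241.122 389 10.0.199.212 389 netmask 255.255.255.255

! The real server is not directly connected, so the ASA itself needs a route for it
! via the 6504 on the Core interface (next hop is an assumed placeholder).
route Core 10.0.199.0 255.255.255.0 172.22.0.1

! If DR-HA is the lower-security interface, permit the flow. Pre-8.3 inbound ACLs
! match the address as seen on the ingress interface, i.e. the mapped address.
access-list DR-HA_in extended permit tcp any host 10.0.241.122 eq 389
access-group DR-HA_in in interface DR-HA
```

Verify with `show xlate` (the translation should appear once a DR-HA host connects) and `show route` for the 199 subnet before chasing anything else.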