TechExams.net IT Certification Forums > Cisco > CCSP
ASA - Port Forwarding?

Post #1 by mikearama (Senior Member; Oshawa, Ontario; Certifications: MCSE, CCNA:Sec, CCNP), 01-25-2010, 03:15 PM

Maybe I'm over-complicating this.

I have a DR (disaster recovery) environment for which a requirement is causing me grief. I need to forward requests for a local server to a non-local server. I.e., the servers, as they're rebuilt using snapshots of our HA (high availability) servers, are already pointed to an ldap/nds server by a specific IP, which is local in our HA environment.

At DR, that server is not within our scope, so I need to set up what would amount to port forwarding on my Linksys router at home... anything pointing to the local nds server needs to get pointed to another nds server, which, though also at DR, is in another subnet.

I hope that made sense. Let me know if you have any questions, or answers.

Mike



__________________
There are only 10 kinds of people... those who understand binary, and those that don't.

Post #2 by Ahriakin (Moderator; Certifications: CCIE #23276 - Security, CCSP, CCNA, MCSE 2003: Security, LPIC-1), 01-25-2010, 05:57 PM

You can use port based translations, Dynamic PAT, for the same thing. But are you sure you need to redirect based on port? Surely if you're planning for HA then you need to essentially redirect for the entire server (since I doubt an earthquake will just affect LDAP). In that case just do a standard NAT on the firewall to the HA server (and rewrite DNS if that hasn't changed on the DNS server itself during the outage).

e.g. Port based
"static (inside,ha-site) tcp ha-server-ip 389 original-ip 389"
With DNS doctoring:
"static (inside,ha-site) tcp ha-server-ip 389 original-ip 389 dns"


While that will redirect the packets bear in mind you may have (likely will, I haven't tried this) issues with AD replication authentication.



__________________
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?

Post #3 by mikearama (Senior Member; Oshawa, Ontario; Certifications: MCSE, CCNA:Sec, CCNP), 01-28-2010, 04:37 PM

Great info, Ahriakin. However, I can't get it working.

Perhaps a little clarification...

Vlan 241 --- ASA --- Vlan 222 --- Core 6504 --- Vlan 199

So the servers are rebuilt in the 241 range, and have NDS set to, say, 241.122. Our actual NDS server sits in Vlan 199, say, 199.212.

Putting the NAT rule in place {static (DR-HA,Core) 199.212 241.122} on the ASA appears to rewrite the packet, but as the 199 subnet is not directly connected, I have to assume that's my issue. The Core subnet is a 172.22.0.0 range, while vlan 199 is on the other side of the Core 6504. In this case, NATting doesn't appear to do the job as I expected, as it does with port forwarding on the Linksys.

Routing is in place throughout, and the 241 servers can ping the 199 server.

Hope that helps... cause I'm baffled.

Oh, and yeah, AD was complicated. I have a DC at DR, but it cannot see the HA subnets, so we are still able to bring up servers both here and at DR.



__________________
There are only 10 kinds of people... those who understand binary, and those that don't.

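One way to express the redirect discussed in this thread as an ASA destination-NAT static in the pre-8.3 syntax the posters use, added here as an illustration and not taken from either post; the interface names, the full 10.0.x.x addresses, and the LDAP-only access list are assumptions for the topology sketched in post #3.

```text
! Added illustration, not the thread's own config. Pre-8.3 ASA "static" syntax.
! Assumptions (placeholders, not values from the thread):
!   DR-HA        = ASA interface facing Vlan 241 (the rebuilt servers)
!   Core         = ASA interface facing Vlan 222 / the Core 6504, with Vlan 199 behind it
!   10.0.241.122 = address the rebuilt servers have hard-coded for NDS (the ".241.122" above)
!   10.0.199.212 = the real NDS server in Vlan 199 (the ".199.212" above)
!
! Destination NAT: the real host on the Core side is presented to the DR-HA side
! under the address the servers already use. Note the argument order:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip
! so the real server's interface comes first and its real address comes last.
static (Core,DR-HA) 10.0.241.122 10.0.199.212 netmask 255.255.255.255
!
! The mapped address sits inside the DR-HA subnet itself, so the servers ARP for it
! locally; the ASA answers with proxy ARP for static mappings on the mapped interface
! by default, which is what lets the packets reach the firewall at all. Do not disable
! it on that interface ("sysopt noproxyarp DR-HA" would break this design).
!
! Least privilege: permit only the directory protocols toward the mapped address, so
! the redirect does not become a general path from the DR servers into Vlan 199.
! On the ingress interface the access list matches the address as seen there (mapped).
access-list DR-HA_in extended permit tcp 10.0.241.0 255.255.255.0 host 10.0.241.122 eq 389
access-list DR-HA_in extended permit tcp 10.0.241.0 255.255.255.0 host 10.0.241.122 eq 636
access-list DR-HA_in extended deny ip any any log
access-group DR-HA_in in interface DR-HA
!
! Verification: the xlate table should show the 10.0.241.122 -> 10.0.199.212 mapping,
! and the access-list hit counts should climb while a rebuilt server is binding to NDS.
show xlate
show access-list DR-HA_in
```

The ASA only rewrites traffic that transits it, and the return path from Vlan 199 must route back through the Core interface, so the route on the 6504 for the DR-HA subnet has to point at the ASA.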