VPN scenario solution required

Unanswered Question

Dear all ,

Consider 3 locations head office , branch office and canada .(rough network diagram is attached)

Head office

In head office i am having one /30 public ip and one /29 ip pool + 3 routers

R2 is internet router , R3 and R4 are DM VPN routers (all 300 branches are connected to these two )

Branch office

I am having 300 branch offices all using DMVPN and routing protocol as OSPF

Canada

All my Ecommerce servers are located here

Required solution

1.ALL branches should access e commerce server's through HO

2. establish a vpn tunnel between HO and canada (e commerce server loc)

3.All branch IP should be nated to a public ip  and forwarded to vpn tunnel

4. IPSEC tunnel will allow only one public IP - another public IP communication

Please somebody suggest me how can i achive this / where can i terminate the Canada VPN tunnel /do i need a third device to achive  this.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Yudong Wu Thu, 09/02/2010 - 16:18

I think you can terminiate VPN from ecommerce site on R2.

on R2, configure NAT to nat all branch office IP to a public IP.

You need to use the public IP in the ACL for the VPN tunnel between HO and ecommerce site.

Setup the routing between R2, R3 and R4 accordingly.

It should fix your request.

Thank you verymuch for your valuable suggession Yudong

Could you please clarify my below queries

  1. arround 100 branches are connected to R2 as well .when a branch office tries to communicate to e-com site will it take nat statement and pass through the tunnel.
  2. when i do the vpn configuration isakmp will be  enabled on interface with ip 1.1.1.2 and the vpn acl allowed ip will be 1.1.1.4 (new ip for vpn) ----is that ok
Yudong Wu Thu, 09/02/2010 - 21:14

Answer in line

  1. arround 100 branches are connected to R2 as well .when a branch  office tries to communicate to e-com site will it take nat statement and  pass through the tunnel.

[Wu] It won't be NATed if they come into and go out on the same interface.

        Could you please explain why you would like to NAT those branch IP?

  1. when i do the vpn configuration  isakmp will be  enabled on interface with ip 1.1.1.2 and the vpn acl  allowed ip will be 1.1.1.4 (new ip for vpn) ----is that ok

[Wu] I think it should be Ok. After the packet is decrypted, the destination IP 1.1.1.4 should be nat-ed back to the branch IP and then be forwarded based on routing table. But I did not implement the same before. I would like to suggest you to run a testing in the lab.

Thank yo u again Yudong

What do you suggest i am terminating VPN on R2 router , But the problem is that in R2 router both interface is having public IP address and the router is working on routing mode. But where can i do NAT ing (BR IP's to public IP's) 

If i am introducing  a new router  router will this solve all complications

Kindly suggest me a solution.

Yudong Wu Fri, 09/03/2010 - 08:58

I don't mind if you would like to add one more router.

It does not matter if both port on R2 has public IP. You can always do the NAT on R2.

Saying you have S0 and E0 interface R2, S0 is configured as "ip nat outside" and E0 is configured as "ip nat inside". When the packet from branch site to ecommerce server is routed to E0 interface of R2, they match the NAT rule which you defined and then the source IP (branch IP) will be nat-ed.

If you add one more router, saying R5, you can place it at the similar way as R3 and R4 and move all of your branch tunnel which are terminated on R2 to this new router. So on R3, R4 and R4, you will need a route entry to forward all traffic from the brach to e-server to E0 interface of R2. They will be nat-ed there.

Again, I don't know why you would like to NAT all those branch IPs.

Hi Yudong,

I believe you didn't get my question correctly. will explain again with the attached diagram

My existing network consist of R2,R3,R4, core switch and 300 branches (starting from 192.168.1.x --- 192.168.254.x ) . My new requirement is to establish a new VPN tunnel to Canada to access E com sites.

But my problem is that Canada guys will allow only one IP address (public)  through the tunnel. so i am forced to nat all branch ip to a single public IP and that has to be forwarded through ( eg -- VPN ACL will permit only 1.1.1.4 to 3.3.3.3 , 1.1.1.4 is my nated IP address )

Please suggest me where can i terminate VPN to achive my requirments .

Yudong Wu Sat, 09/04/2010 - 07:23

I do understand you reqirement.

The only thing which I don't know is why you would like to PAT the branch IP, which you did not explain until your last post.

The other thing is that you mentioned in your first post.

"R2 is internet router , R3 and R4 are DM VPN routers (all 300 branches are connected to these two )"


So, based on the above statement, I assume that there is no VPN terminated on R2.

But later on, you said "arround 100 branches are connected to R2 as well".

My question to you is

1. On R2, do you have 3 active interfaces? two of them have public IP and are facing to the internet and the other one has private IP and is used for internal network?

2. If yes, are those 100 branches terminated on one of the interfaces with publich IP and the other public IP interface is used for internet connection?

Since you can only NAT-to one IP, NAT has to be configured on the router where ecommerce VPN is terminated.

Regarding to where ecommerce VPN can be terminated, you can use R2 if

- no branch VPN is terminated on R2

OR

- there are branch VPN terminated on R2 but you can use a different interface to terminate ecommerce VPN.

(if both VPN are terminated on the same interface, you can not NAT the IP)

Otherwise, you have to add a new router as I stated previously.

Actions

This Discussion