I have two ASA firewalls on different subnets, each with their own internet connection. An IPsec tunnel is set up between my company and another company that terminates on one of my ASA firewalls. The remote end of the tunnel will not support a second tunnel endpoint for redundancy.
Because of this I was wondering if it is possible to route the packets that establish the tunnel out the second firewall and simply NAT the source address to the address of my primary firewall's outside address. The tunnel is set up to be established by interesting traffic originating from my company's side.
My ISP, in the event my primary connection goes down, will route packets destined for my tunnel endpoint to my second firewall's internet connection. I figure if I can just NAT the tunnel endpoint address (destination address) to the assigned address on my second firewall's outside interface, that I could establish the tunnel this way. Anyone know if this is supported? I know that about 10 years ago it wasn't, but I heard it can be done now.
It should work.
I've seen it work like that at least in Cisco equipment.
Also I think that if you see this problem with NAT, it should be fixed by NAT-T (when the devices sense that there's a NAT device in the path, packets 5 and 6 for key-exchange go in UDP 4500).
It seems to be that it should work.
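As an added illustration of the NAT-T detection the answer above refers to (this is example code written for this page, not a Cisco ASA feature or anything from the original thread), the following simulation shows why the setup in the question gets noticed by IKE and moved to UDP 4500. Each IKE peer sends a NAT detection payload carrying a hash over the IKE SPIs plus the IP address and port it believes its own packet carries (RFC 3947 NAT-D for IKEv1 with the negotiated hash, RFC 7296 section 2.23 NAT_DETECTION_SOURCE_IP/DESTINATION_IP for IKEv2 with SHA-1); the receiver recomputes the hash over the addresses actually observed on the wire, and a mismatch means a NAT rewrote them on the path. The addresses, SPIs and the assumption that the second ASA sources its IKE packets from its own outside address and a NAT rewrites them to the primary ASA's address are all constructed for the example; SHA-1 is used as in IKEv2.

```python
"""Constructed simulation of IKE NAT detection (RFC 3947 / RFC 7296 sec. 2.23).

A peer hashes SPI_i | SPI_r | IP | port for the source and destination of
its own packet.  The receiver recomputes the hash over what it actually saw
on the wire.  Any mismatch means a NAT sits in the path, and both sides
switch IKE and ESP to UDP/4500 (NAT-T) so the ESP packets can be NATed too.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500       # UDP port for the initial IKE exchange
NAT_T_PORT = 4500    # UDP port used once a NAT has been detected

# Constructed SPIs for the example; real ones are random 64-bit values.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPI_i | SPI_r | IP (packed) | port (16-bit big endian)."""
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_between(spi_i: bytes, spi_r: bytes, claimed: tuple, observed: tuple) -> bool:
    """True when the sender's hash (over the address it believes it used)
    differs from the hash over the address/port the receiver observed."""
    return nat_detection_hash(spi_i, spi_r, *claimed) != nat_detection_hash(spi_i, spi_r, *observed)


def apply_source_nat(packet: dict, nat_table: dict) -> dict:
    """Rewrite the packet's source address/port the way a static NAT (or PAT,
    when the table entry carries a port) on the path would."""
    key = packet["src"]
    if key not in nat_table:
        return dict(packet)
    new_ip, new_port = nat_table[key]
    return {**packet, "src": new_ip, "sport": new_port if new_port is not None else packet["sport"]}


def simulate_exchange(initiator_ip: str, responder_ip: str, nat_table: dict) -> dict:
    """Run the NAT detection for both directions of an IKE exchange.

    initiator_ip: address the initiator actually sources its packet from
    responder_ip: the remote peer (assumed not to be behind any NAT)
    nat_table:    {real_src_ip: (public_ip, public_port_or_None)} applied on
                  the initiator's path toward the responder
    Returns which side a NAT was detected on and the UDP port IKE moves to.
    """
    # Initiator builds its NAT detection payload from the addresses it sees
    # on its own packet, then the NAT on the path rewrites the header.
    sent = {"src": initiator_ip, "sport": IKE_PORT, "dst": responder_ip, "dport": IKE_PORT}
    on_wire = apply_source_nat(sent, nat_table)

    # Responder recomputes the hashes over the observed header.
    nat_on_initiator_side = nat_between(
        SPI_I, SPI_R, (sent["src"], sent["sport"]), (on_wire["src"], on_wire["sport"]))
    nat_on_responder_side = nat_between(
        SPI_I, SPI_R, (sent["dst"], sent["dport"]), (on_wire["dst"], on_wire["dport"]))

    nat_detected = nat_on_initiator_side or nat_on_responder_side
    return {
        "observed_source": (on_wire["src"], on_wire["sport"]),
        "nat_on_initiator_side": nat_on_initiator_side,
        "nat_on_responder_side": nat_on_responder_side,
        "udp_port": NAT_T_PORT if nat_detected else IKE_PORT,
    }


if __name__ == "__main__":
    # Constructed addresses: second ASA outside, primary ASA outside, remote peer.
    second_asa, primary_asa, remote_peer = "198.51.100.20", "203.0.113.10", "192.0.2.1"
    # Static source NAT that presents the second ASA as the primary's address.
    print(simulate_exchange(second_asa, remote_peer, {second_asa: (primary_asa, None)}))
    # Same, but a PAT also rewrites the source port: still detected.
    print(simulate_exchange(second_asa, remote_peer, {second_asa: (primary_asa, 61000)}))
    # No NAT on the path: the exchange stays on UDP/500.
    print(simulate_exchange(primary_asa, remote_peer, {}))
```

The point the simulation makes is that the source NAT in the question does not break IKE by itself: the responder sees a hash mismatch on the initiator's source, flags a NAT on that side, and the peers continue on UDP 4500 with ESP encapsulated in UDP, which is exactly what NAT-T exists for. Whether the remote peer has NAT-T enabled is the thing to confirm with the other company.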