I had an earlier post on this subject. After that resolution was received, the data center added a new wrinkle to my test plan.
The goal of this VPN test is to ping an actual server, across a VPN tunnel, without the remotest possibility of causing any outage.
I have an L3 3750 switch behind my firewall and the default gateway is the firewall. I want to create a loopback IP address on this device for VPN tunnel test purposes. I then will source a ping from the loopback to the server IP address at my remote Data Center. My AVPN links do not pass through the firewall.
Per the data center, they have routing set up so that all 192.168.0.0/16 and 10.0.0.0/8 addresses will be routed out their AVPN WAN link. The data center states
I need to create a unique IP address to source the pings from so it will go back out their Checkpoint fw and then the tunnel between us.
I think the loopback address could look as follows: 184.108.40.206/32
If I ping the server IP address from the L3 switch with the loopback address as source, it will go out my AVPN WAN link because that is how routing is set up.
The question is: how can I mask the destination server IP address so that the ping does not take the AVPN path but takes the fw and then the tunnel?
My thought is a 1-1 nat in the firewall for the destination DC server.
static (inside,outside) (natted server ip) (current server IP) netmask 255.255.255.255
I then add this "natted server ip" to the REMOTE NETWORK in the VPN policy.
The natted IP address would also have to be an IP outside the 192.168.0.0 / 10.0.0.0 scopes.
Could this natted server IP be 220.127.116.11?
I could then ping the natted server ip address from the loopback source.
One question I have is: would the remote data center have to reverse the NAT on their end to allow the ping to reach the correct destination?
Please provide expert guidance for this very important issue.
You talk about a firewall and L3 switch setup. You also talk about AVPN, which I am not sure what it means. Are you just referring to a separate VPN device? A simple network diagram might clear up the setup for many people reading this post.
If I have understood the setup correctly, then you have some dedicated connection between your site and the data center site. And what you want to add is that there is a route between these networks through an L2L VPN connection also.
Though if that is the case I am still not sure how this L2L VPN would be used between the sites.
If you would truly want to achieve redundancy between the 2 sites, it would be better if you could run a dynamic routing protocol between each connection, and that would tell the L3 device on each end through which link/connection they should reach the other site.
In this setup it would seem to me that you would have to mask the IP addresses of both networks to be able to use the VPN at the same time while the actual dedicated connection is in use.