policy nat

prashantrecon
Level 1

Hi all,

I have a firewall to which 2 routers are connected. On the firewall, 4 site-to-site VPNs are created for a particular VLAN range, say 192.168.30.0/24.

On router 1 the IPs are as follows:

int fa0/1 - WAN link

ip address 201.124.155.17

int fa0/0

ip address 124.x.x.5 - inside interface

On the firewall:

int gi0/1 - outside interface

ip address 124.x.x.6

int gi0/0 - inside interface

ip address 172.18.x.x

On the firewall all the VPNs are configured and NATting is done.

My requirement is that now all the VPNs should be configured on router 2, but the LAN range should be NATted on the same firewall.

On the second router the IPs are as follows:

int fa0/1

ip address 115.17.18.1 - WAN link

int fa0/0

ip address 124.x.x.7

Assuming I have deleted the tunnels on the firewall and created them on router 2.

Now on the firewall I have done policy NAT:

nat (inside) 1 access-list test

global (outside) 1 124.x.x.8

access-list test permit ip object-group lanip object-group farendip

object-group network lanip

network-object 192.168.30.0 255.255.255.0

object-group network farendip   (tunnel peer IPs)

network-object host 195.16.17.1

network-object host 194.1.1.3

network-object host 196.1.1.2

network-object host 40.1.1.2

On the firewall I have given the route: route outside 124.x.x.8 255.255.255.0 124.x.x.7

I have a few questions regarding the above config:

1) Is the config correct? Will it work once I create the tunnels on router 2?

2) Is it possible for the same LAN range to have some tunnels configured on the firewall and some on the second router?

2 Replies

Hi Bro

Please don't take this the wrong way, but could you get a colleague of yours to write the problem description in the near future? This is because I'm trying very hard to understand your problem here and assist you further. No worries bro, you rock :-)

Please do correct me if I'm wrong. What you're trying to achieve here is, from all 4 of your remote sites, you want to have redundant IPSEC VPN tunnels, i.e. a primary VPN tunnel to Cisco Router#2 and a secondary VPN tunnel to the Cisco Firewall. If yes, then this setup cannot be achieved. In other words, it's not possible for the same remote sites' LAN network address to coexist in both pieces of equipment.

Here's what I would suggest you do. Make both your Cisco Router#1 and Cisco Router#2 the VPN servers running Cisco DMVPN. With this setup, all 4 of your remote sites will have 2 GRE over IPSEC active/active VPN tunnels to your HQ, and the redundancy would be seamless.

With this setup, all LAN users behind the Cisco Firewall 172.18.XXX.XXX will still be able to access the Internet and all 4 of your remote sites. Your Cisco Firewall will then be doing pure Firewalling.

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

Hi Prashanth,

You have 2 Internet/WAN links terminated in the single firewall right???

You are already running S2S VPNs on your firewall with ISP 1. Now if you connect your ISP 2 on the same firewall, you want to use the same LAN ranges to have S2S VPNs connected to different clients...

Yes, you can do that. But I feel the firewall will not do much routing. So that is not the best idea.

LAN IP usage for different purposes can be done. Make sure that you have a specific route to connect with the client as well.

route outside1 195.16.17.0 255.255.255.0 124.x.x.8, and likewise for all the destination VPN site peers. This will make it complex, but it will work.

Please do rate if the given info helps.

By

Karthik
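As an added illustration (not from the thread or from Cisco), here is a small Python check of the posted ASA config: it parses the object-groups, the policy-NAT access-list and the routes, then reports which tunnel peers in the NAT destination group are not reached via router 2's inside address, which is the condition Karthik's per-peer routes are meant to satisfy. The masked octets are filled with the constructed placeholder 124.10.10.x, and the default route via router 1 is an assumption.

```python
import ipaddress
import re
# Constructed sample built from the config in the question; the masked "x"
# octets are filled with the placeholder 10 (assumption, not real addresses).
POSTED_CONFIG = """
object-group network lanip
 network-object 192.168.30.0 255.255.255.0
object-group network farendip
 network-object host 195.16.17.1
 network-object host 194.1.1.3
 network-object host 196.1.1.2
 network-object host 40.1.1.2
access-list test permit ip object-group lanip object-group farendip
nat (inside) 1 access-list test
global (outside) 1 124.10.10.8
route outside 0.0.0.0 0.0.0.0 124.10.10.5
route outside 124.10.10.8 255.255.255.0 124.10.10.7
"""

# Per-peer routes of the kind Karthik suggests, pointed at router 2's inside address.
PEER_ROUTES = "\n".join(
    f"route outside {p} 255.255.255.0 124.10.10.7"
    for p in ("195.16.17.0", "194.1.1.0", "196.1.1.0", "40.1.1.0"))

def parse(config):
    """Pull object-groups, policy-NAT ACL destination groups and routes from ASA text."""
    groups, acl_dst, routes, current = {}, {}, [], None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r"network-object (?:host (\S+)|(\S+) (\S+))", line):
            net = m.group(1) or f"{m.group(2)}/{m.group(3)}"
            current.append(ipaddress.ip_network(net, strict=False))
        elif m := re.match(r"access-list (\S+) permit ip object-group \S+ object-group (\S+)", line):
            acl_dst[m.group(1)] = m.group(2)
        elif m := re.match(r"route \S+ (\S+) (\S+) (\S+)", line):
            routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False), m.group(3)))
    return groups, acl_dst, routes

def peers_missing_route(config, acl_name, next_hop):
    """Peers in the NAT ACL's destination group whose longest-match route is not via next_hop."""
    groups, acl_dst, routes = parse(config)
    missing = []
    for peer in groups[acl_dst[acl_name]]:
        best = max((r for r in routes if peer.subnet_of(r[0])),
                   key=lambda r: r[0].prefixlen, default=None)
        if best is None or best[1] != next_hop:
            missing.append(str(peer.network_address))
    return missing
```

Run against the posted config, all four peers fall through to the default route (the route to 124.x.x.8 only covers the firewall's own outside subnet, not the peers); appending PEER_ROUTES clears the list.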
