I am running a hub and spoke site-to-site VPN with a few branches on 2611s. My plan is to add a screening router in the hub location (which is an extra 2611) in front of the present 2611, creating a DMZ.
The new screening router will hold the public IPs and be performing NAT. I have 5 static IPs to use.
Will I be able to allow GRE and IPsec through the screener and terminate the tunnels on the inside router, or will I have to terminate them on the screening router? Any suggestions how to set this up?
Yep, you can do this. The NAT will have to be a one-to-one static NAT translation, not PAT and not dynamic out of a pool of addresses. The spokes' "tunnel dest" will all point to the NAT'd address on the screening router. The inside hub router simply points to the actual spoke addresses; nothing changes on that side.
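A sketch of the layout described in the answer above, as an added example; it is not configuration from the thread or from either poster. All addresses are documentation/private placeholders (203.0.113.0/29 as the public block, 198.51.100.10 as one spoke, 192.168.100.0/24 as the DMZ), and the interface names, cipher choices, pre-shared key and ACL names are assumptions. It shows one spoke; each additional spoke gets its own `crypto isakmp key`, `set peer`, ACL lines and tunnel destination on the hub side.

```cisco
!===== Screening router (the extra 2611): public block lives here =====
interface FastEthernet0/0
 description Outside toward ISP (assumed interface)
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group VPN-IN in
!
interface FastEthernet0/1
 description DMZ toward the inside hub router
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
! One-to-one static translation for the tunnel endpoint: no PAT, no pool.
! The inside hub router keeps 192.168.100.2; the world sees 203.0.113.3.
ip nat inside source static 192.168.100.2 203.0.113.3
!
! Inbound ACL on the outside interface sees the public (untranslated)
! destination, so it permits only what GRE-over-IPsec needs, and only
! from the known spoke addresses. Everything else is dropped and logged.
ip access-list extended VPN-IN
 permit udp host 198.51.100.10 host 203.0.113.3 eq 500
 permit udp host 198.51.100.10 host 203.0.113.3 eq 4500
 permit esp host 198.51.100.10 host 203.0.113.3
 permit gre host 198.51.100.10 host 203.0.113.3
 deny ip any any log
!
!===== Inside hub router: unaware of the NAT, uses real spoke addresses =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.10
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
!
ip access-list extended GRE-TO-SPOKE1
 permit gre host 192.168.100.2 host 198.51.100.10
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 match address GRE-TO-SPOKE1
!
interface FastEthernet0/0
 description Toward the screening router's DMZ side
 ip address 192.168.100.2 255.255.255.0
 crypto map VPN
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.10
!
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
!===== Spoke: everything points at the NAT'd public address =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.3
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
!
ip access-list extended GRE-TO-HUB
 permit gre host 198.51.100.10 host 203.0.113.3
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set TS
 match address GRE-TO-HUB
!
interface FastEthernet0/0
 ip address 198.51.100.10 255.255.255.0
 crypto map VPN
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.3
```

To confirm the screener is only translating and not terminating anything, `show ip nat translations` on it should list the static 192.168.100.2 to 203.0.113.3 entry and nothing crypto-related, while `show crypto isakmp sa` and `show crypto ipsec sa` on the inside hub router should show the SAs with the real spoke addresses. The `deny ip any any log` line doubles as a simple detection point: anything else arriving at the public tunnel address shows up in the log.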