I'm having a hard time getting this to work. I know exactly what the problem is, I just don't know of a decent workaround. I have a 3620 which is at my corporate office. On the LAN side of that router is our trusted, private network. That router provides NAT services to everyone on its LAN side -- employee workstations. The WAN side connects into my core. Via the core you hit the mail servers and other servers, and the internet is also reached by traversing the core.
The problem is that I want to set up this 3620 to terminate IPSec VPNs via the VPN Client as well. Setting up the VPNs isn't the problem, the problem is NAT. FE0/0 is the WAN side of the 3620 -- ip nat outside. FE0/1 is the LAN side of the 3620 -- ip nat inside. The problem is that the IPSec Clients come in on FA0/0 (via the core) and get an RFC1918 address from a pool. This IP is not routable through the rest of the core, so they need to be natted to reach the mail servers and other company assets. That can't be done because that interface (FE0/0, the WAN interface) is already configured with ip nat outside.
The only workaround I can see is to set up VLANs on FA0/0. VLAN 10 would be the WAN VLAN with ip nat outside, VLAN 20 would be the IPSec VLAN with ip nat inside, and FA0/1 would have no VLANs -- rather, it would just be the interface connected to the workstations in the office.
Oh, I'm also using IPSec redundancy via HSRP to add a little more complexity to it. If I weren't, I could use loopbacks, but then I'd have no redundancy, only manual switchover between servers by the clients, which sucks! :(
I'm pretty sure this VLAN workaround would work, but I'm hoping there is a more elegant solution than configuring VLANs all over the place. I'm hoping there is a configuration switch somewhere that takes this sort of configuration into account.
I could redistribute the RFC1918 space assigned to IPSec users into my IGP and in turn throughout my core so it would no longer require natting, but that takes away from some of the security, no?
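For readers following the thread, here is what the subinterface/VLAN workaround described in the post above looks like as an IOS configuration fragment. This is an added example, not configuration from the original poster or from Cisco documentation. Every address, pool, ACL name, HSRP group name and crypto map name below is a hypothetical placeholder (RFC 5737 and RFC 1918 space); the crypto map CLIENTMAP and its ISAKMP/IPSec policy are assumed to already exist, since the post says the VPN side is not the problem.

```cisco
! Hypothetical topology, matching the post:
!   FA0/0.10 (VLAN 10) = WAN side toward the core  -> ip nat outside
!   FA0/0.20 (VLAN 20) = IPSec termination, HSRP VIP -> ip nat inside
!   FA0/1              = office workstations         -> ip nat inside
! All addresses below are placeholders, not real deployment values.
!
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 description WAN/core side - NAT outside
 encapsulation dot1Q 10
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
!
interface FastEthernet0/0.20
 description IPSec client termination - NAT inside
 encapsulation dot1Q 20
 ip address 192.0.2.130 255.255.255.128
 ip nat inside
 ! HSRP VIP 192.0.2.129 is the peer address the VPN Clients point at;
 ! the standby group name ties the crypto map to HSRP for failover.
 standby 1 ip 192.0.2.129
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPNHA
 crypto map CLIENTMAP redundancy VPNHA
!
interface FastEthernet0/1
 description office LAN - NAT inside
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! Pool handed to VPN Clients (RFC1918, not routable in the core).
ip local pool VPNPOOL 10.20.20.1 10.20.20.254
!
! Both the office LAN and the VPN pool get translated on the way
! out of the WAN subinterface; only these sources are eligible.
ip access-list extended NAT-INSIDE
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 10.20.20.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface FastEthernet0/0.10 overload
!
! Default route toward the core via the WAN VLAN.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Checks after applying:
!   show standby brief            - confirm which router is Active for group 1
!   show crypto isakmp sa         - client peers should show the VIP as local
!   show ip nat translations      - 10.20.20.x entries appear once a client
!                                   sends traffic toward the core
```

The point of splitting FA0/0 into two 802.1Q subinterfaces is that a decrypted client packet is treated as having entered on an ip nat inside interface (the VLAN 20 subinterface carrying the HSRP VIP), so it matches the inside-source rule when it is routed back out the ip nat outside subinterface toward the core. The core-side switch port must be a trunk carrying both VLANs, and the standby router needs the mirror-image configuration with a lower HSRP priority. Whether this is preferable to redistributing the pool into the IGP, as the post asks, is a policy call the fragment does not settle.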