I am trying out a simulation on my own at the moment to try to figure out if it is possible for a router at a branch office running DMVPN to have a NAT setting such that if anyone accesses this NAT, it will be directed to a server at the HQ office.
Here is the full picture. I have multiple spokes in my DMVPN design with a single Hub. All spokes are able to access each other, so this is a full mesh design. Each router has its own Internet access, so I would have a NAT Overload rule. In the real world, two of the spokes (SPOKE A & B) need to route via one of the spokes (SPOKE C) in order to reach the hub because, latency-wise, it is way better than going direct. Management now wants to build more web services but allow Internet users to access them via one of the remote spokes, SPOKE A & B. Sounds easy if I create a static NAT, but if I create a static NAT rule at one of the remote spokes, the return traffic will be asymmetric. The problem is that every router has its own Internet access, so by the time the return traffic heads back, the hub router will already have routed it out via its own Internet because the source IP is public.
Is there any way that we can configure the NAT rule on the remote spokes so that it will also do a source NAT together with a destination NAT, so that the return traffic will return to where it originated from (the remote spoke which has the static NAT)? Or is there any alternative solution? I don't mind hearing the pros and cons.
I went to read about all the possibilities you mentioned.
When you mentioned reverse proxy, I searched for 'cisco iOS reverse proxy' and I found a document from Cisco which talks about using WCCP. If I am not wrong, the endpoint server needs to support WCCP, and only certain protocols are supported (TCP 80 and some others) depending on the version used. May not work.
The LB feature sounds promising but applies to Cisco's beefier models. I have Cisco 1921 and 891 at the spokes. I tried issuing the 'ip slb' command but the feature doesn't exist. Too bad.
The last idea is the NAT idea. I am not sure how to implement this since I have already defined 'ip nat outside' and 'ip nat inside' on my outside and inside interfaces respectively.
Regarding the NAT you mentioned, did you mean doing a PAT (similar to a NAT Overload) but in the opposite direction? NAT Overload tends to be from the inside, translating many internal addresses to a single inside global registered IP address (public IP address). Did you mean doing a NAT Overload from my outside to inside? So my ACL would match from ANY to or something like that?
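The following is an added example, not code from this thread or from Cisco, that models the forwarding decision behind both the original question (why a static NAT alone at a remote spoke gives an asymmetric return path) and the follow-up about doing a reverse PAT. It represents the hub's routing table as a longest-prefix-match lookup and a spoke NAT that either rewrites only the destination (static NAT) or both source and destination (the source NAT plus destination NAT the question asks about). All addresses, interface names and the routing entries are constructed for the model; nothing here is an IOS command.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Constructed addresses for the model (assumptions, not from the thread).
CLIENT = "198.51.100.7"        # Internet user reaching the web service
SPOKE_PUBLIC = "203.0.113.10"  # Spoke A's Internet address, the static NAT target
SPOKE_TUNNEL = "10.255.0.11"   # Spoke A's DMVPN tunnel address (reachable from the hub)
HQ_SERVER = "10.1.1.100"       # web server on the HQ LAN behind the hub

# Hub routing table as (prefix, egress). The hub's own Internet link is the
# default route, which is exactly what makes the public client IP leave there.
HUB_ROUTES = [
    ("0.0.0.0/0", "hub-internet"),
    ("10.1.1.0/24", "hq-lan"),
    ("10.255.0.0/24", "dmvpn-tunnel"),
]


def lookup(table, dst):
    """Longest-prefix match over (prefix, egress) entries; None if no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_egress = None, None
    for prefix, egress in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_egress = net, egress
    return best_egress


class SpokeNat:
    """NAT at Spoke A. Destination NAT (public IP -> HQ server) always applies;
    with twice_nat=True the client's source is also rewritten to the spoke's
    tunnel address so the server's reply is routed back through the tunnel."""

    def __init__(self, twice_nat):
        self.twice_nat = twice_nat
        self.bindings = {}  # translated source -> original client address

    def inbound(self, pkt):
        src = pkt.src
        if self.twice_nat:
            self.bindings[SPOKE_TUNNEL] = pkt.src
            src = SPOKE_TUNNEL
        return Packet(src=src, dst=HQ_SERVER)

    def outbound(self, pkt):
        # Undo the forward translation: restore the client's address and
        # present the public IP the client originally connected to.
        dst = self.bindings.get(pkt.dst, pkt.dst)
        return Packet(src=SPOKE_PUBLIC, dst=dst)


def trace(twice_nat):
    """Follow one request/reply through Spoke A, the hub and back.
    Returns (hub egress for the reply, packet as the client sees it or None)."""
    nat = SpokeNat(twice_nat)
    fwd = nat.inbound(Packet(src=CLIENT, dst=SPOKE_PUBLIC))
    reply = Packet(src=fwd.dst, dst=fwd.src)  # the server answers whoever it saw
    egress = lookup(HUB_ROUTES, reply.dst)
    if egress != "dmvpn-tunnel":
        # Reply left via the hub's own Internet link and never reached
        # Spoke A's NAT: the client gets a packet from the wrong address.
        return egress, None
    return egress, nat.outbound(reply)


if __name__ == "__main__":
    print("static NAT only :", trace(False))
    print("source + dest NAT:", trace(True))
```

With static NAT only, the reply's destination is the client's public address, so the hub's default route wins and the reply bypasses Spoke A. With the source also translated to an address the hub reaches through the tunnel, the reply comes back to Spoke A, which reverses both translations before handing it to the client. The cost of that design is that the HQ server logs the spoke's address rather than the real client's.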