Around 100 branches are connected to R2 as well. When a branch office tries to communicate with the e-com site, will it take the NAT statement and pass through the tunnel?
[Wu] It won't be NATed if the packets come in and go out on the same interface.
Could you please explain why you would like to NAT those branch IPs?
When I do the VPN configuration, ISAKMP will be enabled on the interface with IP 220.127.116.11 and the VPN ACL allowed IP will be 18.104.22.168 (new IP for VPN). Is that OK?
[Wu] I think it should be OK. After the packet is decrypted, the destination IP 22.214.171.124 should be NATed back to the branch IP and then be forwarded based on the routing table. But I have not implemented this before. I would suggest you run a test in the lab.
What do you suggest? I am terminating the VPN on the R2 router, but the problem is that on R2 both interfaces have public IP addresses and the router is working in routing mode. So where can I do the NATing (branch IPs to public IPs)?
If I introduce a new router, will this solve all the complications?
I don't mind if you would like to add one more router.
It does not matter if both ports on R2 have public IPs. You can always do the NAT on R2.
Say you have S0 and E0 interfaces on R2: S0 is configured as "ip nat outside" and E0 is configured as "ip nat inside". When packets from the branch site to the e-commerce server are routed to the E0 interface of R2, they match the NAT rule you defined and the source IP (branch IP) will be NATed.
If you add one more router, say R5, you can place it in a similar way to R3 and R4 and move all of your branch tunnels that terminate on R2 to this new router. Then on R3, R4 and R5 you will need a route entry to forward all traffic from the branches to the e-server to the E0 interface of R2. They will be NATed there.
Again, I don't know why you would like to NAT all those branch IPs.
I believe you didn't get my question correctly. I will explain again with the attached diagram.
My existing network consists of R2, R3, R4, a core switch and 300 branches (192.168.1.x through 192.168.254.x). My new requirement is to establish a new VPN tunnel to Canada to access e-com sites.
But my problem is that the Canada guys will allow only one (public) IP address through the tunnel, so I am forced to NAT all branch IPs to a single public IP and that has to be forwarded through (e.g. the VPN ACL will permit only 126.96.36.199 to 188.8.131.52; 184.108.40.206 is my NATed IP address).
Please suggest where I can terminate the VPN to achieve my requirements.
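Putting Wu's E0/S0 description and the single-public-IP requirement together, here is an added Cisco IOS configuration sketch that is not from the thread or the poster's network: the interface names follow the thread, but every address is an RFC 5737 documentation placeholder, the branch range is summarised as 192.168.0.0/16, and the e-commerce prefix, peer address and IOS 15 crypto syntax are assumptions.

```cisco
! Added example, not the poster's configuration. Addresses are RFC 5737
! placeholders (assumed): E0 = 10.0.0.1/24 toward the core switch and the
! branches, S0 = 203.0.113.10/30 toward the Internet and the Canadian peer
! 198.51.100.254, e-commerce network 198.51.100.0/24 behind that peer.
!
! 1. NAT domain: branch traffic enters on E0 (inside), leaves on S0 (outside).
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
 crypto map CANADA
!
! 2. Translate only branch -> e-commerce flows; branch-to-branch and
!    Internet-bound traffic via R3/R4 keeps its original source address.
ip access-list extended BRANCH-TO-ECOM
 permit ip 192.168.0.0 0.0.255.255 198.51.100.0 0.0.0.255
!
! 3. PAT every matching branch source onto the single public S0 address.
ip nat inside source list BRANCH-TO-ECOM interface Serial0 overload
!
! 4. The crypto ACL must match the TRANSLATED source: on IOS, inside->outside
!    NAT runs before the crypto map is evaluated, so the peer only ever sees
!    203.0.113.10. Return traffic is decrypted first, then un-NATed to the
!    branch address (the order Wu describes above).
ip access-list extended VPN-ACL
 permit ip host 203.0.113.10 198.51.100.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 198.51.100.254
crypto ipsec transform-set ECOM-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map CANADA 10 ipsec-isakmp
 set peer 198.51.100.254
 set transform-set ECOM-TS
 match address VPN-ACL
!
! 5. Route the e-commerce prefix out S0 so the flow hits NAT and the crypto map.
ip route 198.51.100.0 255.255.255.0 203.0.113.9
!
! Verify: "show ip nat translations" should list branch sources mapped to
! 203.0.113.10, and "show crypto ipsec sa" should count encrypted packets.
```

Because PAT shares one address's port space across all 300 branches, keep an eye on `show ip nat statistics` for translation failures once the tunnel is in production.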