06-26-2012 12:45 PM - edited 03-11-2019 04:23 PM
Hi all,
I have a firewall to which 2 routers are connected. On the firewall, 4 site-to-site VPNs are created for a particular VLAN range, say 192.168.30.0/24.
On router 1 the IPs are as follows:
int fa0/1 - WAN link
ip address 201.124.155.17
int fa0/0 - inside interface
ip address 124.x.x.5
On the firewall:
int gi0/1 - outside interface
ip address 124.x.x.6
int gi0/0 - inside interface
ip address 172.18.x.x
On the firewall all the VPNs are configured and NAT is done.
My requirement now is that all the VPNs should be configured on router 2, but the LAN range should still be NATed on the same firewall.
On the second router the IPs are as follows:
int fa0/1 - WAN link
ip address 115.17.18.1
int fa0/0
ip address 124.x.x.7
Assuming I have deleted the tunnels on the firewall and created them on router 2, on the firewall I have now done policy NAT:
nat (inside) 1 access-list test
global (outside) 1 124.x.x.8
access-list test permit ip object-group lanip object-group farendip
object-group network lanip
network-object 192.168.30.0 255.255.255.0
object-group network farendip (tunnel peer IPs)
network-object host 195.16.17.1
network-object host 194.1.1.3
network-object host 196.1.1.2
network-object host 40.1.1.2
On the firewall I have given the route: route outside 124.x.x.8 255.255.255.0 124.x.x.7
I have a few questions regarding the above config:
1) Is the config correct, and will it work once I create the tunnels on router 2?
2) Is it possible for the same LAN range to have some tunnels configured on the firewall and some on the second router?
07-20-2012 12:57 PM
Hi Bro,
Please don't take this the wrong way, but could you get a colleague of yours to write the problem description in the near future? This is because I'm trying very hard to understand your problem here and assist you further. No worries bro, you rock :-)
Please do correct me if I'm wrong. What you're trying to achieve here is, from all 4 of your remote sites, you want to have redundant IPSEC VPN tunnels, i.e. a primary VPN tunnel to Cisco Router#2 and a secondary VPN tunnel to the Cisco Firewall. If yes, then this setup cannot be achieved. In other words, it's not possible for the same remote sites' LAN network address to coexist in both pieces of equipment.
Here's what I would suggest you do. Make both your Cisco Router#1 and Cisco Router#2 the VPN servers, running Cisco DMVPN. With this setup, all 4 of your remote sites will have 2 GRE over IPSEC ACTIVE/ACTIVE VPN tunnels to your HQ, and the redundancy would be seamless.
With this setup, all LAN users behind the Cisco Firewall 172.18.XXX.XXX will still be able to access the Internet and all 4 of your remote sites. Your Cisco Firewall will then be doing pure firewalling.
P/S: If you think this comment is useful, please do rate it nicely :-)
07-21-2012 11:43 PM
Hi Prashanth,
You have 2 Internet/WAN links terminated on the single firewall, right?
Already you are running S2S VPNs on your firewall with ISP 1. Now, if you connect your ISP 2 to the same firewall, you want to use the same LAN ranges to have S2S VPNs connected to different clients.
Yes, you can do that. But I feel the firewall will not do much routing, so that is not the best idea.
LAN IP usage for different purposes can be done. Make sure that you have a specific route to connect with the client as well:
route outside1 195.16.17.0 255.255.255.0 124.x.x.8
like this for all the destination VPN site peers as well. This will make it complex, but it will work.
Please do rate if the given info helps.
By
Karthik
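For readers following the thread, here is the policy-NAT part of the original question and Karthik's per-peer route suggestion written out together as one consistent ASA 8.2-style configuration. This is an added example, not the original poster's or Karthik's own configuration. It keeps the thread's placeholder addresses (124.x.x.N) and assumes that router 2 (inside address 124.x.x.7) is the next hop toward every tunnel peer and router 1 (124.x.x.5) is the default next hop; the host routes and the default route are assumptions drawn from the topology the poster described, not lines from the thread.

```cisco
! Added example (not the thread's own config): ASA 8.2-style policy NAT so that
! only traffic from the VPN LAN range toward the tunnel peers is translated to
! 124.x.x.8 and steered to router 2, while everything else follows router 1.
object-group network lanip
 network-object 192.168.30.0 255.255.255.0
!
! Destination object-group taken from the thread. Caveat: the entries must be
! the addresses the LAN hosts actually send packets to as seen by the firewall
! (the remote networks behind router 2's tunnels); if the hosts never address
! these IPs directly, the policy below never matches and nothing is translated.
object-group network farendip
 network-object host 195.16.17.1
 network-object host 194.1.1.3
 network-object host 196.1.1.2
 network-object host 40.1.1.2
!
access-list test extended permit ip object-group lanip object-group farendip
!
! Policy NAT: ACL "test" selects the flows, nat-id 1 maps them to the global
! address 124.x.x.8 on the outside interface. 124.x.x.8 sits on the shared
! outside subnet, so the ASA answers ARP for it by default (no extra route
! on router 2 is needed for the return traffic).
nat (inside) 1 access-list test
global (outside) 1 124.x.x.8
!
! Assumption: one host route per tunnel peer via router 2's inside address,
! so only the VPN-bound traffic leaves through router 2.
route outside 195.16.17.1 255.255.255.255 124.x.x.7
route outside 194.1.1.3 255.255.255.255 124.x.x.7
route outside 196.1.1.2 255.255.255.255 124.x.x.7
route outside 40.1.1.2 255.255.255.255 124.x.x.7
!
! Assumption: default route toward router 1 for all other traffic.
route outside 0.0.0.0 0.0.0.0 124.x.x.5
```

To confirm that a given flow hits the policy NAT and the intended egress route before cutting over the tunnels, run the ASA's built-in packet-tracer from the inside interface, e.g. `packet-tracer input inside tcp 192.168.30.10 1025 195.16.17.1 80`, and check that the NAT phase shows the translation to 124.x.x.8 and the ROUTE-LOOKUP phase shows the next hop 124.x.x.7; `show xlate` afterwards lists the live translations.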