IP NAT, VPN & ROUTING

fmugambi
VIP

Hello FAM!!,

Hope you are doing well.

I have a topology as attached:

[attached image: fmugambi_0-1740045257219.png]

Site A is my primary site, site B my backup [DR].

We have clients connected via site A, via IPsec tunnels to the outside interface IP, say [101.101.101.10].

Under the encryption domain we used public IPs in the range 101.101.101.0/24 to mask internal IPs, say 101.101.101.5 > 192.168.40.5/32.

We also have a site-to-site IPsec VPN to our site B [connection is fine between DCs], using the same outside interface = 101.101.101.10.

OBJECTIVE

The objective is to failover remote clients traffic to site B.

I assumed I just need to change the NAT objects to now point to site B, say 101.101.101.5 > 192.168.45.5/32. This way my failovers are transparent to clients.

On doing this, encaps/decaps don't form, traffic does not flow.

What could I be doing wrong? Is it because site B uses the outside interface as well, the 101.101.101.10?

Do I need to peer on site B on a different interface?

Your help is appreciated.

Thank you in advance.

8 Replies

Stephen Carter
Level 1

Why do you have the 'failover' link between sites A and B - surely if site A is lost then the link to site B will be lost.

Don't you want two links from the customer - one to site A, and the other to site B? Have a primary link from the customer to A, then if it fails, failover to site B.

Yes, the customer may see this happen, but probably won't notice if timers/failover configured correctly.

Hello,

You mentioned modifying the NAT rule to point to site B's internal IP, so did you update the routing for site B to route the return traffic properly? You are probably using default routes, but if not, check whether the return traffic from site B is working.

Yes, site B is able to learn routes in site A, using BGP in the domain. I am redistributing static remote VPN client prefixes within the domain.

Routing is all in place. Site B knows about remote client routes as well.

Giuseppe Larosa
Hall of Fame

Hello @fmugambi ,

Is the FTD on site A able to reach the FTD on site B (DR) when the primary site is down?

You are looking at the specific fault between the site A FTD and the site A core switch.

What if all the site A is powered off including site A FTD?

For your specific scenario the RA VPN clients need to point to a dynamic DNS URL describing:

FTD site A true outside public address

When FTD site A fails, FTD site B has to register its own outside public address to make DNS resolve to it.

For your specific scenario you also need appropriate reverse route injection on FTD site B to be able to route the user back to FTD site A via the site-to-site tunnel between the two FTDs.

How are the two DCs interconnected: only via the FTDs, or are there L2/L3 extensions for DC interconnect?

Hope to help

Giuseppe


Allow me to attach the full topology to explain:

[attached image: fmugambi_0-1740664004506.png]

Take sites A and B first.

I can fail over clients to access resources in site B by changing NAT objects on the site A FTD to point to site B. This works; traffic now flows to site B resources.

NB: remember sites A, B and C communicate on this design; the objective is to make remote clients access resources on site C.

Since the site A FTD can reach all sites, I assumed changing NAT objects to point to site C would work as my failover to site C resources.

Hope this clarifies it.

Any ideas here, team?

Hi @Giuseppe Larosa,

I gave a full topology diagram and explained the design; was it helpful?
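As an added illustration (not the poster's configuration and not an answer given in the thread), here is how the NAT object change from the original question and the reverse-route point from Giuseppe's reply look in ASA syntax, with the show and packet-tracer commands a practitioner would use to see where the flow stops. The addresses 101.101.101.5, 101.101.101.10, 192.168.40.5 and 192.168.45.5 come from the thread; the client pool 10.10.10.0/24, the host 10.10.10.7 and the site B peer 203.0.113.20 are placeholders.

```text
! Added illustrative excerpt in ASA syntax; not the poster's configuration.
! Placeholders: client pool 10.10.10.0/24, client 10.10.10.7, site B peer 203.0.113.20.
! On FTD the objects below are built in the FMC NAT policy and VPN topology;
! the show and packet-tracer commands are typed the same way in the FTD CLI.

! Normal operation: the masked public address is untranslated to the site A host,
! so the real interface of the rule is "inside".
object network SITE_A_RES_5
 host 192.168.40.5
 nat (inside,outside) static 101.101.101.5

! Failover as described in the thread: same mapped address, real host now at site B.
! Site B is reached through the site-to-site tunnel on "outside", so the real
! interface of the rule is outside as well: the flow enters and leaves the same
! interface, which is not what a rule written against "inside" describes.
object network SITE_B_RES_5
 host 192.168.45.5
 nat (outside,outside) static 101.101.101.5

! Hairpinning RA VPN traffic back out the outside interface requires this on ASA;
! confirm the setting with "show running-config same-security-traffic".
same-security-traffic permit intra-interface

! The site-to-site crypto ACL is evaluated after untranslation, so it must carry the
! client pool as source and the site B host as destination. Site B needs the mirror
! entry plus reverse route injection (or a static route) for 10.10.10.0/24 via site A.
access-list VPN_A_TO_B extended permit ip 10.10.10.0 255.255.255.0 host 192.168.45.5
crypto map OUTSIDE_MAP 10 match address VPN_A_TO_B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.20

! Verification on site A after the change. The trace should show an UN-NAT phase to
! 192.168.45.5, a route lookup out "outside" and a VPN encrypt phase. A route lookup
! toward "inside" points at the NAT rule; a missing encrypt phase points at the
! crypto ACL or the route to 192.168.45.5.
packet-tracer input outside tcp 10.10.10.7 40000 101.101.101.5 443 detailed
show nat detail
show crypto ipsec sa peer 203.0.113.20
```

After a successful change the `#pkts encaps` and `#pkts decaps` counters in the last command should increment for the site B peer while a client is sending traffic.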