Hi Julio,

I like that idea. However, let me build upon my scenario. I left out some details for simplicity, but doing this would require me to share them. The Brazil site is actually 4 separate physical sites. 3 of them use Sonicwall VPN's over broadband to the 4th (main) site which receives said VPN's on their own Sonicwall. From there I LAN route all subnets recieved from those VPN's to the Brazil Cisco 1921 (physically at same site that received the VPN's) that will connect to the P2P to the Cisco 1921 at US data center.  See attached drawing for depiction.

If I NAT on the 1921 at the main Brazil site all subnets I received over the VPN's from the other 3 branch sites, will I run into a problem since I learned about those other 3 sites's subnets over VPN's?  Shouldn't matter right, because once they traverse the internet inside the VPN and arrive on the main Brazil site Sonicwall, they get decrypted back to their private subnets when they enter the LAN. SO as long as I LAN route those subnets to the 1921, it will learn about them right?

Hi Dean, as everyone else on this thread has suggested, NAT is possible, but have you considered the implications in regard to DNS? You'll need to define DNS entries for each US DC server that is to be accessed from Brazil, this might be unmanageable and unfeasible, especially if accessing AD.

Hi RJI,

Thanks for your comment. You have a good point.  So for example, the main LAN at the main Brazil site is 192.168.12.0 /24. That is also the SSL intercept/Proxy subnet in US DC that all incoming traffic has to hit before being forwarded to the inside.  So what you're saying is an nslookup done in Brazil for a service on that SSL Intercept/Proxy would return 192.168.12.x, which would then confuse the local network because it's not going to know how to route to the US DC instance of 192.168.12.x because before the NAT point in Brazil, that subnet lives locally.  If so, I suppose I would have to advertise static NAT translations on the US DC side towards Brazil to NAT that subnet into something else as well.  They'd also have to use their own local DNS server and not use our US DC server.  

Hmmm. This is getting quite messy.  Let me take this back to the whiteboard and see what I can do.  Unfortunately there are numerous parties involved and it would be an enormous effort to re-IP these sites prior to cutover. The plan is to remove the NAT's over time, but for the interim, I need a solution where I can just flip the cable from the old MPLS to the new Oceanic Local Loop and have it work.  If I have them re-IP prior to the cutover it will break access to their current data center. And since we have 16 subnets to do, it is not feasible to re-IP all 16 of them in a single maintenance window and make the cut. 

Hi Paul,

I tried testing this and it didn't work.  Did you mean ip nat "outside" source instead?

Also, where would this be implemented? Brazil side or US side router? 

Hi Georg,

Yes, I agree. There are definitely some additional things I need to consider regarding that. I've gone back to the whiteboard to see what can be done.

Unfortunately there are numerous parties involved and it would be an enormous effort to re-IP these sites prior to cutover. The plan is to remove the NAT's over time, but for the interim, I need a solution where I can just flip the cable from the old MPLS to the new Oceanic Local Loop and have it work.