NAT by Source and Destination

hs08 (VIP)

Hello

I have a topology like the one below, with these details:

  • There are 2 sites, with subnet 10.7.0.0/16 for LAN-1 and 10.38.0.0/16 for LAN-2
  • Both sites have a site-to-site VPN from the firewall to Azure. The Azure subnet is 10.200.0.0/16
  • Both sites have a WAN connection using R1 and R2
  • Traffic from LAN-1 that wants to access Azure will pass through CORE-1 - FW1 - Azure
  • Traffic from LAN-2 that wants to access Azure will pass through CORE-2 - FW2 - Azure

Now I want to ask: if I have a problem on INT2, I want to change the routing on CORE-2 so traffic from 10.38.0.0/16 to 10.200.0.0/16 will be routed to R2 - R1 - C1 - FW1 - Azure.

Besides that, I also want to make a NAT on CORE-1 with these conditions:

  • Traffic from 10.38.0.0/16 to 10.200.0.0/16 will be NATed to 10.7.100.100, for example, but don't NAT for other destinations
  • Traffic from 10.7.0.0/16 to 10.200.0.0/16 will not be NATed.

So are my requirements possible?


6 Replies

Torbjørn (VIP)

It is likely possible to achieve what you are describing, depending on your devices. I am however not sure that I see what you wish to achieve by implementing the NAT rules on CORE1. In general it is not recommended to do such operations on core devices. Can you describe a bit more about your use case?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Hello,

I just want to make a failover to Azure if ISP2 is down. On the Azure side there will be 2 Local Network Gateways (LNG).

LNG-1 contains subnet 10.7.0.0/16 for the connection from Azure to LAN-1, and the 2nd LNG contains subnet 10.38.0.0/16 for the connection from Azure to LAN-2. In this situation, when ISP2 is down and I reroute traffic from 10.38.0.0/16 to Azure via Core 1, the connection becomes one-way, since LNG-1 on Azure does not contain 10.38.0.0/16.

So what I have in mind is to change the source IP for 10.38.0.0/16 to a subnet on LAN-1 (10.7.0.0/16) so the connection can work both ways.

Okay, that makes sense. You need to solve this in two parts: route withdrawal on FW2 and NAT on CORE1.

1. How you should withdraw the route from FW2 will depend on your specific firewall and routing protocol.

2. You can make a conditional NAT statement that achieves what you request as such:

! Match only 10.38.0.0/16 -> 10.200.0.0/16 (wildcard masks, no "host" keyword);
! any other destination falls through the route-map and is not translated
access-list 101 permit ip 10.38.0.0 0.0.255.255 10.200.0.0 0.0.255.255
route-map POLICY-NAT permit 10
 match ip address 101
!
! Single-address pool; overload (PAT) lets the whole /16 share 10.7.100.100
ip nat pool POLICY-NAT-POOL 10.7.100.100 10.7.100.100 prefix-length 24
ip nat inside source route-map POLICY-NAT pool POLICY-NAT-POOL overload
!
! Remember "ip nat inside" on the interface toward R1 and "ip nat outside" on the interface toward FW1

I think it might be a better solution to convert to a routed S2S VPN using BGP against your Azure VPN gateways. It is a bit more work, but it is less complex and I believe will give you a better and more maintainable result.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
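As an added illustration that is not part of this thread or of any vendor's code, here is a small Python model of how the route-map ACL gates the translation on CORE-1, using the prefixes from the thread; `parse_ace`, `policy_nat` and `reply_routable` are made-up helper names and the sample flows are constructed.

```python
import ipaddress

# Constructed values from the thread: the ACE from the reply, the single-address
# NAT pool, and the prefix Azure's LNG-1 knows for the CORE-1/FW1 tunnel.
ACE = "access-list 101 permit ip 10.38.0.0 0.0.255.255 10.200.0.0 0.0.255.255"
NAT_POOL_ADDR = "10.7.100.100"
LNG1_PREFIX = ipaddress.ip_network("10.7.0.0/16")

def parse_ace(line):
    """Parse 'access-list N permit ip <src> <dst>'; each side is 'any',
    'host A.B.C.D' or 'A.B.C.D W.W.W.W'. Returns (src, src_wc, dst, dst_wc)."""
    t = line.split()
    if t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
        raise ValueError("unsupported ACE: " + line)
    fields, i = [], 4
    for _ in range(2):
        if t[i] == "any":
            fields += ["0.0.0.0", "255.255.255.255"]; i += 1
        elif t[i] == "host":          # 'host' is shorthand for wildcard 0.0.0.0
            fields += [t[i + 1], "0.0.0.0"]; i += 2
        else:
            fields += [t[i], t[i + 1]]; i += 2
    return tuple(fields)

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def policy_nat(src, dst, ace=ACE):
    """Source NAT as applied by the route-map: translate only when the ACE
    permits the flow; every other destination keeps its original source."""
    sb, sw, db, dw = parse_ace(ace)
    if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
        return NAT_POOL_ADDR, True
    return src, False

def reply_routable(new_src):
    """Azure's LNG-1 only lists 10.7.0.0/16, so replies come back over the
    CORE-1/FW1 tunnel only if the source Azure sees lies inside that prefix."""
    return ipaddress.ip_address(new_src) in LNG1_PREFIX

if __name__ == "__main__":
    for src, dst in [("10.38.5.20", "10.200.1.10"),   # LAN-2 -> Azure: translated
                     ("10.7.5.20", "10.200.1.10"),    # LAN-1 -> Azure: untouched
                     ("10.38.5.20", "10.7.9.9")]:     # LAN-2 -> LAN-1: untouched
        new_src, nat = policy_nat(src, dst)
        print(f"{src} -> {dst}: src {new_src}, translated={nat}, "
              f"reply_routable={reply_routable(new_src)}")
```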

I should apply this on Core-1, which is connected to R1, right?

Yes, that is correct.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

The route toward R1 must have a higher AD than the route toward FW1.