I hope someone can offer me some assistance with this. Here's the basic summary:
There are 4 datacentres, TN2 - LD3 - DCR - DCS
I have an IPSec tunnel between TN2 > DCR and LD3 > DCS
Traffic routes between these tunnels back and forth and everything works fine. What I now need to do is introduce cross routing so that each datacentre can route to the other one. For instance, TN2 > DCS and LD3 > DCR. The problem I have is although I can send traffic from TN2 to DCS, it is unable to route back the same way, hence resulting in asymmetric routing.
I've never done anything this advanced so would be grateful for any advice. What I'm planning to do is to double NAT incoming traffic to take the correct route back.
Let's take TN2 to DCS as an example. I will plan to configure source NAT at TN2. Connections will come into TN2 NATed behind IP address 172.18.48.0 /24. At TN2 this IP will route through the VPN tunnel and reach DCS, where it will be NATed to 172.30.100.0/24. This is a routable range within the LAN and won't have any problem routing back the correct way.
Specifically, I have the following NAT configured on DCS firewall - 220.127.116.11 is the outside interface:
Original Dest NATd Dest NATd source peer GW
172.30.100.7 172.18.52.7 18.104.22.168 LD3
172.30.100.8 172.18.52.8 22.214.171.124 LD3
172.30.100.3 172.18.48.3 126.96.36.199 TN2
172.30.100.4 172.18.48.4 188.8.131.52 TN2
Does this make sense?
Any review (however critical) would be appreciated
I am not entirely sure I understand what you are trying to do here. From your diagram it looks as though you have two sets of VPN from TN2 and LD3? Are the tunnels from TN2 to DCS and LD3 to DCR new tunnels that you are setting up?
What is the result you are trying to achieve? That resources behind TN2 are reachable from DCS and resources behind LD3 are reachable from DCR?
So, are TN2 and LD3 two different paths to the same network or do they just happen to use the same IP subnet?
Either way you would set up the site 2 site VPNs as normal and in the crypto ACL the source would be 184.108.40.206 and destination (for TN2) would be 172.18.48.3 and .4), while LD3 would have destinations of 172.18.52.7 and .8.
Also, are you using static or dynamic routing between your DCR and DCS and the networks they connect to? From the diagram it looks like the firewalls at these two locations are connected via fiber (I cannot read what is in the diagram since when I zoom in the words do not render well.)