Configuring source and destination NAT to resolve asymmetric routing

Hi guys


I hope someone can offer me some assistance with this. Here's the basic summary:

There are 4 datacentres, TN2 - LD3 - DCR - DCS
I have an IPSec tunnel between TN2 > DCR and LD3 > DCS


Diagram attached.


Traffic routes between these tunnels back and forth and everything works fine. What I now need to do is introduce cross routing so that each datacentre can route to the other one. For instance, TN2 > DCS and LD3 > DCR. The problem I have is although I can send traffic from TN2 to DCS, it is unable to route back the same way, hence resulting in asymmetric routing.


My plan:
I've never done anything this advanced so would be grateful for any advice. What I'm planning to do is to double NAT incoming traffic to take the correct route back.


Let's take TN2 to DCS as an example. I will plan to configure source NAT at TN2. Connections will come into TN2 NATed behind IP address /24. At TN2 this IP will route through the VPN tunnel and reach DCS, where it will be NATed to This is a routable range within the LAN and won't have any problem routing back the correct way.


Specifically, I have the following NAT configured on DCS firewall - is the outside interface:


Original Dest       NATd Dest        NATd source          peer GW     LD3     LD3     TN2     TN2


Does this make sense?


Any review (however critical) would be appreciated


Marius Gunnerud
VIP Advisor

I am not entirely sure I understand what you are trying to do here.  From your diagram it looks as though you have two sets of VPN from TN2 and LD3?  Are the tunnels from TN2 to DCS and LD3 to DCR new tunnels that you are setting up?

What is the result you are trying to achieve?  That resources behind TN2 are reachable from DCS and resources behind LD3 are reachable from DCR?

Please remember to select a correct answer and rate helpful posts

Hi Marius


I knew I didn't make it clear. The two vertical tunnels are already in place but I want to add the diagonal ones


So, are TN2 and LD3 two different paths to the same network or do they just happen to use the same IP subnet?

Either way you would set up the site 2 site VPNs as normal and in the crypto ACL the source would be and destination (for TN2) would be and .4), while LD3 would have destinations of and .8.


Also, are you using static or dynamic routing between your DCR and DCS and the networks they connect to?  From the diagram it looks like the firewalls at these two locations are connected via fiber (I cannot read what is in the diagram since when I zoom in the words do not render well.)

Please remember to select a correct answer and rate helpful posts
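The double-NAT plan in the original post and the crypto ACL point in the reply above, written out as one worked configuration. This is an added example, not the poster's actual config or a Cisco-supplied one. It assumes Cisco ASA syntax (the thread does not say which platform the firewalls run), and every address and object name is a constructed placeholder from the RFC 5737 documentation ranges and private space: TN2-REAL-LAN (10.10.0.0/24), TN2-NAT-POOL (203.0.113.0/24, what TN2 hosts are hidden behind), DCS-MAPPED-DST (10.99.0.0/24, the address TN2 targets), DCS-REAL-LAN (10.20.0.0/24) and DCS-RETURN-POOL (198.51.100.0/24, a range that is routable inside DCS and routes back to the DCS firewall). Only the TN2 > DCS direction is shown; LD3 > DCR is the mirror image with its own pools.

```cisco
! ===== TN2 firewall (assumed ASA syntax, placeholder addresses) =====
object network TN2-REAL-LAN
 subnet 10.10.0.0 255.255.255.0
object network TN2-NAT-POOL
 subnet 203.0.113.0 255.255.255.0
object network DCS-MAPPED-DST
 subnet 10.99.0.0 255.255.255.0

! Source NAT only for traffic that is headed to DCS via the diagonal tunnel.
! Destination is an identity translation so only the source changes.
nat (inside,outside) source dynamic TN2-REAL-LAN TN2-NAT-POOL destination static DCS-MAPPED-DST DCS-MAPPED-DST

! Crypto ACL for the TN2 > DCS tunnel. On the ASA, NAT is applied before
! encryption for outbound traffic, so the ACL must match the translated
! (post-NAT) addresses, not the real TN2 LAN.
access-list VPN-TN2-DCS extended permit ip object TN2-NAT-POOL object DCS-MAPPED-DST

! ===== DCS firewall (assumed ASA syntax, placeholder addresses) =====
object network TN2-NAT-POOL
 subnet 203.0.113.0 255.255.255.0
object network DCS-RETURN-POOL
 subnet 198.51.100.0 255.255.255.0
object network DCS-MAPPED-DST
 subnet 10.99.0.0 255.255.255.0
object network DCS-REAL-LAN
 subnet 10.20.0.0 255.255.255.0

! Twice NAT on the outside interface, matching the "Original Dest / NATd Dest /
! NATd source" table in the original post:
!   source      TN2-NAT-POOL   -> DCS-RETURN-POOL  (so DCS hosts reply toward this firewall)
!   destination DCS-MAPPED-DST -> DCS-REAL-LAN     (the real servers)
! Static twice NAT is bidirectional, so the reply is untranslated automatically
! and re-enters the correct tunnel. route-lookup makes egress follow the
! routing table for the untranslated address rather than the NAT interface.
nat (outside,inside) source static TN2-NAT-POOL DCS-RETURN-POOL destination static DCS-MAPPED-DST DCS-REAL-LAN no-proxy-arp route-lookup

! Crypto ACL on DCS is the exact mirror of the TN2 one (wire addresses):
access-list VPN-DCS-TN2 extended permit ip object DCS-MAPPED-DST object TN2-NAT-POOL

! ===== Checks =====
! Trace a packet arriving from the tunnel and confirm both translations and
! the inside egress interface; then confirm the reverse path hits the same rule.
packet-tracer input outside tcp 203.0.113.10 40000 10.99.0.10 443
packet-tracer input inside  tcp 10.20.0.10 443 198.51.100.10 40000
show nat detail
show xlate
```

The two crypto ACLs must be exact mirrors of each other, as the reply says, and the DCS-RETURN-POOL range must be the one thing that actually fixes the asymmetry: it has to be routed back to the DCS firewall by whatever static or dynamic routing DCS uses internally, otherwise replies will still leave via DCR and the LD3 tunnel. The `packet-tracer` lines are the quickest way to prove both directions land on the same NAT rule before any real traffic is sent.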