Configuring source and destination NAT to resolve asymmetric routing

BHconsultants88
Level 1

Hi guys

 

I hope someone can offer me some assistance with this. Here's the basic summary:

There are 4 datacentres, TN2 - LD3 - DCR - DCS
I have an IPSec tunnel between TN2 > DCR and LD3 > DCS

 

Diagram attached.

 

Traffic routes between these tunnels back and forth and everything works fine. What I now need to do is introduce cross routing so that each datacentre can route to the other one. For instance, TN2 > DCS and LD3 > DCR. The problem I have is although I can send traffic from TN2 to DCS, it is unable to route back the same way, hence resulting in asymmetric routing.

 

My plan:
I've never done anything this advanced so would be grateful for any advice. What I'm planning to do is to double NAT incoming traffic to take the correct route back.

 

Let's take TN2 to DCS as an example. I will plan to configure source NAT at TN2. Connections will come into TN2 NATed behind IP address 172.18.48.0/24. At TN2 this IP will route through the VPN tunnel and reach DCS, where it will be NATed to 172.30.100.0/24. This is a routable range within the LAN and won't have any problem routing back the correct way.

 

Specifically, I have the following NAT configured on DCS firewall - 104.223.12.142 is the outside interface:

 

Original Dest     NATd Dest      NATd Source      Peer GW
172.30.100.7      172.18.52.7    104.223.12.142   LD3
172.30.100.8      172.18.52.8    104.223.12.142   LD3
172.30.100.3      172.18.48.3    104.223.12.142   TN2
172.30.100.4      172.18.48.4    104.223.12.142   TN2

 

Does this make sense?

 

Any review (however critical) would be appreciated
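To make the mechanism in the plan above concrete, here is an added worked model (it is not the poster's configuration and is not tied to any firewall vendor). It assumes a constructed topology: DCR and DCS front one shared DC LAN, the existing TN2 tunnel lands on DCR, and a new TN2 tunnel lands on DCS. The shared LAN's route for TN2's real range points at DCR, so a reply to a host that arrived via DCS leaves via DCR and hits a firewall with no state for the flow. Translating TN2's hosts into a per-tunnel alias range that only DCS routes pins the reply to DCS, which holds the state and can un-NAT. All addresses (10.1.0.0/24, 172.18.52.0/24, 172.30.100.0/24) and the 1:1 host-preserving mapping are assumptions for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed address plan for this example (assumed, not taken from the post):
TN2_REAL = ipaddress.ip_network("10.1.0.0/24")       # real hosts behind TN2
DC_LAN = ipaddress.ip_network("172.18.52.0/24")      # LAN shared by DCR and DCS
TN2_ALIAS = ipaddress.ip_network("172.30.100.0/24")  # TN2 hosts as seen via DCS

# Routing table of the shared DC LAN: prefix -> firewall that owns the route.
# The existing TN2 tunnel terminates on DCR, so the real TN2 range points there;
# the alias range is announced only by DCS.
DC_LAN_ROUTES = {
    TN2_REAL: "DCR",
    TN2_ALIAS: "DCS",
}


def lan_next_hop(dst: str) -> str | None:
    """Longest-prefix match on the shared LAN's routing table."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in DC_LAN_ROUTES if addr in net]
    if not matches:
        return None
    return DC_LAN_ROUTES[max(matches, key=lambda net: net.prefixlen)]


def alias_map(real: ipaddress.IPv4Network, alias: ipaddress.IPv4Network) -> dict[str, str]:
    """1:1 static NAT table that keeps the host bits (10.1.0.3 -> 172.30.100.3)."""
    assert real.prefixlen == alias.prefixlen, "alias range must be the same size"
    return {str(r): str(a) for r, a in zip(real.hosts(), alias.hosts())}


@dataclass
class Firewall:
    name: str
    src_nat: dict[str, str] = field(default_factory=dict)      # real src -> alias src
    flows: set[tuple[str, str]] = field(default_factory=set)   # (src, dst) seen inbound

    def from_tunnel(self, src: str, dst: str) -> tuple[str, str]:
        """Packet arriving over IPsec for the DC LAN: translate the source, record state."""
        mapped_src = self.src_nat.get(src, src)
        self.flows.add((mapped_src, dst))
        return mapped_src, dst

    def from_lan(self, src: str, dst: str) -> tuple[str, str] | None:
        """Reply from a LAN host. A stateful firewall forwards it only if it saw the
        forward flow; otherwise it drops it, which is the asymmetric-routing failure."""
        if (dst, src) not in self.flows:
            return None
        reverse = {alias: real for real, alias in self.src_nat.items()}
        return src, reverse.get(dst, dst)


def simulate(use_alias_nat: bool, tn2_host: str = "10.1.0.3", dc_host: str = "172.18.52.7"):
    """Send one packet TN2 -> DC host through the new TN2->DCS tunnel and trace the reply.
    Returns (firewall that received the reply, packet it sent back to TN2 or None)."""
    dcs = Firewall("DCS", src_nat=alias_map(TN2_REAL, TN2_ALIAS) if use_alias_nat else {})
    dcr = Firewall("DCR")
    firewalls = {fw.name: fw for fw in (dcs, dcr)}

    # Forward direction: DCS is the ingress firewall for the new tunnel.
    seen_src, seen_dst = dcs.from_tunnel(tn2_host, dc_host)

    # The DC host answers the source it saw; the shared LAN picks the exit firewall.
    exit_fw = lan_next_hop(seen_src)
    reply = firewalls[exit_fw].from_lan(seen_dst, seen_src)
    return exit_fw, reply


if __name__ == "__main__":
    print("no NAT   :", simulate(use_alias_nat=False))  # ('DCR', None): reply lost
    print("alias NAT:", simulate(use_alias_nat=True))   # ('DCS', ('172.18.52.7', '10.1.0.3'))
```

The check worth keeping from this: whichever box you put the translation on, the alias range must be routed to exactly one firewall on the shared LAN, and the untranslated real range must not also be reachable through the other firewall for the same flows, or the stateful inspection on the ingress firewall is bypassed.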

 

3 Replies

I am not entirely sure I understand what you are trying to do here.  From your diagram it looks as though you have two sets of VPN from TN2 and LD3?  Are the tunnels from TN2 to DCS and LD3 to DCR new tunnels that you are setting up?

What is the result you are trying to achieve?  That resources behind TN2 are reachable from DCS and resources behind LD3 are reachable from DCR?

--
Please remember to select a correct answer and rate helpful posts

Hi Marius

 

I knew I didn't make it clear. The two vertical tunnels are already in place but I want to add the diagonal ones

 

So, are TN2 and LD3 two different paths to the same network or do they just happen to use the same IP subnet?

Either way you would set up the site-to-site VPNs as normal, and in the crypto ACL the source would be 104.223.12.142 and the destinations (for TN2) would be 172.18.48.3 and .4, while LD3 would have destinations of 172.18.52.7 and .8.

 

Also, are you using static or dynamic routing between your DCR and DCS and the networks they connect to?  From the diagram it looks like the firewalls at these two locations are connected via fiber (I cannot read what is in the diagram since when I zoom in the words do not render well.)
