Re: vpn and nat

bluesea2010 · ‎08-02-2021

Hi,

I have the above setup, and the site-to-site VPN is running. The load balancer is peplink .

if in case of any link failure or for load sharing (outbound )the traffic is going through r2 to isp2.

(load balancer NAT the traffic from 1.1.1.1 to 2.2.2.2 )

My question in site to site VPN, can I send the outbound traffic to through R2

Thanks

Rob Ingram · ‎08-02-2021

@bluesea2010

Your design is not clear, what devices is the VPN between, the FW and R2?

You can tunnel internet traffic through a VPN, the destination network needs to be "any". In your scenario a LB between VPN endpoints will not nat the encrypted traffic inside the VPN tunnel. You would have to nat on the FW or router.

bluesea2010 · ‎08-02-2021

Hi,

I will try to clarify

FW is asa . NAT is also enabled on ASA. there is the site to site VPN is running between 1.1.1.1 and 5.5.5.5

My question can I route the outbound traffic from 1.1.1.1 to 5.5.5.5 through R2 and ISP2

The device in-between r2 AND FW will NAT 1.1.1.1 to 2.2.2.2

( Since we don't have our own public IP we are using the above-mentioned device to load share the traffic between ISP 1 and ISP 2 )

Thanks

Rob Ingram · ‎08-03-2021

@bluesea2010

Yes you can nat, assuming NAT Traversal is enabled (it is default on most devices) and the peer device at the remote site is configured to establish a tunnel with both IP addresses.

bluesea2010 · ‎08-03-2021

Hi,

Can I create a tunnel between ASA and the remote site by using the ip 2.2.2.2 and 5.5.5.5

asa Outside interface ip is 1.1.1.1

If it possible I can create another tunnel between ASA and remote through ISP2

Thanks

the ASA outside interface IP Is 1.1.1.1

Rob Ingram · ‎08-03-2021

@bluesea2010

Well the remote peer device (5.5.5.5) will have to establish a tunnel to 2.2.2.2, as you said the ASA doesn't have a public IP address. The LB will in turn will untranslate and route to the ASA on 1.1.1.1 and a tunnel established.