09-02-2010 01:49 AM
Dear all,
Consider 3 locations: head office, branch office and Canada (rough network diagram is attached).
Head office
In the head office I have one /30 public IP and one /29 IP pool + 3 routers.
R2 is the internet router; R3 and R4 are DMVPN routers (all 300 branches are connected to these two).
Branch office
I have 300 branch offices, all using DMVPN with OSPF as the routing protocol.
Canada
All my e-commerce servers are located here.
Required solution
1. All branches should access the e-commerce servers through HO.
2. Establish a VPN tunnel between HO and Canada (e-commerce server location).
3. All branch IPs should be NATed to a public IP and forwarded into the VPN tunnel.
4. The IPsec tunnel will allow only one public IP to another public IP communication.
Could somebody please suggest how I can achieve this / where I can terminate the Canada VPN tunnel / whether I need a third device to achieve this.
09-02-2010 04:18 PM
I think you can terminate the VPN from the e-commerce site on R2.
On R2, configure NAT to NAT all branch office IPs to a public IP.
You need to use the public IP in the ACL for the VPN tunnel between HO and the e-commerce site.
Set up the routing between R2, R3 and R4 accordingly.
It should fix your request.
09-02-2010 07:42 PM
Thank you very much for your valuable suggestion Yudong.
Could you please clarify my queries below?
09-02-2010 09:14 PM
Answers inline
[Wu] It won't be NATed if they come into and go out on the same interface.
Could you please explain why you would like to NAT those branch IPs?
[Wu] I think it should be OK. After the packet is decrypted, the destination IP 1.1.1.4 should be NATed back to the branch IP and then be forwarded based on the routing table. But I have not implemented the same before. I would suggest you run a test in the lab.
09-03-2010 04:14 AM
Thank you again Yudong.
You suggest I terminate the VPN on the R2 router, but the problem is that on R2 both interfaces have public IP addresses and the router is working in routing mode. So where can I do the NATing (BR IPs to public IPs)?
If I introduce a new router, will this solve all the complications?
Kindly suggest me a solution.
09-03-2010 08:58 AM
I don't mind if you would like to add one more router.
It does not matter if both ports on R2 have public IPs. You can always do the NAT on R2.
Say you have S0 and E0 interfaces on R2; S0 is configured as "ip nat outside" and E0 is configured as "ip nat inside". When packets from a branch site to the e-commerce server are routed to the E0 interface of R2, they match the NAT rule you defined and then the source IP (branch IP) will be NATed.
If you add one more router, say R5, you can place it in a similar way to R3 and R4 and move all of your branch tunnels that are terminated on R2 to this new router. So on R3, R4 and R5, you will need a route entry to forward all traffic from the branches to the e-server to the E0 interface of R2. They will be NATed there.
Again, I don't know why you would like to NAT all those branch IPs.
09-04-2010 01:03 AM
I believe you didn't get my question correctly. I will explain again with the attached diagram.
My existing network consists of R2, R3, R4, a core switch and 300 branches (starting from 192.168.1.x to 192.168.254.x). My new requirement is to establish a new VPN tunnel to Canada to access the e-com sites.
But my problem is that the Canada guys will allow only one IP address (public) through the tunnel, so I am forced to NAT all branch IPs to a single public IP and that has to be forwarded through (e.g. the VPN ACL will permit only 1.1.1.4 to 3.3.3.3, where 1.1.1.4 is my NATed IP address).
Please suggest where I can terminate the VPN to achieve my requirements.
09-04-2010 07:23 AM
I do understand your requirement.
The only thing which I don't know is why you would like to PAT the branch IPs, which you did not explain until your last post.
The other thing is what you mentioned in your first post:
"R2 is internet router , R3 and R4 are DM VPN routers (all 300 branches are connected to these two )"
So, based on the above statement, I assume that there is no VPN terminated on R2.
But later on, you said "around 100 branches are connected to R2 as well".
My questions to you are:
1. On R2, do you have 3 active interfaces? Two of them have public IPs and face the internet, and the other one has a private IP and is used for the internal network?
2. If yes, are those 100 branches terminated on one of the interfaces with a public IP, and the other public IP interface is used for the internet connection?
Since you can only NAT to one IP, NAT has to be configured on the router where the e-commerce VPN is terminated.
Regarding where the e-commerce VPN can be terminated, you can use R2 if
- no branch VPN is terminated on R2
OR
- there are branch VPNs terminated on R2 but you can use a different interface to terminate the e-commerce VPN.
(If both VPNs are terminated on the same interface, you cannot NAT the IP.)
Otherwise, you have to add a new router as I stated previously.
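As an added example (not posted by anyone in this thread), the following IOS fragment for R2 puts together the two points Yudong makes above: NAT needs distinct inside and outside interfaces (S0/E0), and the crypto ACL for the Canada tunnel must match the translated address 1.1.1.4 rather than the branch addresses, because IOS translates inside-to-outside traffic before it evaluates the crypto map. Values taken from the thread are the S0/E0 roles, the 192.168.x.x branch ranges, the NAT address 1.1.1.4 and the e-commerce host 3.3.3.3; the peer address 203.0.113.1, the pre-shared key, the pool netmask and all object names are placeholders chosen here.

```cisco
! Added example for R2 (not from the thread). Placeholders: peer 203.0.113.1,
! the PSK, the pool netmask and all names. 1.1.1.4, 3.3.3.3, 192.168.x.x, S0/E0
! come from the discussion above.
!
! 1. Only branch -> e-commerce traffic is translated; everything else on R2
!    (Internet browsing, etc.) is left to whatever NAT policy already exists.
ip access-list extended BRANCH-TO-ECOM
 permit ip 192.168.0.0 0.0.255.255 host 3.3.3.3
!
! 2. PAT all 300 branch subnets to the single address the Canada side permits.
!    A one-address pool with "overload" gives port address translation.
ip nat pool ECOM-PAT 1.1.1.4 1.1.1.4 netmask 255.255.255.0
ip nat inside source list BRANCH-TO-ECOM pool ECOM-PAT overload
!
! 3. Crypto ACL ("interesting traffic"): matched AFTER inside->outside NAT,
!    so it must name the translated host 1.1.1.4, exactly as the Canada ACL does.
ip access-list extended ECOM-VPN
 permit ip host 1.1.1.4 host 3.3.3.3
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
crypto ipsec transform-set ECOM-TS esp-aes 256 esp-sha-hmac
!
crypto map ECOM-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ECOM-TS
 match address ECOM-VPN
!
! 4. Inside and outside MUST be different interfaces: a packet that enters and
!    leaves on the same interface is never translated, and a branch tunnel
!    terminated on S0 would therefore bypass the NAT.
interface Ethernet0
 description internal side, towards core switch / R3 / R4
 ip nat inside
!
interface Serial0
 description Internet side, Canada tunnel terminates here
 ip nat outside
 crypto map ECOM-MAP
!
! R3 and R4 (DMVPN hubs) need a route for 3.3.3.3 pointing at R2's Ethernet0
! address so that branch traffic reaches R2 on the "inside" interface.
```

On the return path the decrypted packet for 1.1.1.4 arrives on Serial0 (nat outside), the translation table maps it back to the originating branch address and port, and normal routing sends it to R3 or R4. A quick check after bringing the tunnel up is `show ip nat translations` (branch source entries should show 1.1.1.4 as the inside global address) alongside `show crypto ipsec sa`, where the packet counters for the 1.1.1.4/3.3.3.3 pair should increment; if the NAT table stays empty while the DMVPN hub and the Canada tunnel share one interface, that is the same-interface problem described above.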