We are looking to move our production environment to a new DC and as usual our 3rd Party VPNs will not be in place at the new DC by the time we move. This means I will be doing some jiggerypockerywhatjamacallit NAT and VPN kludge to get things working. I just wanted to see if anyone has done anything like this before.
I have a S2S VPN between the 2 DC's and will route the traffic from the new DC to the old DC to then use the current 3rd Party VPNs we have set up in the current DC. I will use intra-interface command as the traffic comes in on the outside interface and will go back out of the same interface - as the packet doesn't traverse the firewall and I need to source NAT the packets is that possible? I have to make the packet look like it is coming from the current DC as the 3rd Party VPNs cannot be changed in time either so I have to kludge the source. All of this is using private IP address ranges too.
If I can NAT (outside,outside) real IP to the source of an IP the VPN is expecting to encrypt I might just be able to pull this kludge off.
So you are saying that you have an L2L VPN between 2 of your sites.
On the original site you also have some other VPN setups? Are these terminated on the ASA "outside" also or do you have some separate VPN device on the original site that handles the other VPNs?
The easiest way would probably be to see some current configurations to get a better idea of the setup and the needed configurations.
Especially when NAT is concerned, the software level of the ASA matters a lot.
If I understood you correctly you would want to NAT the VPN users so that they are visible to the new site from a source address already configured on the L2L VPN connection?
I would personally suggest adding some additional NAT network and adding it to the L2L VPN to avoid any kind of overlapping. Naturally if you are doing some kind of NAT/PAT between the old and new site already on the L2L VPN then this will be alot easier. I just presume that you are doing NAT0 as thats the most common practice
Jouni - Hi seems your my personal expert
Basically an application in DC2 needs to talk to a 3rd party over a L2L VPN from DC1 to 3rd Party and look like it is coming from DC1. It is a messy solution but until I have the 3rd Party VPN solutions in DC2 (probably a couple more weeks due to 3rd Party - I have our end ready to go) and we are moving sites this weekend. Not sure why it has to happen so quickly but that's what the customer wants.
Unfortunately I have no test environment and cannot look at configuring this until Sunday as it is in a production environment which is currently using the DC1 source addresses. I will have a small window of opportunity on Sunday to see if I can get it to work and if not the whole project will be backed out. The customer is aware of how delicate the situation is with this configuration and obviously they don't want to back out so pressure is on.
I guess I will just have to try and see on Sunday if I can get a working solution. As the DC1-2-DC2 VPN and DC1-2-3rd Party VPN both terminate on the same firewall (happens to be a pix running version 7.2 (I have yet another project to upgrade those to ASA's when I am given the chance)). I thought the intra-interface option for the outside interface would cover that but wasn't sure if I could NAT the source on that interface too as the packet never actually traverses the firewall.
DC2 DC1 3rd Party
Server (DC2 IP) ---
I will see if I can get it working on Sunday
Basically would need to know if the DC1 to 3RD PARTY L2L VPN is using NAT0 between the local and remote network OR if its using some kind of Dynamic NAT/PAT.
The ideal situation would be if the DC1 to 3RD PARTY L2L VPN was using a Dynamic NAT or PAT configuration. Then atleast it should be possible configure the DC1 and DC2 to share the IP addresses visible to the 3RD PARTY site.
If you are currently using NAT0 then I am not sure how it will work. I have not tested that setup myself.
In the middle of trying this and hit the IPSEC spoof error as it lookslike an IP address that is on the inside of the firewall is the one we are NETing to on the outside interface:
IPSEC Spoof detected
This counter will increment when the security appliance receives a packet which should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue.
We managed to get one of our third parties to get the new VPN done and that works fine but the 2 others we didn't manage to get moved in time. I did inform the client that I wouldn't know if this would work and although it does all the NATing across the DC-2-DC link I then hit the IPSEC Spoof issue.
We tried - they are now going to plan C..... waiting on the other 3rd parties to set up their VPNs later.
Thanks for your help with this.
I guess the problem for the most part the fact that the original L2L VPN configurations to the 3rd party sites were using the original LAN network as the source address coupled with the NAT0 configurations on original DC.
Is the source network/subnet for the L2L VPN connections large or is it perhaps some single /24 subnet?
To be honest, would have to see the configurations to be able to even try to test this setup.
I think the last time I have gotten IPsec Spoof messages when ages ago I was trying to use the "packet-tracer" command to simulate traffic coming from the outside to check L2L VPN rules. Naturally that didnt work and I think the result was that the "packet-tracer" failed with the reason IPsec spoof.
Hi, what are you doing replying on a Sunday - Yes the local subnets on the firewall are still used for other services and this particular device is a .2 on a /24. The 3rd party VPN can't be changed as that takes longer than getting the new VPNs in and that's taken more than 4 weeks - no idea why it takes these guys so long to set up a simple L2L VPN which would have meant none of this messing around - the client decided to move to Plan C so no need to worry about it any more. My next task will be to get the new VPNs working hopefully next week... Thanks again for your time though it is very much appreciated as I am the only network resource we have so nobody to bouce ideas off of. Take it easy.
Well I got automatic notifications to my email when new posts are made to Firewall and VPN sections of the forums and I am quite often on the computer. Depending if I know or might know the answer I usually reply since it usually takes a minute or two.
Also reading some Cisco certification books at the moment so writing feels almost like a break from the reading
Hope you get the setup sorted
Good luck on the reading - I am looking to sit the CCNP Secuirty VPN exam in a couple of weeks. Things like this just make my head spin - I need a test environment at home I am sure I would have been on my PC at home if I wasn't here - my 6 year old son shows me how to do stuff better than me these days.
I just decided a couple of months ago that I would start going for the certifications. So I am just starting with the CCNA R&S.
I never enjoyed the type of exam we had on the Cisco Networking Academy. Having questions that try more to misslead you than perhaps ask you the question clearly. Everything being multiple choice questions. I prefer being asked a question and answering it in writing than tagging some box.
I'd imagine I will try to go CCNA R&S -> CCNA Security -> CCNP Security and perhaps after that CCNP R&S as those are the areas more close to my everyday work.
Will have to see how it will go.
Yeah I am not a fan of exams - I have a lot of years experience behind me working mainly in the financial world so managed to get my hands of a lot of good kit over the years - just built 2 DC's using Nexus 7Ks and 5Ks using VDC's VPC's VRF's etc... all good stuff. Then you get to work for a company that has been built badly and having to reengineer production enviroments with no test environment. I have seen both ends of the spectrum now I am contracting Good luck with the exams though I have a feeling you'll fly through them no problem at all. I am getting a bit old these days so doubt I'll go further than CCNP Security I maybe need to change career I can't do anything else though.
I am sure I'll catch up with you again on the forums.
Thanks again for your reply - we are doing no-nat on the DC1 to 3rd Party VPN. this is why i can't test this until Sunday as the real IP addresses are in constant use but I will have a window where we will switch those off so I can look at source NAT from the DC2 IP addresses. I raised this issue in our meeting today and now management is going to be putting the pressure on the 3rd Parties to get the VPNs in by the weekend in DC2. Fingers crossed I wasn't around in the days when the original 3rd Party VPNs were set-up so having to deal with what I have here.
No worries thanks again for responding though. I will make up a test source NAT for outside to outside and see if packet trace lets it through it would be one less thing to worry about.