Jouni - Hi seems your my personal expert

Basically an application in DC2 needs to talk to a 3rd party over a L2L VPN from DC1 to 3rd Party and look like it is coming from DC1. It is a messy solution but until I have the 3rd Party VPN solutions in DC2 (probably a couple more weeks due to 3rd Party - I have our end ready to go) and we are moving sites this weekend. Not sure why it has to happen so quickly but that's what the customer wants.

Unfortunately I have no test environment and cannot look at configuring this until Sunday as it is in a production environment which is currently using the DC1 source addresses. I will have a small window of opportunity on Sunday to see if I can get it to work and if not the whole project will be backed out. The customer is aware of how delicate the situation is with this configuration and obviously they don't want to back out so pressure is on.

I guess I will just have to try and see on Sunday if I can get a working solution. As the DC1-2-DC2 VPN and DC1-2-3rd Party VPN both terminate on the same firewall (happens to be a pix running version 7.2 (I have yet another project to upgrade those to ASA's when I am given the chance)). I thought the intra-interface option for the outside interface would cover that but wasn't sure if I could NAT the source on that interface too as the packet never actually traverses the firewall.

DC2                                             DC1                                                                     3rd Party
------------------------------------------------------------------------------------------------------------------------------------------

Server (DC2 IP) ------ (outside) PIX (outside) (Source NAT to have DC1 IP address) ---<3rd Party VPN>--- 3RD Party firewall - (Destination server)

I will see if I can get it working on Sunday

Z

Hi,

Basically would need to know if the DC1 to 3RD PARTY L2L VPN is using NAT0 between the local and remote network OR if its using some kind of Dynamic NAT/PAT.

The ideal situation would be if the DC1 to 3RD PARTY L2L VPN was using a Dynamic NAT or PAT configuration. Then atleast it should be possible configure the DC1 and DC2 to share the IP addresses visible to the 3RD PARTY site.

If you are currently using NAT0 then I am not sure how it will work. I have not tested that setup myself.

- Jouni

Jouni,

In the middle of trying this and hit the IPSEC spoof error as it lookslike an IP address that is on the inside of the firewall is the one we are NETing to on the outside interface:

We managed to get one of our third parties to get the new VPN done and that works fine but the 2 others we didn't manage to get moved in time. I did inform the client that I wouldn't know if this would work and although it does all the NATing across the DC-2-DC link I then hit the IPSEC Spoof issue.

We tried - they are now going to plan C..... waiting on the other 3rd parties to set up their VPNs later.

Thanks for your help with this.

Z

Hi,

I guess the problem for the most part the fact that the original L2L VPN configurations to the 3rd party sites were using the original LAN network as the source address coupled with the NAT0 configurations on original DC.

Is the source network/subnet for the L2L VPN connections large or is it perhaps some single /24 subnet?

To be honest, would have to see the configurations to be able to even try to test this setup.

I think the last time I have gotten IPsec Spoof messages when ages ago I was trying to use the "packet-tracer" command to simulate traffic coming from the outside to check L2L VPN rules. Naturally that didnt work and I think the result was that the "packet-tracer" failed with the reason IPsec spoof.

- Jouni

Jouni,

Hi, what are you doing replying on a Sunday - Yes the local subnets on the firewall are still used for other services and this particular device is a .2 on a /24. The 3rd party VPN can't be changed as that takes longer than getting the new VPNs in and that's taken more than 4 weeks - no idea why it takes these guys so long to set up a simple L2L VPN which would have meant none of this messing around - the client decided to move to Plan C so no need to worry about it any more. My next task will be to get the new VPNs working hopefully next week... Thanks again for your time though it is very much appreciated as I am the only network resource we have so nobody to bouce ideas off of. Take it easy.

Z

Well I got automatic notifications to my email when new posts are made to Firewall and VPN sections of the forums and I am quite often on the computer. Depending if I know or might know the answer I usually reply since it usually takes a minute or two.

Also reading some Cisco certification books at the moment so writing feels almost like a break from the reading

Hope you get the setup sorted

- Jouni

Jouni,

Good luck on the reading - I am looking to sit the CCNP Secuirty VPN exam in a couple of weeks. Things like this just make my head spin - I need a test environment at home I am sure I would have been on my PC at home if I wasn't here - my 6 year old son shows me how to do stuff better than me these days.

Z

I just decided a couple of months ago that I would start going for the certifications. So I am just starting with the CCNA R&S.

I never enjoyed the type of exam we had on the Cisco Networking Academy. Having questions that try more to misslead you than perhaps ask you the question clearly. Everything being multiple choice questions. I prefer being asked a question and answering it in writing than tagging some box.

I'd imagine I will try to go CCNA R&S -> CCNA Security -> CCNP Security and perhaps after that CCNP R&S as those are the areas more close to my everyday work.

Will have to see how it will go.

- Jouni

Yeah I am not a fan of exams - I have a lot of years experience behind me working mainly in the financial world so managed to get my hands of a lot of good kit over the years - just built 2 DC's using Nexus 7Ks and 5Ks using VDC's VPC's VRF's etc... all good stuff. Then you get to work for a company that has been built badly and having to reengineer production enviroments with no test environment. I have seen both ends of the spectrum now I am contracting Good luck with the exams though I have a feeling you'll fly through them no problem at all. I am getting a bit old these days so doubt I'll go further than CCNP Security I maybe need to change career I can't do anything else though.

I am sure I'll catch up with you again on the forums.

Jouni,

Thanks again for your reply - we are doing no-nat on the DC1 to 3rd Party VPN.  this is why i can't test this until Sunday as the real IP addresses are in constant use but I will have a window where we will switch those off so I can look at source NAT from the DC2 IP addresses. I raised this issue in our meeting today and now management is going to be putting the pressure on the 3rd Parties to get the VPNs in by the weekend in DC2. Fingers crossed I wasn't around in the days when the original 3rd Party VPNs were set-up so having to deal with what I have here.

No worries thanks again for responding though. I will make up a test source NAT for outside to outside and see if packet trace lets it through it would be one less thing to worry about.

Thanks again,

Z