Hi guys
I hope someone can offer me some assistance with this. Here’s the basic summary:
There are 4 datacentres, TN2 - LD3 - DCR - DCS
I have an IPSec tunnel between TN2 > DCR and LD3 > DCS
Diagram below:
Traffic routes between these tunnels back and forth and everything works fine. What I now need to do is introduce cross routing so that each datacentre can route to the other one. For instance, TN2 > DCS and LD3 > DCR. The problem I have is although I can send traffic from TN2 to DCS, it is unable to route back the same way, hence resulting in asymmetric routing.
My plan:
I’ve never done anything this advanced so would be grateful for any advice. What I’m planning to do is to double NAT incoming traffic to take the correct route back.
Let’s take TN2 to DCS as an example. I will plan to configure source NAT at TN2. Connections will come into TN2 NATed behind IP address 172.18.48.0/24. At TN2 this IP will route through the VPN tunnel and reach DCS, where it will be NATed to 172.30.100.0/24. This is a routable range within the LAN and won’t have any problem routing back the correct way.
So specifically, I have the following NAT configured on DCS firewall - 104.223.12.142 is the outside interface:
Original Dest    NATd Dest      NATd source       peer GW
172.30.100.7     172.18.52.7    104.223.12.142    LD3
172.30.100.8     172.18.52.8    104.223.12.142    LD3
172.30.100.3     172.18.48.3    104.223.12.142    TN2
172.30.100.4     172.18.48.4    104.223.12.142    TN2
Does this make sense?
Any review (however critical) would be appreciated
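One way to review a plan like this before touching the firewalls is to trace each flow through a stateful NAT model and confirm the reply maps back over the same tunnel. The following is an added example, not the poster's configuration or any vendor's NAT implementation: it loads the DCS rule table from the post into a generic state-table model, checks that each Original Dest round-trips symmetrically, and flags any destination assigned to more than one peer; the client address used in the checks is constructed.

```python
# Added example (not the poster's config): a stateful NAT model fed with the DCS
# rule table from the post; client/reply addresses used in checks are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    orig_dst: str   # "Original Dest": address the sender uses
    natd_dst: str   # "NATd Dest": real address after destination NAT
    natd_src: str   # "NATd source": firewall outside IP written in as source
    peer: str       # "peer GW": tunnel the translated packet is sent over

DCS_RULES = (
    NatRule("172.30.100.7", "172.18.52.7", "104.223.12.142", "LD3"),
    NatRule("172.30.100.8", "172.18.52.8", "104.223.12.142", "LD3"),
    NatRule("172.30.100.3", "172.18.48.3", "104.223.12.142", "TN2"),
    NatRule("172.30.100.4", "172.18.48.4", "104.223.12.142", "TN2"),
)

class NatFirewall:
    def __init__(self, rules):
        # state: (natd_src, natd_dst, peer) -> (client, orig_dst)
        self.rules, self.state = rules, {}

    def forward(self, client, dst):
        """Translate client->dst; returns (new_src, new_dst, peer) or None."""
        for r in self.rules:
            if r.orig_dst == dst:
                self.state[(r.natd_src, r.natd_dst, r.peer)] = (client, dst)
                return r.natd_src, r.natd_dst, r.peer
        return None

    def reply(self, src, dst, peer):
        """Un-NAT a reply seen on `peer`; None when no state matches (wrong tunnel)."""
        entry = self.state.get((dst, src, peer))
        return None if entry is None else (entry[1], entry[0])

def path_is_symmetric(rules, client, dst, reply_peer=None):
    """True when the reply over reply_peer (default: forward tunnel) un-NATs to the original pair."""
    fw = NatFirewall(rules)
    fwd = fw.forward(client, dst)
    if fwd is None:
        return False
    new_src, new_dst, peer = fwd
    return fw.reply(new_dst, new_src, reply_peer or peer) == (dst, client)

def ambiguous_destinations(rules):
    """Original Dests mapped to more than one peer: replies could take either tunnel."""
    peers = {}
    for r in rules:
        peers.setdefault(r.orig_dst, set()).add(r.peer)
    return sorted(d for d, p in peers.items() if len(p) > 1)
```

Passing a different `reply_peer` than the forward tunnel models exactly the asymmetric case described above: the reply finds no state and is dropped rather than un-NATed.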