I hope someone can offer me some assistance with this. Here’s the basic summary:
There are 4 datacentres, TN2 - LD3 - DCR - DCS
I have an IPSec tunnel between TN2 > DCR and LD3 > DCS
Traffic routes between these tunnels back and forth and everything works fine. What I now need to do is introduce cross routing so that each datacentre can route to the other one. For instance, TN2 > DCS and LD3 > DCR. The problem I have is although I can send traffic from TN2 to DCS, it is unable to route back the same way, hence resulting in asymmetric routing.
I’ve never done anything this advanced so would be grateful for any advice. What I’m planning to do is to double NAT incoming traffic to take the correct route back.
Let’s take TN2 to DCS as an example. I will plan to configure source NAT at TN2. Connections will come into TN2 NATed behind IP address 172.18.48.0 /24. At TN2 this IP will route through the VPN tunnel and reach DCS, where it will be NATed to 172.30.100.0/24. This is a routable range within the LAN and won’t have any problem routing back the correct way.
So specifically, I have the following NAT configured on DCS firewall - 126.96.36.199 is the outside interface:
Original Dest NATd Dest NATd source peer GW 172.30.100.7 172.18.52.7 188.8.131.52 LD3 172.30.100.8 172.18.52.8 184.108.40.206 LD3 172.30.100.3 172.18.48.3 220.127.116.11 TN2 172.30.100.4 172.18.48.4 18.104.22.168 TN2
Does this make sense?
Any review (however critical) would be appreciated