Sunday, January 20, 2019

Translating (NAT'ing?) outbound IP addresses.

I can add way more information if needed but I was wondering if translating outbound traffic was something that could be handled in either a Layer 3 switch or ASA (Cisco equipment)?

EDIT 1: We currently have no Layer 3 switch and one ASA 5505 with two internet circuits (P1 and P2). The circuits are from different providers and P1 is way better than P2. P1 and P2 are different IP addresses and are static. For most of our VPN tunnels, the destination supports backup peer IP configuration so if we use P2 the VPN will continue to work.

We brought on a new destination that does not support backup peer IP. To allow for any type of connectivity to this dest while using P2, we've had to set up a separate VPN with the source IP as P2. The destination side has set up a VIP on their side. Assume that we access the machines using their IPs when using P1 (10.32.83.0/27 for example). When using P2 we need to use 100.98.255.0/27 and the VIP on the dest side will "translate" that to 10.32.83.0/27.

That solution is not good for a host of reasons so we're buying another ASA and giving it P2 (existing ASA will only have P1). We're also buying a Layer 3 switch to handle the IP SLA between the two ASAs (and hence two internet circuits). My networking group is telling me that once this is installed we'll need to have the destination remove the VIP so that we'll target 10.32.83.0/27 regardless of ASA/circuit. I want to only have to target one range but I also don't want to have the destination do anything that might screw something up (they've been awful up to this point). So I was hoping to simply have the new ASA w/ P2 take anything destined for 10.32.83.0/27 and DNAT it to 100.98.255.0/27. Once the destination gets it their VIP will de-DNAT it to 10.32.83.0/27.

Or is all of this a lot more trouble than it's worth?
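For reference, this is what the destination translation described above looks like in ASA 8.3+ manual (twice) NAT syntax on the new P2 ASA. It is an added example, not configuration from the post or from Cisco; the interface names (inside/outside), the rule and object names, and the placeholder inside LAN are assumptions.

```cisco
! Added example (assumed names): destination NAT 10.32.83.0/27 -> 100.98.255.0/27
! on the ASA that owns the P2 circuit. Equal-size /27 subnets give a 1:1 host mapping.
!
! Placeholder for your own LAN; replace before use.
object network INSIDE_NET
 subnet 192.0.2.0 255.255.255.0
!
! The range as your hosts address it (what the packet carries when it enters the ASA)
object network DEST_AS_ADDRESSED
 subnet 10.32.83.0 255.255.255.224
!
! The range the peer's VIP expects on the P2 tunnel (what leaves the ASA)
object network DEST_VIA_P2
 subnet 100.98.255.0 255.255.255.224
!
! Manual NAT: source unchanged, destination rewritten.
! Syntax is "destination static <mapped> <real>": the mapped object is the address
! the inside host sends to, the real object is what the ASA puts on the wire.
! Keep this rule above any broad VPN identity-NAT (exemption) rule in section 1,
! or the exemption matches first and the destination is never rewritten.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static DEST_AS_ADDRESSED DEST_VIA_P2
!
! On the ASA, NAT is applied before crypto-map matching for outbound traffic, so the
! interesting-traffic ACL for the P2 tunnel must reference the post-NAT range.
access-list P2_VPN_TRAFFIC extended permit ip object INSIDE_NET object DEST_VIA_P2
```

Verify with `show nat detail` (hit counters on the rule) and `packet-tracer input inside tcp 192.0.2.10 12345 10.32.83.5 443` to confirm the translated destination before the crypto phase.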
