NAT - backwards


I've never actually seen this done, but I'm positive it can work - I just
can't figure out the syntax: I need to NAT two outside global addresses to
the address of a firewall on one of the LAN interfaces.

This solution is intended to support two different groups of VPN clients in
a primary/failover configuration.  The firewalls serving the VPNs apparently
don't support loopback interfaces, so the VPN clients have to be configured
with the outside IP address of the respective firewalls.  I can't just NAT
all the traffic going through to the firewall because it supports other
services.  After going over several possibilities, the only solution I can
think of is to allocate two host addresses, call them PrimA and PrimB (PrimA
used by clients using site A as their primary, PrimB used by B site
clients), and NAT both of them at their respective sites to their respective
firewalls' outside IP addresses:

(All IP addresses are public, i.e. non-RFC 1918, but I use RFC 1918 here as
examples)

AWAN intfc 172.16.1.2/30
ALAN intfc 10.1.1.1/28
AFirewall 10.1.1.2/28

BWAN intfc 172.16.2.2/30
BLAN intfc 10.1.2.1/28
BFirewall 10.1.2.2/28

PrimA 192.168.1.1
PrimB 192.168.2.1

I want to NAT both 192.168.1.1 and 192.168.2.1 to the firewall's outside IP
address:

ASite: 192.168.1.1 and 192.168.2.1 both NAT to 10.1.1.2

BSite: 192.168.1.1 and 192.168.2.1 both NAT to 10.1.2.2

Is this so simple I can't see it?  Or is this a potential hornet's nest?  I'm
having a serious mental block here; I'm sure it's not difficult, but I can't
figure it out.

TIA for any assistance!!

m j tierney
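The following is an added toy model of the site-A mapping the post asks for (two outside globals, PrimA and PrimB, both translated to the firewall's address); it is constructed here and is not from the original post or any vendor's NAT implementation. It uses the post's RFC 1918 placeholders plus constructed client and peer addresses, and shows the one point a practitioner would want checked before deploying this: replies can always be mapped back to the global the client used, but traffic the firewall itself originates (its "other services") has no state to consult, so a one-local-to-two-globals static mapping is ambiguous in that direction and the box has to pick one.

```python
# Constructed toy model of "two outside globals -> one firewall" static NAT
# at site A. Not from the original post; addresses are the post's RFC 1918
# placeholders plus constructed client/peer addresses (203.0.113.x etc.).

# Site A: outside global -> inside local (the firewall's outside address)
STATIC_A = {"192.168.1.1": "10.1.1.2", "192.168.2.1": "10.1.1.2"}


class StaticNat:
    def __init__(self, static):
        self.static = static
        # Translation state: (peer, inside_local, proto, peer_port) -> global used.
        # A real device keys on the full 5-tuple; this is enough to show the point.
        self.conntrack = {}

    def inbound(self, pkt):
        """Packet from the WAN: rewrite dst global to the firewall address."""
        local = self.static.get(pkt["dst"])
        if local is None:
            return None  # no static entry for this destination
        self.conntrack[(pkt["src"], local, pkt["proto"], pkt["sport"])] = pkt["dst"]
        return {**pkt, "dst": local}

    def outbound(self, pkt):
        """Packet from the firewall toward the WAN. Returns (pkt, ambiguous)."""
        key = (pkt["dst"], pkt["src"], pkt["proto"], pkt["dport"])
        glob = self.conntrack.get(key)
        if glob is not None:
            return {**pkt, "src": glob}, False  # reply: restore the global the client used
        # Firewall-initiated flow: no state to consult, and two globals map to
        # this local address, so the source to use is ambiguous.
        candidates = sorted(g for g, l in self.static.items() if l == pkt["src"])
        return {**pkt, "src": candidates[0]}, len(candidates) > 1


def demo():
    nat = StaticNat(STATIC_A)
    # A site-B-primary VPN client (constructed address) failing over to site A via PrimB
    ike = {"src": "203.0.113.5", "dst": "192.168.2.1", "proto": "udp", "sport": 500, "dport": 500}
    inside = nat.inbound(ike)
    reply = {"src": "10.1.1.2", "dst": "203.0.113.5", "proto": "udp", "sport": 500, "dport": 500}
    out, amb_reply = nat.outbound(reply)
    # The firewall itself opening a connection outward (one of its other services)
    fresh = {"src": "10.1.1.2", "dst": "198.51.100.9", "proto": "tcp", "sport": 40000, "dport": 443}
    _, amb_fresh = nat.outbound(fresh)
    return inside["dst"], out["src"], amb_reply, amb_fresh


if __name__ == "__main__":
    print(demo())  # ('10.1.1.2', '192.168.2.1', False, True)
```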

