NAT - backwards

I've never actually seen this done, but I'm positive it can work - I just can't figure out the syntax: I need to NAT two outside global addresses to the address of a firewall on one of the LAN interfaces.

This solution is intended to support two different groups of VPN clients in a primary/failover configuration. The firewalls serving the VPNs apparently don't support loopback interfaces, so the VPN clients have to be configured with the outside IP address of the respective firewalls. I can't just NAT all the traffic going through to the firewall because it supports other services. After going over several possibilities, the only solution I can think of is to allocate two host addresses, call them PrimA and PrimB (PrimA used by clients using site A as their primary, PrimB used by B site clients), and NAT both of them at their respective sites to their respective firewalls' outside IP addresses:

(All IP addresses are public, i.e. non-RFC1918, but I use RFC1918 here as examples)

Site A: WAN intfc 172.16.1.2/30, LAN intfc 10.1.1.1/28, AFirewall 10.1.1.2/28

Site B: WAN intfc 172.16.2.2/30, LAN intfc 10.1.2.1/28, BFirewall 10.1.2.2/28

PrimA 192.168.1.1, PrimB 192.168.2.1

I want to NAT both 192.168.1.1 and 192.168.2.1 to the firewall's outside IP address:

ASite: 192.168.1.1 and 192.168.2.1 both NAT to 10.1.1.2

BSite: 192.168.1.1 and 192.168.2.1 both NAT to 10.1.2.2

Is this so simple I can't see it? Or is this a potential hornet's nest? I'm having a serious mental block here; I'm sure it's not difficult, but I can't figure it out.

TIA for any assistance!!

m j tierney
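As an added illustration of the many-to-one mapping asked about above (example code, not from the post or any vendor), the model below rewrites packets for PrimA and PrimB to a site's firewall and shows why the reverse direction needs per-flow state: the firewall replies from one address, so the router can only restore the correct public address (192.168.1.1 or 192.168.2.1) by remembering which one each client used. It assumes flows are identified by UDP ports (IKE/NAT-T), and the client addresses and ports are constructed sample values.

```python
# Constructed example values, taken from the post (RFC1918 stands in for public space).
FIREWALL = {"A": "10.1.1.2", "B": "10.1.2.2"}
PUBLIC_HOSTS = {"192.168.1.1", "192.168.2.1"}   # PrimA, PrimB


class SiteNat:
    """Stateful destination NAT for one site: both public host addresses
    map to that site's firewall; other destinations are left untouched."""

    def __init__(self, site):
        self.fw = FIREWALL[site]
        # (client_ip, client_port, firewall_port) -> public address the client used.
        # Needed because one inside address has two outside addresses; without
        # this table the return packet's source address is ambiguous.
        self.conntrack = {}

    def inbound(self, pkt):
        """Packet arriving on the WAN interface, headed for the LAN."""
        if pkt["dst"] not in PUBLIC_HOSTS:
            return dict(pkt)            # e.g. traffic to the firewall's other services
        self.conntrack[(pkt["src"], pkt["sport"], pkt["dport"])] = pkt["dst"]
        return {**pkt, "dst": self.fw}  # rewrite destination to the firewall

    def outbound(self, pkt):
        """Packet from the LAN heading out the WAN interface."""
        if pkt["src"] != self.fw:
            return dict(pkt)
        public = self.conntrack.get((pkt["dst"], pkt["dport"], pkt["sport"]))
        if public is None:
            return None                 # no matching inbound flow: cannot pick PrimA vs PrimB, drop
        return {**pkt, "src": public}   # restore the address the client expects


def demo():
    """Site-B-primary client fails over to site A using PrimB; reply must come back from PrimB."""
    nat = SiteNat("A")
    req = nat.inbound({"src": "203.0.113.10", "sport": 500, "dst": "192.168.2.1", "dport": 500})
    rep = nat.outbound({"src": "10.1.1.2", "sport": 500, "dst": "203.0.113.10", "dport": 500})
    return req["dst"], rep["src"]


if __name__ == "__main__":
    print(demo())
```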
