Bit of a long brief, I know, but...
I'm doing a feasibility study for offloading some of our servers to a datacentre, with DR at a second datacentre. We have some infrastructure already in place at these sites (namely, an ASA5510 and C2960 at each) and would like to configure these for inbound VPN access from our site. We are not expecting fully automatic failover to the secondary site, but I would like to minimise the required config, should a DR situation occur.
Given the primary centre's LAN range is 172.a.1.0/24 and the secondary is 172.b.1.0/24 (with peers 80.a.a.a and 80.b.b.b, respectively), my thoughts are to establish two standard VPN tunnels from our local ASA5505 (peer 62.x.x.x, LAN 192.168.x.0/24), so I can access both sites independently.
Additionally, to facilitate the minimal config requirement, I think it should be reasonable to establish a single tunnel to the primary peer via an arbitrary third LAN range (192.168.y.0/24) and have the primary site's ASA5510 do a one-to-one translation of 192.168.y.0/24 to 172.a.1.0/24. In the case of DR, I'd swap this tunnel's peer to that of the secondary site and configure the second site to translate 192.168.y.0/24 to 172.b.1.0/24. If our local DNS server mapped the server names to the 192.168.y.0/24 addresses, our local nodes shouldn't be any of the wiser, in the event of a DR.
My question is, is this inside NAT feasible with an ASA5510? I'm certain it should be but I do not have the funds secured for an adequate test rig. Also, I'm reasonably familiar with static, global and nat commands (in a copy/paste capacity on my outside interface) but I'm having trouble picturing it; can someone get me started?
J.
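An added sketch of the datacentre-side configuration the design above describes (this is not from the post or any answer, and it assumes pre-8.3 ASA syntax, i.e. the static/global/nat commands mentioned, with the post's placeholder addresses and the hypothetical names OUTSIDE_MAP, VPN_HQ and ESP-AES-256-SHA):

```cisco
! Primary datacentre ASA5510 (peer 80.a.a.a). Real servers sit in 172.a.1.0/24;
! HQ (192.168.x.0/24 behind the ASA5505 at 62.x.x.x) only ever sees 192.168.y.0/24.
! Placeholder addresses are the post's own; substitute the real values.
!
! 1. Net-to-net one-to-one static: static (real_ifc,mapped_ifc) MAPPED REAL netmask ...
static (inside,outside) 192.168.y.0 172.a.1.0 netmask 255.255.255.0
!
! 2. Interesting traffic for the tunnel is written with the MAPPED range,
!    because on 8.2 the crypto map is evaluated after NAT.
access-list VPN_HQ extended permit ip 192.168.y.0 255.255.255.0 192.168.x.0 255.255.255.0
!
! 3. Check: the NAT-exemption ACL (nat (inside) 0 access-list ...) must NOT also
!    cover 172.a.1.0/24 -> 192.168.x.0/24. Exemption is matched before static,
!    so such a line would send the traffic untranslated and it would miss VPN_HQ.
!
! 4. Standard LAN-to-LAN IPsec towards the HQ ASA5505 (IKEv1, PSK)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_HQ
crypto map OUTSIDE_MAP 10 set peer 62.x.x.x
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 62.x.x.x type ipsec-l2l
tunnel-group 62.x.x.x ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
!
! Secondary datacentre ASA5510 (peer 80.b.b.b): identical, except the static maps
! the same 192.168.y.0/24 onto its own real range:
! static (inside,outside) 192.168.y.0 172.b.1.0 netmask 255.255.255.0
!
! HQ ASA5505 side: mirror ACL 192.168.x.0/24 -> 192.168.y.0/24 (exempted from its
! own NAT), and "set peer 80.a.a.a" becomes "set peer 80.b.b.b" in a DR switch.
```

Because both datacentres present the same 192.168.y.0/24 to HQ, only the HQ crypto map peer and the local DNS records need to change in a DR switch, which is the minimal-config goal described above.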