Petri IT Knowledgebase Forums
 

which interface to use for secondary ISP when implementing failover

  #1  
17th August 2012, 01:17
babbtong

Hi, I searched the forum but the other topics seem a bit different. We have a Cisco 2800 router, and 2 WAN links, a FIOS connection and a T1 multilink. The FIOS is connected to our router via an unmanaged switch, and the T1s are connected via serial port. We are using route-map ISP along with SLA and a default route with higher administrative distance to have the connection fail over from FIOS, our primary, to the T1s. We also have a VPN tunnel set up with our remote office, using an ASA5520 on both sides. Our primary VPN tunnel is ok, but we are trying to configure a secondary tunnel so that if our connection fails over, the tunnel will as well. I am trying to figure out what IP address to give to our remote site for the tunnel group. Our infrastructure is:

T1/FIOS -> Router -> Firewall -> Core Switch.

The interface on the firewall that is connected to the router has the IP 10.10.2.2, and is NATed to the IP address that we use for our primary tunnel. Do I have to NAT an IP from the T1 IP block to an internal interface, and if so, which interface do I use? I don't think I can NAT an interface twice, can I?

Sorry if this is confusing, I've taken ICND 1+2 classes, but have yet to pass the exams/learn much more than that, so I'm basically teaching myself as I go. I've inherited a mess from the previous systems admin, so I'm trying to figure the network out, but I can attach a diagram if that would help.
  #2  
17th August 2012, 03:46
auglan (Moderator)

This may help you out. Your situation is a little different as your ASAs are not at the edge but you should be able to piece together a working configuration. The issue you're going to have is that you can't have 2 static NATs going to the same internal IP address (ambiguous) as the ASA would never know which one to use. I know as of ASA 8.3 and above, it does support one-to-many static NAT, so you may want to look at that as well. It may be possible to throw a switch in between the router and ASA, then if you have a free interface on the ASA configure an internal IP in a separate subnet and then do the same on the router as well. (So this would require a free Ethernet interface on both the ASA and router.) Another solution would be to terminate the VPNs on the router itself, then you wouldn't have to worry about NAT at all.


https://supportforums.cisco.com/comm...dant-isp-links
__________________
CCNA, CCNA-Security, CCNP
CCIE Security (In Progress)

Last edited by auglan; 17th August 2012 at 04:11..
  #3  
17th August 2012, 18:01
babbtong

Thanks, I'm not sure why we use the ASA instead of the routers for terminating the VPN. I need to look into the pros and cons of each and see what it's about. I tried accessing that link, but I get the error message "It appears you're not allowed to view what you requested. You might contact your administrator if you think this is a mistake."

If I configure the switch between the router and ASA, I would not have to do any more configuration besides the interfaces, correct? Because the packets are getting sent from the inside network to the router through the 10.10.2.2 interface, but this doesn't matter since the router would then route the traffic to the internet based on the routing rules set up by route-map and the other commands? And, when the tunnel is set up and communicating over the T1 router/switch/ASA interface, the firewall has routing tables for the internal IPs, so as long as the packets can get sent to the ASA, it should route correctly right?

Thanks for your help, it's really appreciated while I try to wrap my brain around this.
  #4  
17th August 2012, 18:13
auglan (Moderator)

Yeah that link isn't working for some reason. It was working last night though. I would have a look at the configuration guide for the ASA model/Code version you are using as it may offer some configuration examples.