NAT over 2 VPN Connections

Question

See the image below for the layout. Users behind the Meraki firewall need to reach the server behind the ASA firewall by traversing the Site2Site network between the Meraki and XG, then over the Site2Sit between the XG and ASA. 
 We know it's possible if we include the Meraki LAN in the config between the XG and ASA, but we would like to avoid that, if possible, for several reasons. 
 I tried setting up NAT based on these instructions: 
 https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SiteToSiteVPN/HowToArticles/S2sVPNIPsecCreateIPsecRouteNAT/index.html 
 In my case, instead of the remote network needing to reach the Head Office DMZ, it needs to reach a network that is across another Site2Site VPN, but it's not working. Maybe I set something up wrong or maybe it won't work because there are 2 VPN connections involved?

Sreenivasulu Naidu · Answer

With policy based VPN, on SFOS, LAN traffic of Meraki coming into SFOS over VPN will go through ipsec0 interface (this is a pseudo interface used for routing the trafic into another port). On ipsec0 interface, I don't think there is any way to apply NAT rules (on UI) or ipsec_route command (using CLI) to instruct changing the source IP or destination IP to ip of LAN behind ASA. 
 
 With Route based VPN, assuming you use route based VPN on Meraki and on ASA, it is straight forward and no NAT'ing required: 
 * Establish route based VPN between Meraki and SFOS, and from SFOS to ASA with traffic selectors as Any/Any (Any/Any is with reference to SFOS, you can use equivalent of it on Meraki and ASA). 
 * On SFOS, add an ip to xfrm interface towards Meraki and towards ASA; similarly, equivalent configs to be done on Meraki and ASA. 
 * Add static route on Meraki to reach LAN of ASA via the interface on Meraki that is equivalent of xfrm on SFOS. I am not sure what is the equivalent of xfrm on Meraki. 
 * Add static routes on SFOS separately to reach LAN of Meraki and LAN of ASA via corresponding xfrm interfaces. 
 * Add static route on ASA to reach LAN of Meraki via tunnel interface (or the equivalent of xfrm interface on ASA). 
 * Now, LAN of Meraki should be able to reach LAN of ASA or vice-versa. 
 If you are not able to pass traffic via route based VPN, please refer some of the documents available over Internet related to this.

NAT over 2 VPN Connections

Top Replies