Bit of a real world scenario that I'm currently working on, but need to pick brains about why I've had to do what I've done.
Scenario is that I have a router in a DMZ performing an IPsec VPN to a 3rd party. This is to act as a backup service in the event of my primary Frame Relay service dying a death. My new router sits in a separate DMZ to my internet, so is essentially a router on a stick. A key requirement is to perform some monitoring over the VPN service and to alert in the event that the remote end server we need to access goes down. The other issue is that I need to PAT all traffic behind an IP, as provided by the 3rd party. So far so good.

My configuration is as follows:

1. I've configured my one interface with NVI capability (ip nat enable)
2. I've configured my IPsec VPN tunnel
3. I've configured my PAT
4. I've configured my IP SLA to monitor the end point and send an SNMP trap

Now - points 1 - 3 all work very well. My machines/devices in other subnets can route to the LAN on the other side of the VPN tunnel and they get NATed. My issue comes with the IP SLA. My IP SLA uses a loopback as the source of the ICMP echoes to my remote server, but the traffic is NEVER NATed.

I understand that with the traditional NAT method of defining nat inside/outside, NATing of source/destination determines whether a router routes first and then NATs, or the reverse. I thought that with an NVI this concept becomes defunct?

To overcome my issue I've introduced a second loopback, configured PBR and applied the PBR policy to the local policy of my router, i.e. NOT an interface policy. So, in the end, IP SLA traffic sourced by loopback 1 gets a next hop of loopback 2, due to PBR, and then it is NATed correctly and sent down my VPN tunnel.

Can someone explain to me why I need to introduce the extra hop?

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
http://onlinestudylist.com/mailman/listinfo/ccie_rs
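As an added illustration (not the poster's configuration), here is a constructed IOS configuration that reproduces the four steps and the local-PBR workaround the post describes. Every address, interface name, ACL name, route-map name, SNMP host and the IPsec peer/PSK are placeholders chosen for this example; the only thing taken from the post is the structure: a single NVI-enabled interface, an IPsec crypto map, PAT behind the partner-assigned address, an IP SLA ICMP echo sourced from Loopback1 that raises an SNMP trap, and a local policy route-map that hands the probe traffic to Loopback2 so it passes through NAT before the tunnel.

```cisco
! Constructed example for the scenario in the post. All addresses, names,
! the peer and the pre-shared key are placeholders, not the poster's values.
!
! Step 1: NVI-style NAT (no inside/outside) on the one physical interface
!         and on both loopbacks, so the looped-back probe is translated too.
interface GigabitEthernet0/0
 description DMZ towards the Internet and the IPsec peer
 ip address 192.0.2.10 255.255.255.0
 ip nat enable
 crypto map VPN-MAP
!
interface Loopback1
 description Source address of the IP SLA probes
 ip address 10.255.255.1 255.255.255.255
 ip nat enable
!
interface Loopback2
 description Extra hop: local PBR sends probes here so they get NATed
 ip address 10.255.255.2 255.255.255.255
 ip nat enable
!
! Step 2: IPsec VPN to the third party (placeholder peer 198.51.100.1).
!         The crypto ACL matches the post-NAT source, i.e. the PAT address,
!         and is limited to the partner prefix rather than "any".
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended VPN-TRAFFIC
 permit ip host 203.0.113.5 10.200.0.0 0.0.255.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VPN-TS
 match address VPN-TRAFFIC
!
! Step 3: PAT everything bound for the partner LAN behind the single address
!         the third party allocated (203.0.113.5 stands in for that address).
!         NVI syntax: "ip nat source" with no inside/outside keyword.
ip access-list extended NAT-SOURCES
 permit ip any 10.200.0.0 0.0.255.255
ip nat pool PARTNER-PAT 203.0.113.5 203.0.113.5 prefix-length 32
ip nat source list NAT-SOURCES pool PARTNER-PAT overload
!
! Step 4: IP SLA ICMP echo to the partner server, sourced from Loopback1,
!         with a trap on timeout (snmp-server host is a placeholder manager).
ip sla 10
 icmp-echo 10.200.1.50 source-interface Loopback1
 frequency 30
ip sla schedule 10 life forever start-time now
ip sla reaction-configuration 10 react timeout threshold-type immediate action-type trapOnly
snmp-server host 10.10.10.20 version 2c PLACEHOLDER-COMMUNITY
snmp-server enable traps ipsla
!
! Workaround from the post: router-originated probes are not translated on
! their own, so a local (not interface) policy pushes only the probe flow to
! Loopback2; from there it is treated like transit traffic, NATed and encrypted.
ip access-list extended SLA-PROBES
 permit icmp host 10.255.255.1 host 10.200.1.50
route-map SLA-VIA-LO2 permit 10
 match ip address SLA-PROBES
 set ip next-hop 10.255.255.2
ip local policy route-map SLA-VIA-LO2
```

To confirm the probe is actually taking the intended path, `show route-map SLA-VIA-LO2` should show the policy-routed packet count climbing every 30 seconds, `show ip nat nvi translations` should list an ICMP entry from 10.255.255.1 to 203.0.113.5, and `show crypto ipsec sa` should show encaps incrementing on the VPN-TRAFFIC SA while the echo succeeds. Keeping the PBR ACL scoped to the single probe flow, and the NAT and crypto ACLs scoped to the partner prefix, avoids accidentally steering or exposing other router-originated traffic through the same path.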
