NSa 3650: 3 LAN servers, same ports, 1 WAN IP interface
I have a situation where CBS Network needs to access 3 of their racks we house here. They say they can only connect to 2 at a time out of the 3; the 2 they can connect to randomize, it's never the same two. I suspect it's due to a port issue. Each rack has an assigned VLAN IP: 10.1.130.13, .23, and .24. Same mask, same gateway. I've copied their instructions below. The only thing I've done is create NAT rules for each rack for outgoing traffic only. I created a service group for the ports below: ESP, GRE, IKE Traversal and IKE Key Exchange. A packet capture shows only ports 500 and 4500 used for each of the 3 racks.
My question is, how do I grant access to 3 individual racks with one WAN interface when the 3 connections utilize the same ports shown below?
The VPN connection requires “GRE over IPSEC” traffic between the assigned LAN1 IP address and two CBS Network IP addresses. This means your Local Network must allow bi-directional traffic on ESP (IP Protocol 50), NAT-T-IKE (UDP Port 500, UDP Port 4500), to both 220.127.116.11 and 18.104.22.168. Note: Make sure your LAN gateway is properly programmed into the ARC.
For a site with multiple racks at a ‘hub’, are there special IP considerations?
Yes. There are some special considerations for the IP Network Address Translator (NAT) at a hub location with multiple racks.
In the CBS Rack, the GRE/IPSec tunnels cannot share addresses. The NAT/Reverse-NAT arrangement between the Rack address and the Internet address must be one-to-one.
If your site has already dedicated a routable IP address to each current CBS rack, then the new racks, using GRE/IPSec tunneling, can use the same existing dedicated routable IP addresses.
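The reason the CBS note insists on a one-to-one NAT is that ESP (IP protocol 50) carries no port numbers: a translator can overload one public address for IKE/NAT-T because UDP source ports distinguish the inside hosts, but for ESP it has only the public address and the peer address to key on. The following is an added illustration of that difference, not code from the post, SonicWall or CBS. It is a deliberately simplified NAT model (a real firewall may additionally track SPIs, which this model does not), using the rack and peer addresses quoted in the post and constructed public addresses from the 203.0.113.0/24 documentation range.

```python
"""Toy NAT model: UDP (IKE / NAT-T) mappings are keyed on ports, ESP mappings
only on addresses, because ESP has no port field.

Added illustration, not the post's, SonicWall's or CBS's code.  Public
addresses 203.0.113.x are constructed; racks and peers are from the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RACKS = ["10.1.130.13", "10.1.130.23", "10.1.130.24"]  # from the post
PEERS = ["220.127.116.11", "18.104.22.168"]            # from the post


@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp" (IKE / NAT-T) or "esp"
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # None for ESP: protocol 50 has no ports
    dst_port: Optional[int] = None


class SimpleNat:
    """Gives each inside host its own public IP while addresses last, then
    makes the rest share the first one; tracks translations both ways."""

    def __init__(self, public_ips: List[str]) -> None:
        self.public_ips = list(public_ips)
        self.inside_to_public: Dict[str, str] = {}
        self.next_pat_port = 1024
        # UDP: (public_ip, public_port, peer_ip, peer_port) -> (inside_ip, inside_port)
        self.udp_table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # ESP: (public_ip, peer_ip) -> inside_ip  (nothing else to key on)
        self.esp_table: Dict[Tuple[str, str], str] = {}

    def _public_for(self, inside_ip: str) -> str:
        if inside_ip not in self.inside_to_public:
            idx = len(self.inside_to_public)
            self.inside_to_public[inside_ip] = (
                self.public_ips[idx] if idx < len(self.public_ips) else self.public_ips[0]
            )
        return self.inside_to_public[inside_ip]

    def outbound(self, pkt: Packet) -> Packet:
        pub = self._public_for(pkt.src_ip)
        if pkt.proto == "udp":
            # Port overloading: a fresh public source port disambiguates replies.
            port = self.next_pat_port
            self.next_pat_port += 1
            self.udp_table[(pub, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            return Packet("udp", pub, pkt.dst_ip, port, pkt.dst_port)
        if pkt.proto == "esp":
            key = (pub, pkt.dst_ip)
            owner = self.esp_table.get(key)
            if owner is not None and owner != pkt.src_ip:
                # Inbound ESP from this peer to this public IP could belong to
                # either inside host; the translator cannot tell them apart.
                raise LookupError(f"{key} already mapped to {owner}")
            self.esp_table[key] = pkt.src_ip
            return Packet("esp", pub, pkt.dst_ip)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == "udp":
            hit = self.udp_table.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return None if hit is None else Packet("udp", pkt.src_ip, hit[0], pkt.src_port, hit[1])
        if pkt.proto == "esp":
            inside = self.esp_table.get((pkt.dst_ip, pkt.src_ip))
            return None if inside is None else Packet("esp", pkt.src_ip, inside)
        return None


def simulate(public_ips: List[str]) -> Dict[str, Dict[str, bool]]:
    """For each rack, report whether IKE (UDP) and ESP to every peer can be
    translated in both directions through a NAT with the given public IPs."""
    nat = SimpleNat(public_ips)
    result: Dict[str, Dict[str, bool]] = {}
    for rack in RACKS:
        ike_ok = esp_ok = True
        for peer in PEERS:
            out = nat.outbound(Packet("udp", rack, peer, 500, 500))
            back = nat.inbound(Packet("udp", peer, out.src_ip, 500, out.src_port))
            ike_ok = ike_ok and back is not None and back.dst_ip == rack
            try:
                out = nat.outbound(Packet("esp", rack, peer))
                back = nat.inbound(Packet("esp", peer, out.src_ip))
                esp_ok = esp_ok and back is not None and back.dst_ip == rack
            except LookupError:
                esp_ok = False
        result[rack] = {"ike": ike_ok, "esp": esp_ok}
    return result


if __name__ == "__main__":
    print("one WAN IP:   ", simulate(["203.0.113.10"]))
    print("three WAN IPs:", simulate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]))
```

With a single public address the UDP 500/4500 exchanges translate for all three racks, which matches the capture in the post showing only those ports, while only the first rack to claim each peer gets a usable ESP mapping; with one public address per rack every mapping is unambiguous, which is the one-to-one arrangement the CBS instructions describe.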