I used to work for an IT consulting company headquartered in Denver. One of our clients was in Chicago.
The project for that client was to be done 50% by the Denver office and 50% by our overseas development center. According to the client's security policy, only American IP addresses were allowed to access their online resources, so the developers in the overseas development center could not reach the client directly.
I deployed the solution illustrated in the diagram, and it worked well. The idea is simple: the overseas office's traffic to the client is carried over the existing site-to-site IPsec tunnel to Denver, hairpinned out of Denver's outside interface, and NATed to Denver's public address. The client therefore only ever sees a US source address, and the return traffic is un-NATed and sent back through the tunnel. Note that this satisfies the client's source-address allowlist only by making overseas traffic indistinguishable from Denver traffic; whether that is acceptable is something to settle with the client, not with the firewall.
Both the overseas office and the Denver office were using Cisco ASA 5510s. What I did was:
1) On the overseas office's firewall:
– add the traffic coming from the overseas office's LAN and going to the Chicago client to the VPN interesting-traffic (crypto map) access list and to the no-NAT (nat 0) access list.
2) On the Denver office's firewall:
– add the traffic coming from the Chicago client and going to the overseas office's LAN to the VPN interesting-traffic access list and to the no-NAT access list.
– add a NAT command for the overseas office's LAN range on the outside interface, e.g. nat (outside) 1 {overseas LAN IP range}, paired with the existing global (outside) 1 interface. Because this traffic enters and leaves on the same interface, the ASA must also have same-security-traffic permit intra-interface configured, or the hairpinned packets are dropped.
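The two configurations below are an added worked example that reproduces the steps above in pre-8.3 ASA syntax (the nat/global form the post uses); they are not the author's actual configs. All addresses, object-group and ACL names, the crypto map name and the transform-set are placeholders: the overseas LAN is assumed to be 10.20.0.0/16, the Denver LAN 10.10.0.0/16, the client's public range 203.0.113.0/24, and the Denver ASA's outside address 198.51.100.10.

```cisco
! ===== Overseas office ASA 5510 (8.2 syntax, placeholder addresses) =====
object-group network CLIENT-CHICAGO
 network-object 203.0.113.0 255.255.255.0
!
! VPN interesting traffic: the existing LAN-to-LAN entry plus the client's public range
access-list VPN-DENVER extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list VPN-DENVER extended permit ip 10.20.0.0 255.255.0.0 object-group CLIENT-CHICAGO
!
! NAT exemption: tunnelled flows must keep their real 10.20.x.x source address
access-list NONAT extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT extended permit ip 10.20.0.0 255.255.0.0 object-group CLIENT-CHICAGO
nat (inside) 0 access-list NONAT
! Ordinary Internet traffic from the overseas LAN is still PATed locally
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
crypto map OUTSIDE_MAP 10 match address VPN-DENVER
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! ===== Denver office ASA 5510 (8.2 syntax, placeholder addresses) =====
! Required check: decrypted overseas traffic arrives on outside and must leave on outside
same-security-traffic permit intra-interface
!
object-group network CLIENT-CHICAGO
 network-object 203.0.113.0 255.255.255.0
!
! VPN interesting traffic: existing LAN-to-LAN entry plus client -> overseas LAN (return direction)
access-list VPN-OVERSEAS extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list VPN-OVERSEAS extended permit ip object-group CLIENT-CHICAGO 10.20.0.0 255.255.0.0
!
! NAT exemption for the Denver LAN side of the tunnel (unchanged)
access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! Author's step 2: no-NAT entry for client -> overseas LAN on the outside interface
access-list NONAT-OUTSIDE extended permit ip object-group CLIENT-CHICAGO 10.20.0.0 255.255.0.0
nat (outside) 0 access-list NONAT-OUTSIDE
!
! Author's step 2: hairpin NAT. Overseas LAN sources leaving outside are PATed to
! the Denver outside interface address, so the client sees 198.51.100.10
nat (outside) 1 10.20.0.0 255.255.0.0
global (outside) 1 interface
!
crypto map OUTSIDE_MAP 10 match address VPN-OVERSEAS
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

The crypto map ACLs on the two sides must mirror each other (overseas LAN to client on one side, client to overseas LAN on the other) or phase 2 will not come up for the new proxy identity. To confirm the hairpin is working, generate traffic from an overseas host and check show crypto ipsec sa for encaps/decaps counters on the client's proxy identity, and show xlate on the Denver ASA for a 10.20.x.x entry translated to the outside interface address.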