Site to Site to an Extranet

Unanswered Question
Jan 31st, 2007

I have built a site to site VPN tunnel to an extranet that uses a separate NAT pool for VPN and Internet. This allows me to access systems at the remote end. How, if at all, can I let them access a particular host at my end? Can I have a unique host be accessible via a static NAT and use dynamic NAT when accessing the Internet? Can I have a global pool of one IP reserved for one user and have the outside reference the global IP to access the internal system (ACL permitting)?

Thanks for any assistance.

Dan

Jon Marshall Thu, 02/01/2007 - 02:34

Hi Dan

Can you be a bit more specific on what you want ie

1) The site to site VPN, is it to another business and do you use a different NAT setup than when your clients access the internet?

2) Do you want to allow access to a host on your network?

Not really clear what it is you are trying to achieve.

Jon

dladen Thu, 02/01/2007 - 10:36

I am trying to model a business partner's experience when interfacing with me. I am also trying to define the scalability of this solution.

I have set this up in a lab and had a couple of failing points.

Primarily, I want the business partner to access some application on my network. This is working using two NAT pools (VPN and Internet).

I would like to be able to access an application on the business partner network. I.e., I want my application to send an LPR printout to one of their printers. Everything I read says I need a static NAT rule for me to pass from low security to high security in the PIX. If I set up a static for the VPN traffic, it breaks the dynamic NAT for Internet traffic. Is there a way to allow me to use a static NAT for the VPN traffic and a dynamic NAT for Internet?

I need to use NAT for the VPN traffic as there is a private IP overlap.

I know this is wordy but I hope it helps clarify my question.

Thanks,

Dan

Jon Marshall Mon, 02/05/2007 - 03:01

Hi Dan

Apologies for the delay in getting back.

If I understand correctly:

1) A business partner needs to access an application on your network. You will need to present the IP address(es) of your server(s) hosting the application to the business partner. If it is coming through a VPN tunnel it doesn't have to be a public IP address. E.g. say your partner needs to access serverA at your site:

ServerA internal address = 192.168.10.1

ServerA NATted address to partner = 172.16.15.1

The PIX translation would be:

static (inside,outside) 172.16.15.1 192.168.10.1 netmask 255.255.255.255

2) To access an application on the business partner network your business partner needs to do what you did in step 1 and let you know the address.

3) You can use static and dynamic NAT without breaking each other. It all depends on how you define your crypto map access-lists.

Could you send me a config that you have been using in your lab together with an explanation of the IP addressing etc.?

Jon
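The following is an added example that is not Dan's lab config or Jon's; it puts Jon's serverA translation next to the dynamic Internet NAT and the crypto ACL, and goes one step beyond his answer by using a PIX 6.3 policy static (a static tied to an access-list) so that serverA is only translated to 172.16.15.1 when talking to the partner and keeps using the dynamic pool for the Internet. Assumed values: the partner presents its network as 172.16.20.0/24, the PIX outside interface has a public address, PARTNER_PEER_IP is a placeholder, and the ISAKMP policy and pre-shared key are omitted.

```text
! --- Partner (VPN) traffic: policy static NAT ---
! Translate 192.168.10.1 -> 172.16.15.1 only for flows to/from the partner LAN.
! A plain "static" without the access-list would translate ALL of serverA's
! traffic, including Internet-bound traffic, to a non-routable 172.16.15.1,
! which is the "breaks the dynamic NAT" symptom described above.
access-list SERVERA_TO_PARTNER permit ip host 192.168.10.1 172.16.20.0 255.255.255.0
static (inside,outside) 172.16.15.1 access-list SERVERA_TO_PARTNER

! --- Internet traffic: dynamic PAT for the whole inside subnet ---
! serverA falls through to this for anything the policy static does not match.
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface

! --- Crypto ACL: written against the TRANSLATED address ---
! NAT happens before the crypto map is consulted, so the ACL must name
! 172.16.15.1, not 192.168.10.1. The partner's crypto ACL must be the mirror
! image (source 172.16.20.0/24, destination host 172.16.15.1).
access-list VPN_TO_PARTNER permit ip host 172.16.15.1 172.16.20.0 255.255.255.0

crypto ipsec transform-set PARTNER_TS esp-aes-256 esp-sha-hmac
crypto map PARTNER_MAP 10 ipsec-isakmp
crypto map PARTNER_MAP 10 match address VPN_TO_PARTNER
crypto map PARTNER_MAP 10 set peer PARTNER_PEER_IP
crypto map PARTNER_MAP 10 set transform-set PARTNER_TS
crypto map PARTNER_MAP interface outside
```

With this in place the partner reaches serverA at 172.16.15.1 (Dan's item 1), serverA reaches the partner's translated printer address inside 172.16.20.0/24 through the tunnel (item 2), and the same host still uses the outside interface address for the Internet; `show xlate` should show both the 172.16.15.1 static entry and PAT entries for 192.168.10.1.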
