I have been trying to work out this problem for more than two weeks now, but all my efforts are going in vain.
We've a VPN tunnel established with our partner and working perfectly; now we've been asked for the following:
1. This partner will connect to our network through this VPN tunnel.
2. Once inside our network they will connect to our other partner using our network, who is directly connected to us,
although the second partner's router, which is inside our premises, is only allowing a few IPs from our internal network.
3. Since, due to security, we connect to the first partner using pre-defined private range IP addresses (I mean we do NAT on
our PIX from internal IP addresses to these pre-defined IP addresses), e.g. our network is 192.168.1.0 255.255.255.0
and the pre-defined VPN NATed IP addresses we use are 10.10.60.0-25 netmask 255.255.255.0.
4. This time "they" will try to establish a connection on IP address 10.10.60.20 through our firewall to the second partner.
1st partner server ----- pix ---- internal router ----- 2nd partner router ----- 2nd partner server (different subnet) 172.16.10.2
5. At this point in our PIX we have to change IP addresses as follows to make sure that the first partner connects to the second
partner transparently, meaning to the second partner it will look like the traffic is coming from us instead of anyone else.
172.18.20.21 (1st partner source IP) -------------> 192.168.1.200 (our internal LAN IP, known to the 2nd partner router to allow traffic)
10.10.60.20 (1st partner destination IP) ----------> 172.16.10.2 (2nd partner server IP, the actual destination for the 1st partner)
For all the above mentioned cases I've tried to do the following on the PIX, but apparently, like I said, all went in vain.
1. global (outside) 50 10.10.60.20
nat (inside) 50 172.16.10.2
2. static (inside,outside) 10.10.60.20 192.168.1.200 netmask 255.255.255.255
access-list VPN-PartnerOne permit ip host 10.10.60.20 host 172.18.20.21
Now I am trying this:
nat (outside) 1 10.10.60.20 255.255.255.0 outside
global (inside) 1 192.168.1.200
route inside 172.16.10.0 255.255.255.255 192.168.1.100 (our internal router)
This statement will tell our PIX that 172.16.10.0 is a trusted network, and it will now know where to route the packets.
You need to take care of two routing issues:
1. Your PIX needs to be able to route to 172.16.10.2. It looks like you have this correct in your post.
2. Your internal router needs to know that 192.168.1.200 (which is the NATed partner 1 IP address) is to be routed back to the PIX.
That should do it.
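For reference, here is the complete PIX configuration that implements the two translations the question describes (destination 10.10.60.20 -> 172.16.10.2, source 172.18.20.21 -> 192.168.1.200) together with the two routing points raised in the reply. This is an added example, not configuration posted by either participant, and it assumes PIX software 6.2 or later (outside NAT, the `nat (outside) ... outside` form, does not exist in earlier releases), an inside interface on 192.168.1.0/24, and that 172.16.10.0/24 is the second partner's subnet behind the internal router 192.168.1.100. All addresses are the ones from the thread; the metric `1` on the route and the `netmask` keywords are standard PIX syntax, not values from the thread.

```cisco
! --- Destination translation (partner 1 -> partner 2 server) ---
! The static maps the real inside address 172.16.10.2 to the outside address
! 10.10.60.20, so a VPN packet arriving for 10.10.60.20 is forwarded to 172.16.10.2.
! The real host does not have to sit directly on the inside interface; it only
! has to be reachable through an inside route (see the route statement below).
static (inside,outside) 10.10.60.20 172.16.10.2 netmask 255.255.255.255

! --- Source translation (outside NAT, PIX 6.2+) ---
! The partner 1 host 172.18.20.21 is translated to 192.168.1.200 as it enters the
! inside, so the second partner's router only ever sees an address it already permits.
! Note: the address in this nat statement is the VPN peer's SOURCE, not the 10.10.60.20
! destination; translating the destination here would not produce the required result.
nat (outside) 1 172.18.20.21 255.255.255.255 outside
global (inside) 1 192.168.1.200

! --- Crypto ACL (interesting traffic) ---
! Must match the addresses as they appear on the outside, i.e. the translated
! 10.10.60.20, paired with the partner 1 source.
access-list VPN-PartnerOne permit ip host 10.10.60.20 host 172.18.20.21

! --- Routing point 1: the PIX must reach the partner 2 subnet via the internal router ---
! Assumption: 172.16.10.0/24 is the partner 2 subnet, so the mask is 255.255.255.0
! (a /32 mask for a .0 address would only match a single, non-existent host).
route inside 172.16.10.0 255.255.255.0 192.168.1.100 1
```

Routing point 2 from the reply is not something the PIX can configure: return traffic from 172.16.10.2 is addressed to 192.168.1.200, and the internal router must deliver it to the PIX. Because 192.168.1.200 lies in the inside subnet, the PIX answers ARP for addresses in its `global (inside)` pool by default (the behaviour `sysopt noproxyarp inside` would switch off), so the internal router's directly connected route for 192.168.1.0/24 is normally sufficient; if the partner 2 router sends its replies elsewhere, a host route for 192.168.1.200 pointing at the PIX inside address is the fix. A quick way to confirm the translations are being built is `show xlate` on the PIX while the partner 1 host attempts a connection.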