site-to-site, static nat

Unanswered Question
Feb 21st, 2007

We use a site-to-site VPN from A (DMZ, to B ( and it works fine. Now a SAP server (B) has to send the print jobs to a print server ( behind network A. So I have configured:

static (inside,dmz) netmask

conduit permit tcp host eq 515 (SAP-Server)

If I do a telnet for with tcp/515 I get a timeout and can't see any packets in debug mode. If I do a ping I can see the packets. No ports are closed for the tunnel.

Now I cancel the static and conduit command and configure for test a printer directly with and it works properly.

What's going wrong with the static?

ggilbert Wed, 02/21/2007 - 11:27


For the 172.20.20.x to access a network 10.20.20.x which is behind the network 10.10.10.x all you need is to make sure there is an encryption ACL for the traffic to be encrypted and pass through the tunnel.

In your encryption ACL for the tunnel from A to B, you would add an ACL entry:

access-list permit ip

Make sure the B side is configured as a mirror image of the ACL above.

Hope this helps, if not post your config and I will take a look at it.



Rate it, if this helps!
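
The mirror-image requirement for the two encryption ACLs mentioned in the reply above can be checked offline. This is an added example, not part of the original thread; the ACL names `vpn_to_b` and `vpn_to_a`, the /24 masks and both config excerpts are constructed assumptions.

```python
import ipaddress

# Constructed excerpts; ACL names and /24 masks are assumptions, not from the thread.
SITE_A = """\
access-list vpn_to_b permit ip 10.10.10.0 255.255.255.0 172.20.20.0 255.255.255.0
access-list vpn_to_b permit ip 10.20.20.0 255.255.255.0 172.20.20.0 255.255.255.0
"""
SITE_B = """\
access-list vpn_to_a permit ip 172.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_crypto_acl(config, acl_name):
    """Return the set of (source, destination) networks permitted by acl_name."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] != ["access-list", acl_name, "permit", "ip"]:
            continue  # other ACLs, deny lines and non-IP entries are ignored
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(acl_a, acl_b):
    """Entries on one peer that have no swapped (dst, src) entry on the other."""
    return {
        "only_on_a": {(s, d) for s, d in acl_a if (d, s) not in acl_b},
        "only_on_b": {(s, d) for s, d in acl_b if (d, s) not in acl_a},
    }

if __name__ == "__main__":
    report = mirror_mismatches(parse_crypto_acl(SITE_A, "vpn_to_b"),
                               parse_crypto_acl(SITE_B, "vpn_to_a"))
    for side, entries in report.items():
        for src, dst in sorted(entries):
            print(f"{side}: {src} -> {dst} has no mirror entry on the peer")
```
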

isk-admin Thu, 02/22/2007 - 04:29

Dear Gilbert,

first, thanks a lot for your help.

Indeed, I haven't an encryption ACL for the traffic to network 10.20.20.x

In network 172.20.20.x I can't route 10.20.20.x through the tunnel because there is another network with 10.20.20.x behind 172.20.20.x

I don't understand why I have to configure an encryption ACL for network 10.20.20.x because I want to hide this network (or one IP address) behind an address from network 10.10.10.x. Therefore I configured the static and conduit command. Is this false?



ggilbert Fri, 02/23/2007 - 07:21

Helmut -

What is the device between the 10.20.20.x network and 10.10.10.x network?

From your 10.10.10.x network can you access the address that is getting translated from 10.20.20.x?

Rate this answer if it helps.



isk-admin Mon, 02/26/2007 - 00:31

Dear Gilbert,

the device at location A is a PIX configured with VLAN:

outside = internet

dmz = 10.10.10.x

inside = 10.20.20.x

Yes, if I do a telnet from 10.10.10.x to NAT-address ( I get a response. When I do this from network B I don't get a response.



ggilbert Mon, 02/26/2007 - 07:48

Helmut -

So the device on your Network A is a PIX with VLAN interfaces?

Can you send me the output of the following from the PIX, please.

a. sh ip (Make sure the outside address is marked as x.x.x.x when you paste in the post).

b. sh cry map

c. sh run | in nat

Helmut, if you have only one device on the network A which is a PIX and you have segmented the interfaces via VLAN, then my guess is you haven't done the part of adding the 10.20.20.x network for your encryption ACL.

If you do a static NAT on the PIX for your DMZ to inside, it is just going to translate for the networks on the inside to access the DMZ not from the network B.

Let me see the outputs and give you the suggestion to do it the right way.



isk-admin Tue, 02/27/2007 - 01:50

Hi Gilbert,

here is the output for the three commands and a part of my config. Because the shown IP addresses are not the real ones, I translate them for the sample.

Again: what I don't understand is why I have to configure an encryption ACL for 10.20.20.x?

From network B, 172.20.20.x I want to print over NAT-address in network A (dmz) to network A (inside).

So for the encryption ACL only 10.10.10.x is of interest.

Or is it false?




