site-to-site, static nat

isk-admin
Level 1

We use a site-to-site VPN from A (DMZ, 10.10.10.0/24) to B (172.20.20.0/24) and it works fine. Now a SAP server (B) has to send its print jobs to the print server (10.20.20.1) behind network A. So I have configured:

static (inside,dmz) 10.10.10.1 10.20.20.1 netmask 255.255.255.255

conduit permit tcp host 10.10.10.1 eq 515 172.20.20.1 (SAP-Server)

If I do a telnet to 10.10.10.1 on tcp/515 I get a timeout and can't see any packets in debug mode. If I do a ping I can see the packets. No ports are closed for the tunnel.

Now I remove the static and conduit commands and, for a test, configure a printer directly with 10.10.10.1, and it works properly.

What's going wrong with the static?

6 Replies

ggilbert
Cisco Employee

Hello,

For 172.20.20.x to access the network 10.20.20.x, which is behind the network 10.10.10.x, all you need is to make sure there is an encryption ACL for the traffic, so that it gets encrypted and passes through the tunnel.

In your encryption ACL for the tunnel from A to B, you would add an ACL entry:

access-list permit ip 10.20.20.0 255.255.255.0 172.20.20.0 255.255.255.0

Make sure the B side is configured as a mirror image of the ACL above.

Hope this helps; if not, post your config and I will take a look at it.

Thanks

Gilbert

Rate it, if this helps!

Dear Gilbert,

first, thanks a lot for your help.

Indeed, I haven't got an encryption ACL for the traffic to network 10.20.20.x.

In network 172.20.20.x I can't route 10.20.20.x through the tunnel, because there is another network 10.20.20.x behind 172.20.20.x.

I don't understand why I have to configure an encryption ACL for network 10.20.20.x, because I want to hide this network (or one IP address) behind an address from network 10.10.10.x. Therefore I configured the static and conduit commands. Is this wrong?

Regards

Helmut

Helmut -

What is the device between the 10.20.20.x network and 10.10.10.x network?

From your 10.10.10.x network, can you access the 10.10.10.1 address that is being translated from 10.20.20.x?

Rate this answer if it helps.

Thanks

Gilbert

Dear Gilbert,

the device at location A is a PIX configured with VLANs:

outside = internet

dmz = 10.10.10.x

inside = 10.20.20.x

Yes, if I do a telnet from 10.10.10.x to the NAT address 10.10.10.1 (10.20.20.1) I get a response. When I do this from network B I don't get a response.

Regards

Helmut

Helmut -

So the device on your Network A is a PIX with VLAN interfaces?

Can you send me the output of the following from the PIX, please.

a. sh ip (make sure the outside address is marked as x.x.x.x when you paste it in the post).

b. sh cry map

c. sh run | in nat

Helmut, if you have only one device on network A, which is a PIX, and you have segmented the interfaces via VLANs, then my guess is you haven't done the part of adding the 10.20.20.x network to your encryption ACL.

If you do a static NAT on the PIX for your DMZ to inside, it is just going to translate for the networks on the inside to access the DMZ, not from network B.

Let me see the outputs and I will suggest how to do it the right way.

Thanks

Gilbert
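The two statements Gilbert makes above, that a `static (inside,dmz)` entry only translates traffic flowing between those two interfaces and that the encryption ACL (mirrored on the peer) decides what enters the tunnel, can be checked against the thread's addresses with a small model. The following Python is an added example written for this page; it is not configuration from the original posts or code from Cisco. It simplifies PIX behaviour to those two rules, uses CIDR masks in place of the PIX netmask notation, and the routing table and ACL contents are constructed from what the thread states.

```python
"""Toy model of the two PIX behaviours described in this thread.

Added example, not configuration or code from the original post or from Cisco.
Modelled rules (as stated in the thread, simplified):
  1. A `static (real_if,mapped_if) mapped real` entry translates only traffic
     that flows between those two interfaces.
  2. Traffic enters the tunnel only if it matches an entry in the encryption
     (crypto) ACL, and the peer's ACL must be the mirror image.
Addresses are the ones quoted in the thread; CIDR stands in for PIX netmasks.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed routing table for site A's PIX: connected network -> interface.
ROUTES: Dict[str, str] = {
    "10.10.10.0/24": "dmz",
    "10.20.20.0/24": "inside",
}


def egress_interface(dst: str) -> Optional[str]:
    """Interface a packet to `dst` is routed out of (None if no route)."""
    for net, iface in ROUTES.items():
        if ip_address(dst) in ip_network(net):
            return iface
    return None


@dataclass(frozen=True)
class Static:
    real_if: str    # interface where the real host lives, e.g. "inside"
    mapped_if: str  # interface on which the mapped address is exposed, e.g. "dmz"
    mapped_ip: str
    real_ip: str


def untranslate(statics: List[Static], ingress_if: str, dst: str) -> str:
    """Rule 1: a static is consulted only for packets arriving on its mapped
    interface; anything else keeps its destination unchanged."""
    for s in statics:
        if ingress_if == s.mapped_if and dst == s.mapped_ip:
            return s.real_ip
    return dst


@dataclass(frozen=True)
class AclEntry:
    src: str
    dst: str


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """Rule 2: traffic is encrypted only if some entry covers src -> dst."""
    return any(ip_address(src) in ip_network(e.src)
               and ip_address(dst) in ip_network(e.dst) for e in acl)


def is_mirror(acl_a: List[AclEntry], acl_b: List[AclEntry]) -> bool:
    """Peer ACLs are mirror images when every (src, dst) of A is (dst, src) in B."""
    return {(e.dst, e.src) for e in acl_a} == {(e.src, e.dst) for e in acl_b}


# Helmut's static: inside host 10.20.20.1 exposed on the DMZ as 10.10.10.1.
STATICS = [Static("inside", "dmz", "10.10.10.1", "10.20.20.1")]

# Encryption ACLs as the thread describes them, plus Gilbert's suggested entry.
SITE_A_ACL = [AclEntry("10.10.10.0/24", "172.20.20.0/24")]
SITE_B_ACL = [AclEntry("172.20.20.0/24", "10.10.10.0/24")]
GILBERT_ENTRY = AclEntry("10.20.20.0/24", "172.20.20.0/24")


def deliver(ingress_if: str, dst: str) -> dict:
    """Where a packet entering on `ingress_if` for `dst` actually ends up."""
    real_dst = untranslate(STATICS, ingress_if, dst)
    return {"real_dst": real_dst, "egress": egress_interface(real_dst)}


def thread_scenario() -> dict:
    return {
        # A DMZ host telnets to the mapped address: static applies, lands inside.
        "from_dmz": deliver("dmz", "10.10.10.1"),
        # Decrypted packet from B arrives on outside: static (inside,dmz) is not
        # consulted, so it is routed to the DMZ where no 10.10.10.1 host exists.
        "from_tunnel": deliver("outside", "10.10.10.1"),
        # Is the real inside host covered by the encryption ACL before/after?
        "real_host_in_acl": acl_permits(SITE_A_ACL, "10.20.20.1", "172.20.20.1"),
        "real_host_in_acl_after": acl_permits(
            SITE_A_ACL + [GILBERT_ENTRY], "10.20.20.1", "172.20.20.1"),
        "mirrors_ok": is_mirror(SITE_A_ACL, SITE_B_ACL),
    }


if __name__ == "__main__":
    for key, value in thread_scenario().items():
        print(f"{key}: {value}")
```

Running it reproduces the symptom in the first post: the same destination works from the DMZ but not from the tunnel, because the interface pair of the static never includes outside. It also shows why Gilbert asks for the 10.20.20.x entry, since with only 10.10.10.x in the ACL the real inside host is not covered, and why the B side has to be updated as well to keep the ACLs mirrored.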

Hi Gilbert,

here is the output of the three commands and a part of my config. Because the IP addresses shown are not the real ones, I have translated them for the sample.

Again: what I don't understand is why I have to configure an encryption ACL for 10.20.20.x.

From network B, 172.20.20.x, I want to print via the NAT address 10.10.10.1 in network A (dmz) to 10.20.20.1 in network A (inside).

So only 10.10.10.x is relevant for the encryption ACL.

Or is that wrong?

Thanks

Helmut