Basic NAT configuration help

Unanswered Question
Apr 24th, 2007

Hi, I have the following setup:

(Checkpoint) --- (Cisco 827) --- (Internet)

(192.168.2.1)--- (2.2)-(10.1.1.1)-(10.1.1.2)

There is only one public internet address on the 827.

My questions are:

1. Is there any way to make the 827 completely transparent so all traffic goes to the Firewall?

2. If 1. is possible, would VPN clients be able to talk to the Checkpoint firewall?

Here is what I've got so far in my lab, but I think I'm missing something more on the NAT side.

LABWAN#sh run
Building configuration...

Current configuration : 1228 bytes
!
version 12.3
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LABWAN
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 10
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
!
!
no ftp-server write-enable
!
!
no crypto isakmp ccm
!
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip default-gateway 10.1.1.2
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
!
ip http server
no ip http secure-server
ip nat inside source static 192.168.2.1 interface FastEthernet0/1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end

Thanks

Gus

haroon.shaikh Wed, 04/25/2007 - 17:46

Greetings Gus,

Yes, that should pass all the traffic (including vpn traffic) coming from the Internet to the Checkpoint firewall.

ip nat inside source static 192.168.2.1 interface FastEthernet0/1

You can also put the above statement as:

ip nat inside source static 192.168.2.1 x.x.x.x

(where x.x.x.x is your internet ip address)

The only catch would be that you won't be able to access your router using telnet or ssh from the Internet side.

And if you want to do that, you can do it as:

For NAT:

ip nat inside source static tcp 192.168.2.2 23 x.x.x.x 23

For ssh use the port 22 in the above statement.

Hope that helps,

Good Luck

* Please rate if helpful

haroon.shaikh Wed, 04/25/2007 - 18:26

Sorry Gus,

I think the above is partially correct.

ip nat inside source static 192.168.2.1 interface FastEthernet0/1

Reads: On the interface labelled "inside", when a packet arrives from 192.168.2.1, translate it to x.x.x.x, where x.x.x.x is your internet ip.

If you want your vpn clients to connect to your firewall you will have to forward either specific ports or forward all the traffic:

ip nat outside source static x.x.x.x 10.32.15.88 extendable

* Please rate if it helps
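As an added example (not from the thread or either poster), here is a small Python audit of the NAT-relevant lines of the config above together with the port-level statics the first reply proposes. It assumes 10.1.1.1 stands in for the x.x.x.x public address and that interface blocks precede the global `ip nat` lines, as they do in a running-config.

```python
import re

# Constructed sample (added here, not the poster's full config): the NAT-relevant lines of the
# thread plus the port-level statics the reply proposes, with 10.1.1.1 standing in for x.x.x.x.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
ip nat inside source static 192.168.2.1 interface FastEthernet0/1
ip nat inside source static tcp 192.168.2.2 23 10.1.1.1 23
ip nat inside source static tcp 192.168.2.2 22 interface FastEthernet0/1 22
"""
# One-to-one form (no proto/ports) and port-level form of the static NAT command.
STATIC_RE = re.compile(
    r"^ip nat inside source static(?: (?P<proto>tcp|udp))? (?P<in_ip>\S+)(?: (?P<in_port>\d+))?"
    r" (?:interface (?P<iface>\S+)|(?P<out_ip>\S+))(?: (?P<out_port>\d+))?(?: extendable)?$"
)

def inbound_map(config: str) -> dict[str, list[str]]:
    """Inside host(s) receiving traffic sent to the public address, keyed 'proto/port' ('*' = catch-all)."""
    claims: dict[str, list[str]] = {}
    for m in filter(None, map(STATIC_RE.match, config.splitlines())):
        key = f"{m['proto']}/{m['out_port']}" if m["proto"] else "*"
        claims.setdefault(key, []).append(m["in_ip"])
    return claims

def audit(config: str) -> list[str]:
    """Defender-side checks; assumes interface blocks come before global ip nat lines (running-config order)."""
    outside, findings, cur = set(), [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
        elif line.strip() == "ip nat outside" and cur:
            outside.add(cur)
        elif (m := STATIC_RE.match(line)):
            if m["iface"] and m["iface"] not in outside:
                findings.append(f"{m['iface']} is used by a static NAT but is not 'ip nat outside'")
    claims = inbound_map(config)
    if "*" in claims:
        findings.append(f"all unmatched inbound traffic lands on {claims['*'][0]}; reaching the router itself on the public address needs its own port-level static")
    if "tcp/23" in claims:
        findings.append(f"tcp/23 (telnet, cleartext) is reachable from the outside and forwarded to {claims['tcp/23'][0]}; prefer ssh on tcp/22")
    findings += [f"{k} is claimed by {len(v)} static entries: {v}" for k, v in claims.items() if len(v) > 1]
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the catch-all translation to the firewall and the cleartext telnet forward; a static that names an interface without `ip nat outside` is flagged as well.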
