NAT question with VPN

Unanswered Question
Jun 26th, 2007

Hello

This is my configuration:

VPN tunnel between FW1 and FW2

Local addresses : 10.7.1.0/24 on FW1 and 192.168.67.0/24 on FW2

Behind the inside interface of FW2, there is a remote site (network C).

PCs from network 10.7.1.0 are able to reach PCs on network 192.168.67.0 (no problem).

When a PC from network 10.7.1.0 wants to reach a PC on network C, I need that on the inside interface of FW2 the source address of 10.7.1.0 is translated to a local address of this network (let's say 192.168.67.241), because the network 10.7.1.0 is not routable to the remote site C.

First question: is it ever possible to do this?

Second question: if possible, what do I need to configure?

Thanks for help

Jean

jbrunstein Tue, 06/26/2007 - 04:49

Hi James

Yes the inside interface of FW2 is in subnet 192.168.67.0/24

My firewalls are PIX boxes. Do you have a URL with the configuration of ip nat outside source for the PIX? The one you gave me is for IOS routers.

Thanks

Jean

jbrunstein Tue, 06/26/2007 - 23:38

Hi James

I'm now able to do outside NAT for my configuration. The problem was not really with the commands to configure, but there was another problem (ARP on the next router) that was blocking the traffic.

Here are the 3 commands I needed:

access-list outside_pnat_inbound extended permit ip 192.168.148.0 255.255.254.0 host 192.168.12.210

global (inside) 8 192.168.67.241

nat (outside) 8 access-list outside_pnat_inbound outside

With those 3 commands, all the source addresses for frames from network 192.168.148.0/23 on the inside of FW1 are translated to 192.168.67.241 when sent out from the inside of FW2, and this matches the local network 192.168.67.0/24.

Those frames can then reach the remote site C, and the router over there has a route back to 192.168.67.0.

Thanks for supporting me!
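As an added illustration (not part of the original thread and not a Cisco tool), the following Python model parses the three PIX commands from the reply above and shows how the pieces fit together: the `nat (outside) 8 access-list ... outside` rule selects packets arriving on the outside interface that match the ACL, and the matching `global (inside) 8` entry supplies the address they are rewritten to when leaving the inside interface. Interface names, the sample packets and the mini-parser are assumptions constructed for this example; only the three configuration lines come from the post.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample input: the three PIX commands quoted in the reply.
PIX_CONFIG = """
access-list outside_pnat_inbound extended permit ip 192.168.148.0 255.255.254.0 host 192.168.12.210
global (inside) 8 192.168.67.241
nat (outside) 8 access-list outside_pnat_inbound outside
"""


@dataclass
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class PixNat:
    acls: dict = field(default_factory=dict)       # acl name -> [Ace]
    nat_rules: list = field(default_factory=list)  # (ingress_if, nat_id, acl_name)
    globals: dict = field(default_factory=dict)    # (egress_if, nat_id) -> mapped address


def _parse_operand(tokens, i):
    """Parse 'host A.B.C.D', 'any' or 'A.B.C.D M.M.M.M' at tokens[i]; return (network, next index).
    PIX extended ACLs use subnet masks (255.255.254.0), not IOS wildcard masks."""
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Minimal parser (assumption: only the three command forms used in the reply)."""
    cfg = PixNat()
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "extended":
            # access-list NAME extended ACTION ip SRC DST
            name, action = t[1], t[3]
            src, i = _parse_operand(t, 5)
            dst, _ = _parse_operand(t, i)
            cfg.acls.setdefault(name, []).append(Ace(action, src, dst))
        elif t[0] == "global":
            # global (EGRESS_IF) NAT_ID ADDRESS
            cfg.globals[(t[1].strip("()"), int(t[2]))] = ipaddress.IPv4Address(t[3])
        elif t[0] == "nat" and "access-list" in t:
            # nat (INGRESS_IF) NAT_ID access-list NAME [outside]
            cfg.nat_rules.append((t[1].strip("()"), int(t[2]), t[t.index("access-list") + 1]))
    return cfg


def translate_source(cfg, ingress_if, egress_if, src, dst):
    """Return the source address a packet carries after policy NAT, or the original
    source if no nat rule on the ingress interface matches it (first match wins)."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule_if, nat_id, acl_name in cfg.nat_rules:
        if rule_if != ingress_if:
            continue
        for ace in cfg.acls.get(acl_name, []):
            if ace.action == "permit" and src_ip in ace.src and dst_ip in ace.dst:
                mapped = cfg.globals.get((egress_if, nat_id))
                # A nat id with no matching global on the egress interface translates nothing.
                return str(mapped) if mapped is not None else str(src_ip)
    return str(src_ip)


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    for s, d in [("192.168.148.5", "192.168.12.210"),   # inside the /23, matching host: translated
                 ("192.168.150.1", "192.168.12.210"),   # outside the /23: untouched
                 ("192.168.148.5", "192.168.12.211")]:  # wrong destination host: untouched
        print(s, "->", d, "leaves inside as", translate_source(cfg, "outside", "inside", s, d))
```

Two things the model makes visible that the bare commands do not: the translation is keyed on both the source subnet and the single destination host in the ACL, so a packet to any other host on the far side keeps its original (non-routable) source; and the ACL source in the reply is 192.168.148.0/23 rather than the 10.7.1.0/24 named in the question, so whichever subnet is actually behind FW1 must be the one in the ACL for the rule to match.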
