06-26-2007 02:04 AM
Hello
This is my configuration:
VPN tunnel between FW1 and FW2
Local addresses : 10.7.1.0/24 on FW1 and 192.168.67.0/24 on FW2
Behind the inside interface of FW2, there is a remote site (network C).
PCs from network 10.7.1.0 are able to reach PCs on network 192.168.67.0 (no problem).
When a PC from network 10.7.1.0 wants to reach a PC on network C, I need the source address of 10.7.1.0 to be translated on the inside interface of FW2 to a local address of that network (let's say 192.168.67.241), because the network 10.7.1.0 is not routable to the remote site C.
First question: is it possible to do this at all?
Second question: if it is possible, what do I need to configure?
Thanks for help
Jean
06-26-2007 04:06 AM
Hi Jean,
A question: is the inside interface of FW2 in the same subnet as 192.168.67.0/24? If so, I bet outside NAT could help you translate the outside local address to a routable address.
ip nat outside source
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml
06-26-2007 04:49 AM
Hi James
Yes the inside interface of FW2 is in subnet 192.168.67.0/24
My firewalls are PIX boxes. Do you have a URL with the configuration of ip nat outside source for the PIX? The one you gave me is for IOS routers.
Thanks
Jean
06-26-2007 06:02 PM
Hi Jean,
Sure! Configuring outside NAT might be easier in security appliances. For outside NAT, you need to identify the nat command for outside NAT (the outside keyword).
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008083aa67.html
06-26-2007 11:38 PM
Hi James
I'm now able to do outside NAT for my configuration. The problem was not really with the commands to configure; there was another problem (ARP on the next router) that was blocking the traffic.
Here are the 3 commands I needed:
access-list outside_pnat_inbound extended permit ip 192.168.148.0 255.255.254.0 host 192.168.12.210
global (inside) 8 192.168.67.241
nat (outside) 8 access-list outside_pnat_inbound outside
With those 3 commands, all the source addresses of frames from network 192.168.148.0/23 on the inside of FW1 are translated to 192.168.67.241 when sent out from the inside of FW2, and this matches the local network 192.168.67.0/24.
Those frames can then reach the remote site C, and the router over there has a route back to 192.168.67.0.
Thanks for supporting me !
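Added example (not from this thread or from Cisco): a small Python model of how the three posted commands are matched, so you can check which flows get their source rewritten before touching the PIX. It assumes PIX/ASA ACE semantics (real subnet masks such as 255.255.254.0, not IOS wildcard masks) and that a single address in the global statement means PAT onto that address; the flows below are constructed test values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One 'permit ip' entry of a PIX extended access-list."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_pix_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit ip SRC MASK host DST'.

    PIX ACLs take subnet masks (255.255.254.0 = /23), unlike IOS wildcard masks.
    """
    tok = line.split()
    if tok[3:5] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' ACEs are modelled here")

    def take(i: int):
        if tok[i] == "host":
            return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        if tok[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        # strict=False tolerates host bits in the network field
        return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

    src, i = take(5)
    dst, _ = take(i)
    return Ace(src, dst)


class OutsideNat:
    """Model of: nat (outside) ID access-list NAME outside + global (inside) ID ADDR."""

    def __init__(self, acl_lines, global_addr: str):
        self.aces = [parse_pix_ace(l) for l in acl_lines]
        self.global_addr = ipaddress.ip_address(global_addr)  # single address -> PAT

    def translate_source(self, src: str, dst: str) -> str:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.aces:
            if s in ace.src and d in ace.dst:
                return str(self.global_addr)  # policy matched: rewrite source
        return str(s)  # no match: source leaves FW2's inside untranslated


# The three commands posted above, in order: ACL, global, nat.
POLICY = OutsideNat(
    ["access-list outside_pnat_inbound extended permit ip 192.168.148.0 255.255.254.0 host 192.168.12.210"],
    "192.168.67.241",
)
```

Traffic from 192.168.148.0/23 to the remote host gets the 192.168.67.241 source; traffic to hosts inside 192.168.67.0/24 is left alone, which is why those PCs were reachable before the NAT was added.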