08-19-2007 08:48 AM - edited 02-21-2020 03:13 PM
I'm trying to set up a VPN to allow a business partner access to our network. The problem is that the partner uses the same private address space as we do.
I'm trying to figure out how to translate (NAT) their internal address to a different address as the packets come out of the VPN tunnel.
There is a Visio Doc attached that shows "US" and "THEM". The "THEM" side does not use real IPs; I made this drawing because I'm getting an example set up in a lab environment, so I picked random numbers for the "THEM" IPs.
The PC(s) from the partner need access to two PCs on my side. I got it working to the point that the VPN tunnel comes up between the two PIX501s, and translated the destination IP into a private IP, but need help translating the remote source IPs into private IPs.
Here's some output from the PIX on the "US" (My side).
Inbound ICMP echo request (len 32 id 2 seq 44033) 10.150.100.100 > 216.x.x.x > 10.220.2.10
The source of the packet is sent to the 216.x.x.x address then translated to its real internal address of 10.220.2.10. I need to translate the 10.150.100.100 address to something else, so it doesn't mess up my network. Ideas? I'm a PIX n00b. Thanks in advance.
08-19-2007 10:53 AM
Hi
Sorry, I don't have Visio on my home PC, but if you want to translate the source IP address of the incoming packets, e.g. translate 10.150.100.100 to 192.168.5.10:
static (outside,inside) 192.168.5.10 10.150.100.100 netmask 255.255.255.255
If you need to do a pool of source addresses you could do
nat (outside) 3 10.150.100.0 255.255.255.0 outside
global (inside) 3 192.168.5.10
HTH
Jon
08-24-2007 12:46 AM
In my configuration, I tried
static (outside,inside) 192.168.16.90 10.18 netmask 255.255.255.255
which landed me with the following xlate:
Global 192.168.16.90 Local 10.0.0.18
At this point, my colleague at 10.18 lost all connectivity. No more internet... :)
How do you make the translation less intrusive?
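The xlate above shows the abbreviated address 10.18 being stored as 10.0.0.18. As an added example (not part of the original thread, and not Cisco tooling), this Python check lints a `static` line before it is pasted into the firewall: it reports shorthand addresses and real addresses that fall in a network you list as local. The function names and the local network 10.0.0.0/24 are assumptions for illustration.

```python
import ipaddress
import re

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")

def expand_classic(addr):
    """Expand an address the way classic inet_aton-style parsers do:
    the last part fills all remaining bytes, so '10.18' -> 10.0.0.18."""
    parts = [int(p) for p in addr.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(addr)
    *head, tail = parts
    if any(not 0 <= p <= 255 for p in head) or not 0 <= tail < 256 ** (4 - len(head)):
        raise ValueError(addr)
    value = tail
    for i, p in enumerate(head):
        value |= p << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def lint_static(line, local_nets):
    """Return a list of findings for one 'static (real_if,mapped_if) ...' line."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a static (real_if,mapped_if) statement"]
    real_if, _mapped_if, mapped, real, _mask = m.groups()
    findings, expanded = [], {}
    for role, text in (("mapped", mapped), ("real", real)):
        ip = expand_classic(text)
        expanded[role] = ip
        if str(ip) != text:  # not written as a full dotted quad
            findings.append(f"{role} address '{text}' is shorthand; it expands to {ip}")
    for net in local_nets:
        if expanded["real"] in ipaddress.ip_network(net):
            findings.append(
                f"real address {expanded['real']} (interface {real_if}) "
                f"falls within local network {net}")
    return findings

if __name__ == "__main__":
    # The statement from the post; the local network is a constructed assumption.
    line = "static (outside,inside) 192.168.16.90 10.18 netmask 255.255.255.255"
    for finding in lint_static(line, ["10.0.0.0/24"]):
        print(finding)
```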
08-24-2007 05:28 AM
I'm not too sure how NAT statements are handled, but would it work to do the following:
global (inside) 3 192.168.4.10-192.168.4.15 netmask 255.255.255.0
nat (outside) 3 10.150.0.0 255.255.255.0 outside //Translates 10.150.0.0 coming through VPN tunnel to the range 192.168.4.10-15
nat (outside) 0 0.0.0.0 0.0.0.0 0 0 //Skips the translate on anything else.