Question regarding a use of static

azore2007
Level 1

Hi

Situation:

I have a VPN connection to another company where they get connection to the following hosts

192.168.14.2

192.168.14.3

Now, I have another company that needs access to these hosts also, but they have the same IP range in use in their network. So I'm gonna use static and put my two hosts on my DMZ1, which has public IPs instead.

static (inside,dmz1) 111.111.111.111 192.168.14.2

static (inside,dmz1) 111.111.111.112 192.168.14.3

This will put both my hosts in global "mode" in the firewall.

Question is, will this break my old VPN tunnel to the other company? If they try to reach 192.168.14.2, will the firewall stop them or something? Or will it also work?

Thank you

Accepted Solutions

michelcaissie
Level 1

It can work without problems;

Since your "nat (inside) 0" has precedence over the static statement, traffic for the first tunnel will not be NATed; it is routed out your outside or dmz1 interface, where it will trigger the crypto engine.

Traffic for the 2nd tunnel will get NATed, then routed out your dmz1 interface, where it will trigger the crypto engine.

One thing to check is that your crypto ACL for the second tunnel must use the translated addresses as the source. Remember that NAT occurs before encryption.

Also, I don't have your complete config, but if the default gateway of your PIX is on the outside interface, you will need 2 routes on your dmz1 interface: one for the VPN peer IP, and also one for the peer internal subnet.

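The layout described in the answer above, as an added PIX config sketch that is not the poster's or the answerer's config. Assumed values: company 1 sits behind the existing outside tunnel as 10.1.1.0/24; company 2's peer is 203.0.113.5, reachable via dmz1 next hop 111.111.111.254, and company 2 presents its own hosts as 172.16.50.0/24 after NAT on their side, since their real range collides with 192.168.14.0/24; ISAKMP and transform-set setup is omitted.

```text
! Tunnel 1 (existing): NAT exemption wins over static, so 192.168.14.x
! reaches company 1 untranslated. Keep this ACL narrow: if it also matched
! company-2 destinations, the static below would never apply to them.
access-list nonat permit ip 192.168.14.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list vpn1 permit ip 192.168.14.0 255.255.255.0 10.1.1.0 255.255.255.0

! Tunnel 2: the two hosts appear on dmz1 as public addresses.
static (inside,dmz1) 111.111.111.111 192.168.14.2 netmask 255.255.255.255
static (inside,dmz1) 111.111.111.112 192.168.14.3 netmask 255.255.255.255

! NAT happens before encryption, so the crypto ACL must match the
! translated source addresses, not 192.168.14.2/.3.
access-list vpn2 permit ip host 111.111.111.111 172.16.50.0 255.255.255.0
access-list vpn2 permit ip host 111.111.111.112 172.16.50.0 255.255.255.0

crypto map dmzmap 10 ipsec-isakmp
crypto map dmzmap 10 match address vpn2
crypto map dmzmap 10 set peer 203.0.113.5
crypto map dmzmap 10 set transform-set myset
crypto map dmzmap interface dmz1

! With the default route on outside, both the peer and its internal
! subnet need explicit routes out dmz1 or the crypto map never sees them.
route dmz1 203.0.113.5 255.255.255.255 111.111.111.254 1
route dmz1 172.16.50.0 255.255.255.0 111.111.111.254 1
```

Verify the precedence with "show xlate" after a test connection: traffic to 10.1.1.0/24 should create no translation, while traffic to 172.16.50.0/24 should show 192.168.14.2 mapped to 111.111.111.111.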

Replies

Hi

Thanks, that helped.
