09-08-2010 08:23 PM - edited 03-11-2019 11:37 AM
Hello everyone,
I am very new to the networking field. I want some help from you expert people.
I have a network in which I have a router, firewall & switch.
The ISP leased line is connected to the router (on FA0/0), FA 0/1 is connected to the firewall outside (E 0/0), and the firewall inside is connected to the switch for the LAN.
I want to configure a site-to-site VPN on the firewall.
Now I assigned IPs such as:
For example :
Router (FA 0/0 connected to ISP) : 1.1.1.1 /29
Router (FA 0/1 connected to firewall) : 175.172.10.1 (private IP)
Firewall (E 0/0 connected to Router) : 175.172.10.2 (private IP)
Firewall (E 0/1 connected to switch) : 10.0.0.1 (private IP)
Is this configuration right? If so, then which IP should I give to my peer end to establish the site-to-site VPN?
Is it possible to use IPs as:
For example :
Router (FA 0/0 connected to ISP) : 1.1.1.1 /29 (Public IP)
Router (FA 0/1 connected to firewall) : 1.1.1.2 (Public IP)
Firewall (E 0/0 connected to Router) : 1.1.1.3 (Public IP)
Firewall (E 0/1 connected to switch) : 10.0.0.1
Then I will give the public IP 1.1.1.3 to the peer site to establish the site-to-site VPN...
09-08-2010 08:30 PM
Hello,
You can go for your initial configuration i.e. Router's outside having a
public IP and the interface connecting to the firewall having a private IP.
You can use NAT on the router to map the private IP of the firewall to a
public IP and then give that public IP to the VPN peers.
Sample configuration:
interface fastethernet 0/0
ip address 1.1.1.1 255.255.255.248
ip nat outside
exit
interface fastethernet 0/1
ip address 175.172.10.1 255.255.255.0
ip nat inside
exit
ip nat source static 175.172.10.2 1.1.1.2 extendable
If you want to block certain traffic on the outside interface of the router,
you can use an access-list over there. If not, you can let the firewall
handle all the filtering.
Also, on another thought, if you have such a straight topology, you can
bypass the Router and connect the ISP handoff (Ethernet) directly to the
firewall. That will avoid the need for additional NAT configurations.
Hope this helps.
Regards,
NT
09-08-2010 08:45 PM
Dear Nagaraja,
I tried it. It works.
But when I give the command "sh ip nat translations" it is still showing the firewall's outside IP (i.e. 175.172.10.2)
It has to show 1.1.1.2 ???
Is there anything I need to change in the firewall, coz in the firewall I have given
global (outside) 1 interface (i.e. outside interface 175.172.10.2)
09-08-2010 08:51 PM
Hello,
You should see both firewall outside ip and the translated address. Can you
post the output of "show ip nat translation" command here?
Regards,
NT
09-08-2010 08:56 PM
Hello,
In "sh ip nat translation" I am still getting the same IP as the firewall's outside IP..
#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 114.143.201.*:1134 175.172.10.2:1134 24.212.98.214:2520 24.212.98.214:2520
udp 114.143.201.*:1134 175.172.10.2:1134 46.118.193.138:44782 46.118.193.138:44782
udp 114.143.201.*:1134 175.172.10.2:1134 67.81.201.181:17279 67.81.201.181:17279
udp 114.143.201.*:1134 175.172.10.2:1134 67.169.62.194:12580 67.169.62.194:12580
09-08-2010 09:02 PM
Hello,
If you notice, the inside global corresponds to the global address you are
mapping to and inside local corresponds to the actual ip of the firewall.
Inside global Inside local
114.143.201.*:1134 175.172.10.2:1134
So, NAT translation is working.
Regards,
NT
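NT's reading of the "show ip nat translations" columns (inside global = the public address the static NAT maps to, inside local = the firewall's real address) is the check to script when you want to confirm, before handing a peer address to the remote site, that every translation for the firewall really uses the address from the static entry and not, say, the router's own interface address. The following is an added example, not configuration or code from the thread or from Cisco: it parses constructed samples of "show run | include ip nat" and "show ip nat translations" (sample addresses taken from the thread's sample config, outside addresses are documentation ranges) and reports, per static mapping, whether the observed inside global matches the configured one.

```python
import re

# Constructed sample of "show run | include ip nat" (mirrors the thread's sample config;
# the regex also accepts the usual "ip nat inside source static" form).
SAMPLE_RUN = """\
ip nat source static 175.172.10.2 1.1.1.2 extendable
"""

# Constructed sample of "show ip nat translations" output. Outside addresses are
# documentation-range placeholders, not real peers.
SAMPLE_XLATE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 1.1.1.2:1134       175.172.10.2:1134  203.0.113.7:2520   203.0.113.7:2520
udp 1.1.1.2:500        175.172.10.2:500   198.51.100.9:500   198.51.100.9:500
--- 1.1.1.2            175.172.10.2       ---                ---
"""

STATIC_RE = re.compile(r"^ip nat (?:inside )?source static (\S+) (\S+)")


def parse_static_nat(run_output):
    """Return {inside_local: inside_global} for each static NAT line in the running config."""
    mapping = {}
    for line in run_output.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping


def strip_port(addr):
    """'175.172.10.2:1134' -> '175.172.10.2'; a bare '---' placeholder is returned unchanged."""
    return addr.split(":", 1)[0]


def parse_translations(xlate_output):
    """Return (proto, inside_global, inside_local) tuples, ports removed, header skipped."""
    rows = []
    for line in xlate_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Pro":
            continue
        rows.append((parts[0], strip_port(parts[1]), strip_port(parts[2])))
    return rows


def check_static_nat(run_output, xlate_output):
    """For each static mapping, confirm every translation of that inside local address
    uses the configured inside global. Returns {inside_local: (expected, observed_set, ok)}.
    ok is False when no translation exists yet or when any row shows a different global."""
    expected = parse_static_nat(run_output)
    observed = {}
    for _proto, inside_global, inside_local in parse_translations(xlate_output):
        observed.setdefault(inside_local, set()).add(inside_global)
    result = {}
    for inside_local, inside_global in expected.items():
        seen = observed.get(inside_local, set())
        result[inside_local] = (inside_global, seen, bool(seen) and seen == {inside_global})
    return result


if __name__ == "__main__":
    for local, (expected, seen, ok) in check_static_nat(SAMPLE_RUN, SAMPLE_XLATE).items():
        status = "OK" if ok else "MISMATCH"
        print(f"{status}: {local} -> expected {expected}, observed {sorted(seen) or '(none)'}")
```

If the report says OK, the address in the "expected" column is the one to give the remote site as the VPN peer; a MISMATCH usually means a dynamic or interface-overload rule is catching the firewall's traffic before the static entry, which is worth resolving before bringing the tunnel up.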
09-08-2010 09:10 PM
Hello,
175.172.10.2 is the actual IP of my firewall. If we did static NAT (ip nat source static 175.172.10.2 1.1.1.2 extendable) then in the NAT translation it has to show
1.1.1.2 na instead of the firewall's actual IP (175.172.10.2).
This IP is being advertised to global na ???
09-08-2010 09:15 PM
Hello,
As per your output, 175.172.10.2 is being advertised as 114.143.201.*. The
"inside global" means the global address (public address) corresponding to
the inside local address.
If 114.143.201.* is not the correct address the firewall should use, can you
post the output of "show run | include ip nat" here?
Regards,
NT
09-08-2010 09:32 PM
Hello,
Ok I got it. Means the Inside Global address (i.e. my ISP public IP 1.1.1.2) is being advertised to the external world, not my firewall's IP (i.e. my private IP 175.172.10.2) ???
Now can I use 1.1.1.2 for the site-to-site VPN ??
1.1.1.2 is now the peer IP for the remote site na ??
09-08-2010 09:51 PM
Hello NAGARAJA,
Can you tell me the command for remote telnet to the firewall by using the PuTTY software ???
My firewall's IP is (175.172.10.2) which we NATted on the router to 1.1.1.2 ??
09-08-2010 10:05 PM
Hello NAGARAJA,
Thanks a lot. It works..
Now I am able to ping 1.1.1.2 also from my router & also from outside..
Thanks a lot.. God bless you.