I am very new to the networking field and would like some help from you experts.
I have a network consisting of a router, a firewall and a switch.
The ISP leased line is connected to the router (FA0/0); FA0/1 is connected to the firewall's outside interface (E0/0), and the firewall's inside interface is connected to the switch for the LAN.
I want to configure a site-to-site VPN on the firewall.
I have assigned IPs as follows:
For example:
Router (FA 0/0 connected to ISP): 184.108.40.206 /29
Router (FA 0/1 connected to firewall): 220.127.116.11 (private IP)
Firewall (E 0/0 connected to router): 18.104.22.168 (private IP)
Firewall (E 0/1 connected to switch): 10.0.0.1 (private IP)
Is this configuration right? If so, which IP should I give to my peer end to establish the site-to-site VPN?
Is it possible to use IPs such as:
For example:
Router (FA 0/0 connected to ISP): 22.214.171.124 /29 (public IP)
Router (FA 0/1 connected to firewall): 126.96.36.199 (public IP)
Firewall (E 0/0 connected to router): 188.8.131.52 (public IP)
Firewall (E 0/1 connected to switch): 10.0.0.1
Then I would give the public IP 184.108.40.206 to the peer site to establish the site-to-site VPN...
You can go with your initial configuration, i.e. the router's outside interface having a
public IP and the interface connecting to the firewall having a private IP.
You can use NAT on the router to map the private IP of the firewall to a
public IP and then give that public IP to the VPN peers.
interface FastEthernet0/0
 description ISP leased line
 ip address 220.127.116.11 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 description Link to firewall outside interface (E0/0)
 ip address 18.104.22.168 255.255.255.0
 ip nat inside
!
! Static NAT: the firewall's address on the inside is always presented as
! the public address on the outside. With the interfaces tagged
! "ip nat inside" / "ip nat outside", the translation is defined with the
! "inside" keyword.
ip nat inside source static 22.214.171.124 126.96.36.199 extendable
If you want to block certain traffic on the outside interface of the router,
you can use an access-list over there. If not, you can let the firewall
handle all the filtering.
On another note, if you have such a straightforward topology, you can
bypass the router and connect the ISP handoff (Ethernet) directly to the
firewall. That avoids the need for the additional NAT configuration.
Hope this helps.
I tried it. It works.
But when I give the command "sh ip nat translations", it is still showing the firewall's outside IP (i.e. 188.8.131.52).
Shouldn't it show 184.108.40.206?
Is there anything I need to change in the firewall? Because in the firewall I have given
global (outside) 1 interface (i.e. outside interface 220.127.116.11).
You should see both the firewall's outside IP and the translated address. Can you
post the output of the "show ip nat translation" command here?
In "sh ip nat translation" I am still getting the same IP as the firewall's outside IP:
#sh ip nat translations
Pro Inside global         Inside local          Outside local          Outside global
udp 114.143.201.*:1134    18.104.22.168:1134    22.214.171.124:2520    126.96.36.199:2520
udp 114.143.201.*:1134    188.8.131.52:1134     184.108.40.206:44782   220.127.116.11:44782
udp 114.143.201.*:1134    18.104.22.168:1134    22.214.171.124:17279   126.96.36.199:17279
udp 114.143.201.*:1134    188.8.131.52:1134     184.108.40.206:12580   220.127.116.11:12580
If you notice, the "Inside global" column corresponds to the global address you are
mapping to, and "Inside local" corresponds to the actual IP of the firewall.
So, NAT translation is working.
18.104.22.168 is the actual IP of my firewall. If we did static NAT (ip nat source static 22.214.171.124 126.96.36.199 extendable), then the NAT translation should show
188.8.131.52 instead of the firewall's actual IP (184.108.40.206), right?
This is the IP that is being advertised globally, right?
As per your output, 220.127.116.11 is being advertised as 114.143.201.*. The
"Inside global" column is the global (public) address corresponding to
the inside local address.
If 114.143.201.* is not the correct address the firewall should use, can you
post the output of "show run | include ip nat" here?
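As an added illustration (not from this thread), a small Python helper that reads "show ip nat translations" output and confirms that the firewall's inside local address is only ever presented as the expected inside global address, i.e. the address a remote VPN peer would see; the sample output uses constructed RFC 5737 documentation addresses, not the thread's.

```python
from collections import defaultdict

# Constructed sample of "show ip nat translations" output (documentation
# addresses, not the thread's real ones). The last row is the static entry
# IOS shows for a static NAT; "---" means no port/no peer.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 203.0.113.5:500    192.0.2.10:500     198.51.100.7:500   198.51.100.7:500
udp 203.0.113.5:4500   192.0.2.10:4500    198.51.100.7:4500  198.51.100.7:4500
--- 203.0.113.5        192.0.2.10         ---                ---
"""

def split_addr(field):
    """Split 'ip:port' into (ip, port); static rows and '---' carry no port."""
    if ":" in field:
        ip, port = field.rsplit(":", 1)
        return ip, int(port)
    return field, None

def parse_translations(text):
    """Return one dict per translation row, skipping the header and blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": split_addr(ig),
                     "inside_local": split_addr(il), "outside_local": split_addr(ol),
                     "outside_global": split_addr(og)})
    return rows

def inside_mappings(rows):
    """Map each inside local IP to the set of inside global IPs it appeared as."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["inside_local"][0]].add(r["inside_global"][0])
    return dict(seen)

def check_static_nat(rows, inside_local, expected_global):
    """True when inside_local is always translated to expected_global and nothing else."""
    return inside_mappings(rows).get(inside_local, set()) == {expected_global}

def vpn_peers(rows):
    """Outside global IPs that exchanged IKE traffic (UDP 500/4500) with the inside host."""
    return {r["outside_global"][0] for r in rows
            if r["proto"] == "udp" and r["inside_local"][1] in (500, 4500)}
```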
OK, I got it. So the Inside Global address (i.e. my ISP public IP 18.104.22.168) is being advertised to the external world, not my firewall's IP (i.e. my private IP 22.214.171.124)?
Now can I use 126.96.36.199 for the site-to-site VPN?
Is 188.8.131.52 now the peer IP for the remote site?
Can you tell me the command for remote telnet to the firewall using the PuTTY software?
My firewall's IP is 184.108.40.206, which we NATed on the router to 220.127.116.11?
Thanks a lot. It works.
Now I am able to ping 18.104.22.168 from my router and also from outside.
Thanks a lot. God bless you.