Nat from Outside (VPN POOL) to DMZ

I have a situation where I need to NAT from our VPN pool to a specific address on a DMZ interface and use PAT to the DMZ interface IP.

Here is what I came up with, but it does not work:

ip local pool vpnpool 192.168.200.5-192.168.200.250 mask 255.255.255.0

access-list vpnnatdmz permit ip 192.168.200.0 255.255.255.0 host 192.168.90.1

access-list nonatdmz permit ip host 192.168.90.2 192.168.200.0 255.255.255.0

access-list nonatdmz permit ip host 192.168.90.3 192.168.200.0 255.255.255.0

nat (dmz) 0 access-list nonatdmz

nat (outside) 5 access-list vpnnatdmz outside

global (dmz) 5 interface

When a VPN client accesses 192.168.90.1 on the DMZ interface, it should be translated to the IP of the DMZ interface.

I get the following error when I try to access that IP through the VPN client:

No translation group found for tcp src outside:192.168.200.6/2953 dst dmz:192.168.90.1/80

Any suggestion on how to do this would be great. I have this scenario working from the inside interface to the DMZ, but cannot get it to work from the outside to the DMZ.

Thanks,

Michael

Re: Nat from Outside (VPN POOL) to DMZ

If I am not wrong, the following statement is wrong:

nat (outside) 5 access-list vpnnatdmz outside

There should be no "outside" mentioned at the end of the nat statement.

It should only be

nat (outside) 5 access-list vpnnatdmz

--Pls rate if useful--
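
Added example, not part of the thread: a small Python check that parses the error line and the access lists quoted in the question and reports which access lists the denied flow matches, which rules out an ACL typo before the nat/global statements are examined. The function names are hypothetical, and only the `permit ip` form used in the question is parsed.

```python
import ipaddress
import re

# Access lists copied from the question (PIX syntax: netmask, not wildcard).
CONFIG = """\
access-list vpnnatdmz permit ip 192.168.200.0 255.255.255.0 host 192.168.90.1
access-list nonatdmz permit ip host 192.168.90.2 192.168.200.0 255.255.255.0
access-list nonatdmz permit ip host 192.168.90.3 192.168.200.0 255.255.255.0
"""
# Error line copied from the question.
LOG = ("No translation group found for tcp src outside:192.168.200.6/2953 "
       "dst dmz:192.168.90.1/80")
LOG_RE = re.compile(r"No translation group found for (\S+) "
                    r"src ([^\s:]+):([\d.]+)/(\d+) dst ([^\s:]+):([\d.]+)/(\d+)")

def parse_log(line):
    """Split the error line into protocol, interfaces, addresses and ports."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 'No translation group found' message")
    proto, sif, sip, sport, dif, dip, dport = m.groups()
    return {"proto": proto, "src_if": sif, "src": ipaddress.ip_address(sip),
            "sport": int(sport), "dst_if": dif,
            "dst": ipaddress.ip_address(dip), "dport": int(dport)}

def take_net(tokens):
    """Consume 'any', 'host A' or 'A MASK' from tokens; return an ip_network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acls(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue  # other entry forms are outside this example
        rest = t[4:]
        acls.setdefault(t[1], []).append((take_net(rest), take_net(rest)))
    return acls

def matching_acls(flow, acls):
    """Names of access lists with an entry covering the flow's src and dst."""
    return sorted(name for name, entries in acls.items()
                  if any(flow["src"] in s and flow["dst"] in d for s, d in entries))
```

For the flow in the error message this returns `['vpnnatdmz']`, so the access list itself does select the traffic.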