Cisco Support Community
Community Member

Question regarding a use of static

Hi

Situation:

I have a VPN connection to another company, through which they get a connection to the following hosts:

192.168.14.2

192.168.14.3

Now, I have another company that needs access to these hosts also, but they have the same IP range in use in their network. So I'm gonna use static and put my two hosts on my DMZ1, which has public IPs, instead.

static (inside,dmz1) 111.111.111.111 192.168.14.2
static (inside,dmz1) 111.111.111.112 192.168.14.3

This will put both my hosts in global "mode" in the firewall.

Question is, will this break my old VPN tunnel to the other company? If they try to reach 192.168.14.2, will the firewall stop them or something? Or will it also work?

Thank you

1 ACCEPTED SOLUTION
Community Member

Re: Question regarding a use of static

It can work without problems;

Since your "nat (inside) 0" has precedence over the static statement, traffic for the first tunnel will be non-NATed, routed on your outside or dmz1 interface where it will trigger the crypto engine.

Traffic for the 2nd tunnel will get NATed, then routed on your dmz1 interface where it will trigger the crypto engine.

One thing to check is that your crypto ACL for the second tunnel must use the translated addresses as the source. Remember that the NATing occurs before the encryption.

Also, I don't have your complete config, but if the default gateway of your PIX is on the outside interface, you will need 2 routes on your dmz1 interface: one for the VPN peer IP, and also one for the peer internal subnet.
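The order of operations the accepted answer relies on (NAT exemption via "nat (inside) 0" is checked first, a static applies otherwise, and the crypto ACL is matched against the packet after translation) can be checked with a small model. The following is an added example written for this thread, not Cisco code and not from either poster; the two peer subnets (10.10.0.0/16 for the original tunnel, 10.20.0.0/16 for the new one) are constructed placeholders, since the thread does not say how the second company's overlapping 192.168.14.0/24 range is presented on its side of the tunnel.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the PIX NAT order of operations described in the
# accepted answer. Peer subnets are assumptions, not from the thread.
COMPANY_A_SUBNET = ip_network("10.10.0.0/16")   # original tunnel peer (constructed)
COMPANY_B_SUBNET = ip_network("10.20.0.0/16")   # new tunnel peer (constructed)

# nat (inside) 0 access-list NONAT: traffic to company A is exempt from NAT.
NAT0_ACL = [
    (ip_network("192.168.14.2/32"), COMPANY_A_SUBNET),
    (ip_network("192.168.14.3/32"), COMPANY_A_SUBNET),
]

# static (inside,dmz1) 111.111.111.111 192.168.14.2 and .112 -> .3 (from the thread).
STATICS = {
    ip_address("192.168.14.2"): ip_address("111.111.111.111"),
    ip_address("192.168.14.3"): ip_address("111.111.111.112"),
}

def translate_source(src, dst):
    """Source address as it leaves the PIX.

    A nat 0 ACL hit wins and the packet is left untranslated; otherwise a
    matching static rewrites the source; otherwise it is unchanged.
    """
    for local, remote in NAT0_ACL:
        if src in local and dst in remote:
            return src
    return STATICS.get(src, src)

def crypto_acl_matches(acl, src, dst):
    """Crypto ACL lookup on the post-NAT packet (NAT happens before IPsec)."""
    return any(src in s and dst in d for s, d in acl)

# Tunnel A: inside addresses are correct here because these flows are NAT-exempt.
CRYPTO_ACL_A = [(ip_network("192.168.14.0/24"), COMPANY_A_SUBNET)]

# Tunnel B, written correctly with the translated (static) addresses as source.
CRYPTO_ACL_B_GOOD = [
    (ip_network("111.111.111.111/32"), COMPANY_B_SUBNET),
    (ip_network("111.111.111.112/32"), COMPANY_B_SUBNET),
]

# The mistake the answer warns about: tunnel B's ACL using the inside addresses.
CRYPTO_ACL_B_BAD = [(ip_network("192.168.14.0/24"), COMPANY_B_SUBNET)]

def check_flow(src, dst, crypto_acl):
    """Simulate one outbound flow: returns (post-NAT source, enters the tunnel?)."""
    src, dst = ip_address(src), ip_address(dst)
    out_src = translate_source(src, dst)
    return str(out_src), crypto_acl_matches(crypto_acl, out_src, dst)

if __name__ == "__main__":
    # Tunnel A: source stays 192.168.14.2 and matches the crypto ACL.
    print(check_flow("192.168.14.2", "10.10.1.1", CRYPTO_ACL_A))
    # Tunnel B: source becomes 111.111.111.111; only the ACL written with the
    # translated address matches, so the "bad" ACL never triggers the crypto engine.
    print(check_flow("192.168.14.2", "10.20.1.1", CRYPTO_ACL_B_GOOD))
    print(check_flow("192.168.14.2", "10.20.1.1", CRYPTO_ACL_B_BAD))
```

The third call is the case to watch for on the real box: the flow is translated by the static but never matches the crypto ACL, so it would leave dmz1 in the clear (or be dropped) rather than being encrypted.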

2 REPLIES
Community Member

Re: Question regarding a use of static

Hi

Thanks, that helped.
