04-24-2007 03:41 PM - edited 03-09-2019 05:51 PM
Hi, I have the following setup:
(Checkpoint) --- (Cisco 827) --- (Internet)
(192.168.2.1)--- (2.2)-(10.1.1.1)-(10.1.1.2)
There is only one public internet address on the 827.
my questions are:
1. Is there any way to make the 827 completely transparent so all traffic goes to the Firewall?
2. If 1. is possible, would VPN clients be able to talk to the Checkpoint firewall?
Here is what I've got so far in my lab, but I think I'm missing something more on the NAT side.
LABWAN#sh run
Building configuration...
Current configuration : 1228 bytes
!
version 12.3
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LABWAN
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 10
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
!
!
no ftp-server write-enable
!
!
no crypto isakmp ccm
!
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip default-gateway 10.1.1.2
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
!
ip http server
no ip http secure-server
ip nat inside source static 192.168.2.1 interface FastEthernet0/1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end
Thanks
Gus
04-25-2007 05:46 PM
Greetings Gus,
Yes, that should pass all the traffic (including vpn traffic) coming from the Internet to the Checkpoint firewall.
ip nat inside source static 192.168.2.1 interface FastEthernet0/1
You can also put the above statement as:
ip nat inside source static 192.168.2.1 x.x.x.x
(where x.x.x.x is your internet ip address)
The only catch would be that you won't be able to access your router using telnet or ssh from the Internet side.
And if you want to do that, you can do it as:
For NAT:
ip nat inside source static tcp 192.168.2.2 23 x.x.x.x 23
For ssh use the port 22 in the above statement.
Hope that helps,
Good Luck
* Please rate if helpful
04-25-2007 06:26 PM
Sorry Gus,
I think the above is partially correct.
ip nat inside source static 192.168.2.1 interface FastEthernet0/1
Reads: on the interface labelled "inside", when a packet comes from 192.168.2.1, translate it to x.x.x.x, where x.x.x.x is your Internet IP.
If you want your vpn clients to connect to your firewall you will have to forward either specific ports or forward all the traffic:
ip nat outside source static x.x.x.x 10.32.15.88 extendible
* Please rate if it helps
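Added example, not taken from any of the posts above and not a Cisco reference configuration: the 1:1 static NAT both replies discuss, written out with the router's own management plane locked down, since a protocol-agnostic static entry to the interface address is what lets IKE (UDP/500), NAT-T (UDP/4500) and bare ESP (IP protocol 50) reach the Checkpoint without per-port entries. It reuses the lab addressing from the first post (Fa0/0 inside 192.168.2.2, Fa0/1 outside 10.1.1.1 standing in for the single public address, Checkpoint on 192.168.2.1); the username, domain name, ACL name and management source address are placeholders.

```ios
! Added example (not from this thread, not a Cisco reference config).
! Assumes: Fa0/0 = inside (192.168.2.2), Fa0/1 = outside (10.1.1.1, the
! single public address), Checkpoint external interface = 192.168.2.1.
! Placeholders: admin user, example.com, MGMT-HOSTS, <strong-password>.
!
hostname LABWAN
!
! --- Management plane -------------------------------------------------
! SSH needs a domain name and an RSA key. Generate the key from exec
! mode BEFORE restricting the vty to ssh, or you lock yourself out:
!   crypto key generate rsa modulus 2048
ip domain-name example.com
username admin privilege 15 secret <strong-password>
!
! Router management only from the inside network behind the firewall.
ip access-list standard MGMT-HOSTS
 permit 192.168.2.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
!
! The original lab config left the unencrypted web UI on. Turn it off.
no ip http server
no ip http secure-server
!
! --- Interfaces -------------------------------------------------------
interface FastEthernet0/0
 description Inside - Checkpoint external interface
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1
 description Outside - Internet (the single public address lives here)
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
! --- NAT --------------------------------------------------------------
! One protocol-agnostic 1:1 mapping: everything that arrives at the
! public address is rewritten to 192.168.2.1, whatever the protocol.
! For remote-access IPsec that covers IKE (UDP/500), NAT-T (UDP/4500)
! and bare ESP (IP protocol 50). A "static tcp"/"static udp" entry is
! port-based and cannot carry ESP, so the firewall, not the router, is
! left to decide which of those flows to accept.
ip nat inside source static 192.168.2.1 interface FastEthernet0/1
!
! Optional, and a deliberate exposure: SSH to the router itself from
! the Internet (the port-forward idea from the first reply, on 22 rather
! than 23). If you add it, tighten the vty access-class to the one
! management source first; otherwise router management is open to
! every address on the Internet.
!   ip nat inside source static tcp 192.168.2.2 22 interface FastEthernet0/1 22
!   ip access-list standard MGMT-HOSTS
!    permit host <your-management-source-ip>
!
end
```

After applying it, `show ip nat translations` should list the single static entry for 192.168.2.1, and `debug ip nat` (on a lab box only; it is chatty) shows each inbound packet being rewritten to 192.168.2.1. If you do enable the optional SSH port-forward, confirm on your IOS release with the same commands that the port-specific entry is honoured alongside the 1:1 mapping before relying on it.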