I'm trying to join two corporate networks via an ISDN link, with a 1004 on this side.
The users on this side need to access a machine on the other side. I'd like both IP domains to stay separate, i.e. having an address on the segment of the 1004 mapped to the AS/400 machine on the other side, a bit like setting up public access to a web site.
The difference is, with a public web site the source will be a public address and easily routable back to the client. In my case I do not want the other side to be configured with all my address ranges (where there could be possible conflicts). Thus the 'double' NATing.
If one corporate network was 10.x.x.x and the other 172.x.x.x, could it be possible that the client uses a 10.x.x.x address as a destination to the other side, and in turn the other side is also believing it is talking with a 172.x.x.x client?
Not sure if this is clear; I've been turning the idea round and round inside my head all weekend.
I'm assuming that by 'double NAT'ing you mean that both networks have private IP ranges and are behind NAT/PAT firewalls with a single public IP address exposed on each end?
If this is the case then what you are proposing will function, BUT without a VPN you will have to statically port forward all requests from the public (outside) interface to the inside IP interface of your AS/400. Let's assume you are telnetting into your AS/400: your remote clients connecting to the AS/400 will telnet to the PUBLIC IP of the network where your AS/400 resides, e.g. 18.104.22.168 port 23. As far as the AS/400 is concerned it will simply see the other network's PUBLIC IP, i.e. on your AS/400 you will see multiple inbound telnet sessions from the other network's single public IP (NAT/PAT will fix the connections up at each end and route the proper session to the correct end node IP).
I've had only passing experience with AS/400s, but if you are using the standard AS/400 implementation of telnet then it will work (the 'double NAT' will make NO difference to your configuration). One word of caution: if you are using standard telnet (as opposed to SSH or 'secure' AS/400 client software) then ALL of your traffic will be in the clear over the public IP network. Consider the implications of this before you proceed. A much better option is to establish a VPN between the two networks and route the two private IP spaces together. This will allow each side to address the other using private IP ranges. If I've misunderstood your question and given a pointless answer then please ignore ;)
Well, you did give me a couple of ideas, thanks :) But maybe a little ASCII drawing... watch out, I'm no artist.
I have clients sitting on the 10.x.x.x segment in Company 1, who need to access a machine sitting on the 22.214.171.124 segment in Company 2. We've added 2 routers between RouterB and RouterC, using an ISDN line.
How do I keep both IP domains separated while allowing the users to connect?
For now Company 1 doesn't have a 172.17.2.0 segment, so I'm routing traffic over the ISDN link and NATing on that side so clients appear as Company 2's 126.96.36.199 clients to the server.
I know that we have more than enough private classes to just forget about 172.17.2.0 in Company 1, but it's just a challenge to see if I can make it work with NAT/PAT without any company having to 'reserve' segments...
I've tried adding a static translation entry, but it didn't seem to work. I'm not sure if it wasn't getting to the destination at all, or if it's just because then it didn't go through the address pool on the Company 2 side...
This is possible, as I have recently done the same deal with our Security command blocks. Our internal corporate network connects to a routable 10.x address while the devices inside the DMZs talk back to the security block and all internal 10.x addresses via 192.168.x addresses (and to increase security from the DMZ to the corporate security block we do not route on any of the DMZ interfaces).
The syntax would look like this:
I need my 10.1.1.1 to talk to my 192.168.1.1 via telnet and vice versa. 10.x is inside and 192.x is DMZ1...
! Define a global pool so there is a NAT'd address on DMZ1
! to reach the server and get back again, assuming that you
! will never have more than 10 inside hosts connected at once
global (DMZ1) 1 192.168.1.100-192.168.1.109
! NAT all traffic leaving "inside" with global_ID "1"
nat (inside) 1 0 0
! Alias a new address for the 10.x to 192.x mapping
! (the double NATing), as you cannot use the
! same address range that is already on your
alias (inside) 10.2.1.1 192.168.1.1 255.255.255.255
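To make the address flow in the original question and in the PIX snippet above concrete, here is a small stateful model of that one-box "double NAT" (an added example; it is not from the thread and not PIX code). It plays the role of the `nat`/`global` pair (source rewrite onto a pool on the server-side interface, with per-flow port rewriting) and of the `alias` command (destination rewrite on inside-originated traffic, undone on the replies). All addresses are made up for the illustration: company 1 clients live in 10.0.0.0/8, the AS/400 is assumed at 172.17.2.10 in company 2, the pool 172.17.2.100-109 stands in for the `global` range, and 10.2.1.1 is the alias the clients dial. The model also shows the check a practitioner wants: a packet arriving from the server side with no translation entry is dropped, which is what happens when the static entry the poster tried is not in the path.

```python
# Added example, not part of the thread: a stateful model of the single-box
# "double NAT" (PIX nat/global + alias). Every address below is constructed.
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DoubleNat:
    """NAT between an 'inside' interface and a server-side interface.

    aliases: inside-visible destination -> real destination, like
             'alias (inside) 10.2.1.1 172.17.2.10 255.255.255.255';
             the rewrite is reversed on replies so the client keeps
             talking to the address it dialled.
    pool:    addresses handed out on the server side, like
             'nat (inside) 1 0 0' + 'global (dmz) 1 <range>': one pool
             address per inside host, a fresh port per flow (PAT).
    """

    def __init__(self, pool, aliases):
        self.pool = list(pool)
        self.aliases = dict(aliases)
        self.host_xlate = {}   # inside_ip -> pool address
        self.flows = {}        # (pool_ip, pool_port) -> (inside_ip, inside_port, dialled_dst, real_dst)
        self.next_port = count(1024)

    def outbound(self, pkt):
        """Packet leaving 'inside'; returns the packet the server side sees."""
        if pkt.src_ip not in self.host_xlate:
            if len(self.host_xlate) == len(self.pool):
                raise RuntimeError("global pool exhausted, no address for %s" % pkt.src_ip)
            self.host_xlate[pkt.src_ip] = self.pool[len(self.host_xlate)]
        real_dst = self.aliases.get(pkt.dst_ip, pkt.dst_ip)   # alias: 10.2.1.1 -> real server
        gip, gport = self.host_xlate[pkt.src_ip], next(self.next_port)
        self.flows[(gip, gport)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, real_dst)
        return Packet(gip, gport, real_dst, pkt.dst_port)

    def inbound(self, pkt):
        """Packet arriving from the server side; returns what 'inside' sees, or None if dropped."""
        flow = self.flows.get((pkt.dst_ip, pkt.dst_port))
        if flow is None:
            return None   # no xlate entry: unsolicited traffic never reaches inside
        inside_ip, inside_port, dialled_dst, real_dst = flow
        # undo the alias so the client sees the address it connected to
        src_ip = dialled_dst if pkt.src_ip == real_dst else pkt.src_ip
        return Packet(src_ip, pkt.src_port, inside_ip, inside_port)


def telnet_exchange():
    """Two company-1 clients telnet to the alias; returns the box and what each side saw."""
    box = DoubleNat(pool=["172.17.2.%d" % n for n in range(100, 110)],
                    aliases={"10.2.1.1": "172.17.2.10"})
    seen = {}
    for client in ("10.1.1.5", "10.1.1.6"):
        syn = Packet(client, 40000, "10.2.1.1", 23)        # client dials the 10.x alias
        on_wire = box.outbound(syn)                          # what the AS/400 receives
        reply = Packet(on_wire.dst_ip, 23, on_wire.src_ip, on_wire.src_port)
        back = box.inbound(reply)                            # what the client receives
        seen[client] = (on_wire, back)
    return box, seen


if __name__ == "__main__":
    box, seen = telnet_exchange()
    for client, (on_wire, back) in seen.items():
        print(client, "-> server sees", on_wire, "| client gets", back)
    print("stray inbound:", box.inbound(Packet("172.17.2.10", 23, "172.17.2.100", 5555)))
```

The server side only ever sees 172.17.2.100/101 talking to 172.17.2.10, and each client only ever sees 10.2.1.1 answering, which is the separation the poster was after; the two address domains never appear together on one wire. Note that this separation is addressing only: as the first reply points out, telnet payload still crosses the link in the clear unless the ISDN hop is wrapped in a VPN or the AS/400 client uses SSH or TLS.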