VPN with DMZ IP address NATed to LAN IP address!!!

examples20001
Level 1

Hi,

My H.O and B.O have a VPN connection between H.O 172.29.150.0/24 and B.O 172.29.8.0/24.

My B.O has a DMZ segment 192.168.0.1/24. The DMZ web & mail server is accessible from the Internet, and the server IP address 192.168.0.10 is NATed to a global IP address.

The server 192.168.0.10 in the B.O DMZ needs to be accessed from H.O and vice versa. But we don't have another tunnel between the B.O DMZ and H.O.

So is it possible to set up another NAT for the DMZ server address 192.168.0.10 with a B.O LAN IP address (ex: 172.29.8.180), like:

ip nat inside source static 192.168.0.10 172.29.8.180 <<==== for H.O access through VPN
ip nat inside source static 192.168.0.10 A.B.C.222 <<==== for access from Internet

My B.O router is an ISR 1841 with the 12.3(8r)T8 ADVSECURITYK9-M image.

9 Replies

attrgautam
Level 5

Suggest doing a policy NAT on the firewall: deny traffic to the HO from the segment on the BO and permit this traffic through the IPsec. You wouldn't need to NAT twice, which I doubt you can anyway, as you need different sockets to do the same.

Just to add, you can also use static NAT with route-maps, the route-map denying traffic from the server to the HO and permitting the rest.

ip access-list extended test
 deny ip host 192.168.0.10 172.29.150.0 0.0.0.255
 permit ip host 192.168.0.10 any
!
ip nat inside source static 192.168.0.10 2.2.2.2 route-map test
!
route-map test permit 10
 match ip address test

Permit the traffic to the HO in the crypto ACL so the traffic will flow through the same tunnel. Let me know if this works.

Hi,

Thank you very much for replying.

I have attached the current BO router config.

The problem is that HO policy doesn't allow setting up a VPN for anything other than the BO LAN segment (172.29.8.0/24).

So I must try to configure the DMZ server address 192.168.0.10 to some BO LAN IP address and allow the VPN traffic from the DMZ server to HO.

So is it possible to set up the NAT like below:

ip nat inside source static 192.168.0.10 172.29.8.180 <<==== for H.O access through VPN
ip nat inside source static 192.168.0.10 A.B.C.24 <<==== for access from Internet

If not, then is there any other way?

ip nat inside source static 192.168.0.10 A.B.C.24 route-map test
ip nat inside source static 192.168.0.10 172.29.8.180 route-map test1

Try static route with route-maps.

Router#sh route-map test
route-map test, permit, sequence 10
  Match clauses:
    ip address (access-lists): test
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
Router#sh acces
Router#sh access-l
Router#sh access-lists test
Extended IP access list test
    10 deny ip host 192.168.0.10 172.29.150.0 0.0.0.255
    20 permit ip host 192.168.0.10 any

Similarly, create route-map test1 and see if it helps. There may be better solutions elsewhere.

My modified config looks like below; will it work?

!
ip nat pool pool-1 A.B.C.20 A.B.C.2 netmask 255.255.255.0
ip nat inside source route-map SDM_RMAP_1 pool pool-1 overload <<==== NAT for LAN-side PCs to access the Internet
ip nat inside source static 192.168.0.10 A.B.C.24 <<==== NAT for Internet-side PCs to access the DMZ server
ip nat inside source static 192.168.0.10 172.29.8.180 route-map SDM_RMAP_1 extendable <<==== NAT for VPN/LAN-side PCs to access the DMZ server
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!

#show access-list 104 <<==== Access list for NAT (Internet) and NO-NAT (VPN)
Extended IP access list 104
    10 deny ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
    20 deny ip 192.168.0.0 0.0.0.255 172.29.150.0 0.0.0.255
    30 permit ip 192.168.0.0 0.0.0.255 any
    40 permit ip 172.29.8.0 0.0.0.255 any
#

ip nat inside source static 192.168.0.10 A.B.C.24 route-map SDM_RMAP_1 extendable <<==== NAT for Internet-side PCs to access the DMZ server
ip nat inside source static 192.168.0.10 172.29.8.180 <<==== NAT for VPN/LAN-side PCs to access the DMZ server

This should be your config. Check if this works.

Why is the route-map SDM_RMAP_1 applied to 192.168.0.10 A.B.C.24? This NAT statement is not VPN traffic; it's only for Internet access. So why does the route-map need to be defined in this NAT statement?

Sorry, I got confused with the route-map and the 3 NAT statements.

ip nat pool pool-1 A.B.C.20 A.B.C.2 netmask 255.255.255.0
ip nat inside source route-map SDM_RMAP_1 pool pool-1 overload
ip nat inside source static 192.168.0.10 A.B.C.24 route-map SDM_RMAP_1 extendable no-alias
ip nat inside source static 192.168.0.10 172.29.8.180

Thank you very much for the help.

Statement 1 will NAT all traffic to the Internet except what is denied in the ACL.

Statement 2 will NAT the IP to the public IP for all traffic to the Internet.

Statement 3 will NAT the IP to the private IP, which will pass through the IPsec. Suggest you apply a route-map here also and explicitly permit only IPsec traffic.
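To see how route-map-conditioned NAT statements like the ones discussed in this thread pick a translation per flow, here is an added Python model of the evaluation (my own example, not from the thread or from Cisco IOS). It assumes the route-map ACL is matched against the untranslated inside-local source and destination, that static entries are tried before the overload pool, and that the VPN-side ACL permits the DMZ server's own address toward the H.O LAN (a constructed ACL, not the thread's ACL 115).

```python
"""Model of Cisco IOS policy NAT (route-map + ACL conditioned translations)
using the addresses from this thread. Added example, not Cisco code.
Assumption: the ACL sees the packet before translation (inside-local
addresses), and static entries are evaluated before the dynamic pool."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # network + wildcard for "any"


def host(addr):
    """A 'host a.b.c.d' ACL operand: wildcard 0.0.0.0 means every bit matters."""
    return (addr, "0.0.0.0")


def wildcard_match(spec, addr):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == base & care


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, s, d in acl:
        if wildcard_match(s, src) and wildcard_match(d, dst):
            return action == "permit"
    return False


# ACL 104 as posted in the thread: NO-NAT toward H.O, NAT everything else.
ACL_104 = [
    ("deny",   ("172.29.8.0", "0.0.0.255"), ("172.29.150.0", "0.0.0.255")),
    ("deny",   ("192.168.0.0", "0.0.0.255"), ("172.29.150.0", "0.0.0.255")),
    ("permit", ("192.168.0.0", "0.0.0.255"), ANY),
    ("permit", ("172.29.8.0", "0.0.0.255"), ANY),
]
# Constructed VPN-side ACL: only the DMZ server toward the H.O LAN.
ACL_VPN = [("permit", host("192.168.0.10"), ("172.29.150.0", "0.0.0.255"))]

# (inside-local matcher, inside-global address or pool, route-map ACL)
RULES = [
    (host("192.168.0.10"), "A.B.C.24", ACL_104),      # static, Internet side
    (host("192.168.0.10"), "172.29.8.180", ACL_VPN),  # static, VPN side
    (ANY, "pool-1", ACL_104),                         # dynamic overload
]


def translate(src, dst, rules=RULES):
    """Return the inside-global address/pool a flow is translated to,
    or None when no statement applies (packet enters the tunnel untranslated)."""
    for local, global_, acl in rules:
        if wildcard_match(local, src) and acl_permits(acl, src, dst):
            return global_
    return None
```

Feeding the DMZ server's flows through `translate` shows why the Internet-side static needs ACL 104 (its line 20 keeps H.O-bound traffic away from the public address) while the same server's Internet-bound traffic still gets A.B.C.24, and why the LAN-to-H.O flow gets no translation at all.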

My modified config looks like below; is it correct?

!
ip nat pool pool-1 A.B.C.20 A.B.C.2 netmask 255.255.255.0
ip nat inside source route-map SDM_RMAP_1 pool pool-1 overload
ip nat inside source static 192.168.0.10 A.B.C.24 route-map SDM_RMAP_1 extendable no-alias
ip nat inside source static 192.168.0.10 172.29.8.180 route-map vpn-dmz-lan extendable no-alias
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
route-map vpn-dmz-lan permit 1
 match ip address 115
!

#show access-list 104
Extended IP access list 104
    10 deny ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
    20 deny ip 192.168.0.0 0.0.0.255 172.29.150.0 0.0.0.255 <<==== Is this statement required?
    30 permit ip 192.168.0.0 0.0.0.255 any
    40 permit ip 172.29.8.0 0.0.0.255 any
#

#show access-list 115
Extended IP access list 115
    10 permit ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
#

Hi

Thank you very much for the support.
