NAT question with VPN

jbrunstein
Level 1

Hello

This is my configuration:

VPN tunnel between FW1 and FW2

Local addresses : 10.7.1.0/24 on FW1 and 192.168.67.0/24 on FW2

Behind the inside interface of FW2, there is a remote site (network C).

PCs from network 10.7.1.0 are able to reach PCs on network 192.168.67.0 (no problem).

When a PC from network 10.7.1.0 wants to reach a PC on network C, I need the source address of 10.7.1.0 to be translated on the inside interface of FW2 to a local address of this network (let's say 192.168.67.241), because the network 10.7.1.0 is not routable to the remote site C.

First question: is it ever possible to do this?

Second question: if possible, what do I need to configure?

Thanks for help

Jean

4 Replies

James.Ren
Level 1

Hi Jean,

A question: is the inside interface of FW2 in the same subnet as 192.168.67.0/24? If so, I bet outside NAT could help you to translate the outside local address to a routable address.

ip nat outside source

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml

Hi James

Yes, the inside interface of FW2 is in subnet 192.168.67.0/24.

My firewalls are PIX boxes. Do you have a URL with the configuration of ip nat outside source for the PIX? The one you gave me is for IOS routers.

Thanks

Jean

Hi Jean,

Sure! Configuring outside NAT might be easier in security appliances. For outside NAT, you need to identify the nat command for outside NAT (the outside keyword).

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008083aa67.html

Hi James

I'm now able to do outside NAT for my configuration. The problem was not really with the commands to configure, but there was another problem (ARP in the next router) that was blocking the traffic.

Here are the 3 commands I needed:

access-list outside_pnat_inbound extended permit ip 192.168.148.0 255.255.254.0 host 192.168.12.210

global (inside) 8 192.168.67.241

nat (outside) 8 access-list outside_pnat_inbound outside

With those 3 commands, all the source addresses for frames from network 192.168.148.0/23 on the inside of FW1 are translated to 192.168.67.241 when sent out from the inside of FW2, and this matches the local network 192.168.67.0/24.

Those frames can then reach the remote site C, and the router over there has a route back to 192.168.67.0.

Thanks for supporting me !
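The three PIX lines above only translate flows that match the access-list, so before pushing a policy outside NAT rule it is worth checking exactly which source/destination pairs it will rewrite. The following is an added example, not code from the thread or from Cisco: a small Python model that parses the posted lines (the access-list with its subnet mask, the global pool on the inside interface, and the nat statement with the outside keyword) and reports what source address a packet arriving on the outside interface will carry when it leaves the inside interface. The function names and the test flows are constructed for illustration; the model only handles the address part of the translation (the real PIX also does port translation for a single-address pool) and ignores everything else in the NAT order of operations.

```python
"""Model of PIX policy outside NAT matching (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# The three PIX lines posted in the thread, reproduced verbatim.
PIX_CONFIG = """
access-list outside_pnat_inbound extended permit ip 192.168.148.0 255.255.254.0 host 192.168.12.210
global (inside) 8 192.168.67.241
nat (outside) 8 access-list outside_pnat_inbound outside
"""


@dataclass
class AclEntry:
    """One 'permit ip <src> <dst>' entry of an extended access-list."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


def _parse_addr(tokens, i):
    """Parse 'host A.B.C.D', 'any' or 'A.B.C.D MASK' at tokens[i].
    Returns (network, index of the next unread token)."""
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    # PIX access-lists use a subnet mask, e.g. 255.255.254.0 == /23
    return IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_pix(config: str):
    """Collect access-lists, global pools and nat statements from config."""
    acls = {}      # acl name -> [AclEntry]
    pools = {}     # (interface, pool id) -> mapped IPv4Address
    nats = []      # (interface, pool id, acl name, has 'outside' keyword)
    for line in config.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            src, i = _parse_addr(t, 5)          # t[4] is the protocol (ip)
            dst, _ = _parse_addr(t, i)
            acls.setdefault(t[1], []).append(AclEntry(src, dst))
        elif t[0] == "global":
            pools[(t[1].strip("()"), int(t[2]))] = IPv4Address(t[3])
        elif t[0] == "nat":
            nats.append((t[1].strip("()"), int(t[2]), t[4], "outside" in t[5:]))
    return acls, pools, nats


def translate_source(config: str, ingress: str, egress: str, src: str, dst: str) -> IPv4Address:
    """Source address a packet entering `ingress` carries when leaving `egress`.
    Returns the original source when no policy NAT rule matches."""
    acls, pools, nats = parse_pix(config)
    s, d = IPv4Address(src), IPv4Address(dst)
    for nat_iface, pool_id, acl_name, is_outside in nats:
        if nat_iface != ingress or not is_outside:
            continue
        if any(e.matches(s, d) for e in acls.get(acl_name, [])):
            mapped = pools.get((egress, pool_id))
            if mapped is not None:
                return mapped
    return s


if __name__ == "__main__":
    # Constructed flows: one inside the /23 to the permitted host, two that miss.
    for flow in [("192.168.148.5", "192.168.12.210"),
                 ("192.168.150.5", "192.168.12.210"),
                 ("192.168.148.5", "192.168.12.211")]:
        out = translate_source(PIX_CONFIG, "outside", "inside", *flow)
        print(f"{flow[0]} -> {flow[1]}: leaves inside as {out}")
```

Running the model shows that 192.168.148.5 to 192.168.12.210 leaves the inside interface as 192.168.67.241, while 192.168.150.5 (outside the /23) and traffic to 192.168.12.211 (not the permitted host) keep their original source. That second kind of flow is the one to look for when traffic to site C still fails after the rule is in place: the ACL, not the global or nat line, decides what gets rewritten.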
