Usually we configure the remote VPN clients on the PIX without NAT (no nat) when they talk to machines on the inside interface or dmz. So when the host on the dmz answers the VPN client, it's to its real address.
Now I would like to have the VPN client source address translated to an address belonging to the dmz network. Is this ever possible?
PIX outside interface : W.X.Y.Z
PIX dmz interface : 10.254.0.1/16
VPN Client : 192.168.112.1/24 (address is given by a pool from the PIX)
On the dmz there is a host (10.254.31.253/16)
When 192.168.112.1 is talking to 10.254.31.253, I would like to have that:
source address 192.168.112.1 translated to 10.254.7.7 (for example)
The host 10.254.31.253 sends back a packet to destination address 10.254.7.7 and the PIX will translate it back to 192.168.112.1
If this is possible, I would like to have an example of the config.
I've configured a lot of different scenarios, but when doing a ping from the VPN client, I always see on the PIX logs "No translation group found for icmp src outside:192.168.112.1 dst dmz2:10.254.31.253 (type 8, code 0)"