Cisco Support Community

New Member

VPN Client with NAT to a dmz

Usually we configure the remote VPN clients on the PIX without NAT (no nat) when they talk to machines on the inside interface or dmz. So when the host on the dmz answers the VPN client, it answers to its real address.

Now I would like to have the VPN client source address translated to an address belonging to the dmz network. Is this ever possible?

example :

PIX outside interface : W.X.Y.Z

PIX dmz interface : 10.254.0.1/16

VPN Client : 192.168.112.1/24 (address is given by a pool from the PIX)

On the dmz there is a host (10.254.31.253/16)

When 192.168.112.1 is talking to 10.254.31.253, I would like to have that:

source address 192.168.112.1 translated to 10.254.7.7 (for example)

The host 10.254.31.253 sends back a packet to destination address 10.254.7.7 and the PIX will translate it back to 192.168.112.1

If this is possible, I would like to have an example of the config.

I've configured a lot of different scenarios, but when doing a ping from the VPN client, I always see on the PIX logs "No translation group found for icmp src outside:192.168.112.1 dst dmz2:10.254.31.253 (type 8, code 0)"

Thanks for help

1 REPLY
New Member

Re: VPN Client with NAT to a dmz

Not very sure whether it will work or not...

Don't do translation; 192.168.112.0/24 goes into the dmz as 192.168.112.0/24.

Do:

static (outside,dmz) 192.168.112.0 192.168.112.0 netmask 255.255.255.0

You might need an access list...

Please let me know....

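An added example, not part of the thread and not Cisco tooling: a small Python parser for the "No translation group found" message quoted in the question, which reports the interface pair and protocol of dropped VPN-pool-to-dmz traffic so it can be compared with the interface names used in a nat/static statement (the quoted log names the destination interface dmz2). The networks come from the post; the TCP/UDP sample lines and the address/port form are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Message text as quoted in the post; the "/port" suffix for TCP/UDP is an assumption.
PATTERN = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?"
)

VPN_POOL = ipaddress.ip_network("192.168.112.0/24")  # VPN client pool from the post
DMZ_NET = ipaddress.ip_network("10.254.0.0/16")      # dmz network from the post


def parse_line(line):
    """Return the fields of one 'No translation group found' line, or None."""
    m = PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec


def missing_translations(lines):
    """Count VPN-pool -> dmz drops per (source interface, destination interface, protocol)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"] in VPN_POOL and rec["dst"] in DMZ_NET:
            counts[(rec["src_if"], rec["dst_if"], rec["proto"])] += 1
    return counts


SAMPLE_LOG = [  # first line is quoted from the post; the rest are constructed
    "No translation group found for icmp src outside:192.168.112.1 dst dmz2:10.254.31.253 (type 8, code 0)",
    "No translation group found for tcp src outside:192.168.112.1/1025 dst dmz2:10.254.31.253/80",
    "No translation group found for udp src inside:10.1.1.5/53 dst outside:192.0.2.9/53",
    "Built ICMP connection (constructed unrelated line)",
]

if __name__ == "__main__":
    for (src_if, dst_if, proto), n in sorted(missing_translations(SAMPLE_LOG).items()):
        print(f"{n} x {proto}: no translation from ({src_if}) to ({dst_if})")
```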