DMZ interface with a private network (192.168.250.0/24) with some servers configured with static NATs to be accessible from the outside.
Outside interface with public IPs
I have to establish a LAN-to-LAN tunnel with a customer so he can access our DMZ. Our problem is that the customer has the same private network as we do. I'm trying to solve this problem with policy NAT. However, I can reach the customer DMZ while the customer is unable to reach our DMZ. In the past I solved this problem with route-maps on Cisco routers. Is it possible to solve this scenario with a PIX without modifying our network? How?
When you say you can reach his DMZ, do you mean you can establish full connectivity?
It's a little confusing. If your source addresses are in the same range as the customer network then you should not be able to get to them. A couple of questions:
1) Are you establishing connectivity from your DMZ to the other DMZ?
2) If you are, what are the source IP addresses?
If they are in the 192.168.250.x range then this shouldn't work even from your DMZ to theirs. If they are using their NATted public IP address when they connect, then just point the customer to the public IP addresses, assuming they want to get to the same servers.
Policy NAT won't really help here. If the source IP address is 192.168.250.10, for example, and this packet goes to the customer device, then when the server at the other end tries to respond it believes that the 192.168.250.10 machine is on the local network.
Yes, I can reach without any problem the customer DMZ doing policy NAT.
I change my DMZ network to a different private network with policy NAT, for example to 192.168.20.x. However, the traffic initiated by the customer doesn't reach my DMZ because the policy NAT only works for outgoing traffic.
You need to present your 192.168.250.x addresses that the customer wants to reach as different addresses to the customer or it will never work.
In answer to your question, yes you can do the NAT on just your end. You just need to make sure that whatever addresses you choose do not conflict with any at the customer site.
But unfortunately the customer will have to update their IPsec settings. So for example, say the customer wanted access to 192.168.250.10/11/12 at your end. Let's say you present these as 172.16.250.10/11/12 to the customer. They will still have to modify their IPsec settings that define the interesting traffic, in Cisco terms the crypto access-lists. And you would need to modify yours as well to reflect the new 172.16.250.x addresses.
If you are already natting the 192.168.250.x addresses then as long as they don't conflict with any customer addresses you can use these.
Yes, it makes sense. As I said I'm already doing it. I'm policy natting my network to reach the customer (the IPsec is properly configured) and I can reach the customer. However, when the customer initiates the traffic the NAT doesn't work and I don't know how to do it. My NAT configuration is something like:
access-list CUST1_NAT remark DMZ host 192.168.250.42 when talking to the customer network
access-list CUST1_NAT permit ip host 192.168.250.42 192.168.0.0 255.255.255.0
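The fixed, two-way presentation that the earlier reply describes, written out as an added example that is not part of the original thread or anyone's posted config. It assumes PIX 6.3 or later, where a static translation can be tied to a policy access-list; that the DMZ interface is named dmz and the public one outside; that the customer's network is 192.168.0.0/24 as in the access-list above; and that the DMZ is presented as 172.16.250.0/24, the range suggested earlier. The ACL and crypto map names are assumptions as well. A dynamic policy nat/global pair only builds a translation when a DMZ host sends the first packet; a static policy translation exists before any traffic flows, so packets the customer sends to 172.16.250.x are translated back to 192.168.250.x on the way in.

```cisco
! Policy ACL: real DMZ addresses, matched only when the destination is the customer network
access-list CUST1_STATIC permit ip 192.168.250.0 255.255.255.0 192.168.0.0 255.255.255.0

! Static policy NAT: present the whole DMZ as 172.16.250.0/24 toward the customer.
! Static translations are consulted before dynamic nat statements, so the
! existing dynamic policy NAT for this customer can be removed once this is in place.
static (dmz,outside) 172.16.250.0 access-list CUST1_STATIC

! Crypto ACL on this PIX must match the presented (post-NAT) addresses,
! because translation happens before the crypto check on outbound packets.
! The customer's mirror image is 192.168.0.0/24 -> 172.16.250.0/24.
access-list CUST1_VPN permit ip 172.16.250.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto map CUST1_MAP 10 match address CUST1_VPN
```

To check it, initiate a connection from the customer side to 172.16.250.x and confirm a 192.168.250.x to 172.16.250.x entry in show xlate and rising encrypt/decrypt counters in show crypto ipsec sa; if the xlate never appears, the policy ACL or interface names in the static line are the first thing to re-check.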