In article < >,
erie <> wrote:
:Here is what I am trying.
:I need a device that could have 3 IP addresses, Public
:(12.225.113.xxx), Internal (172.17.x.x) and Private (192.0.0.x). I
:need a way to create a VPN tunnel back from the Internal interface to
:an office, and from the office be able to ping the 172.17.x.x and
:somehow have the 192.0.0.x address respond.
I am not sure that I understand your question, but I think a PIX
might work for you.
With any 3+ interface PIX (including PIX 510, 520, and PIX Classic),
and supported software version up to PIX 6.1, you would proceed by
making the outside interface Security 0 with IP address 12.225.113.xxx,
make the inside interface Security 100 with IP address 192.0.0.x (yes,
the Private address), and make the DMZ interface some Security from 1
to 99 with IP address 172.17.x.x . Connect the client link to the DMZ
interface, and connect the WAN link to the outside interface. [If your
client office has to connect via the WAN, then you would not be able to
do what you wanted until PIX 6.3(1), as PIX before that only allowed you
to create a VPN tunnel to the "nearest" interface.] Create a
    static (inside, dmz) 172.17.x.x 192.0.0.x
and put in an access-list/access-group [or 'conduit' if you are using
PIX 4.x] on the dmz interface that permits ping to 172.17.x.x. The
request to 172.17.x.x will be translated via the 'static' into a
request to 192.0.0.x. The configuration I describe only works when the
hidden address that has to respond is on a higher security interface
than the source interface.
You have an additional option starting with PIX 6.2. On the supported 3+
interface PIXes (the PIX 515, PIX 515E, PIX 525, or PIX 535), you can
have several interfaces. (The PIX 501, PIX 506, and PIX 506E are all
restricted to two interfaces.) Starting in PIX 6.2, you can configure
"reverse nat", which is the ability of an address to be translated
when going from a lower security interface to a higher security
interface. [Before this, addresses were only translated when the packet
went from higher security to lower.] This would allow you to switch
the roles of the inside and dmz interfaces.
PIX 6.3(1) was mentioned above because in PIX 6.3(1), it is possible,
in some circumstances, to have VPN traffic come in via the outside
interface, but for the VPN to be assigned to a higher security
interface. This would mean that in 6.3(1), you would be able to have
clients connect via the public internet (via the outside interface) and
yet still be processed as if the tunnel was to the dmz or inside
interface; this feature is mostly provided for the purpose of being
able to remotely manage a PIX that has a dhcp interface when all you
know remotely is the internal addresses and not the current dhcp
address. I wouldn't suggest counting on this feature to get the
translation that you want.
--
Will you ask your master if he wants to join my court at Camelot?!
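The static plus access-list arrangement the reply describes, written out as an added PIX 6.x configuration example (not from the original post). Interface names, netmasks, and the concrete host addresses are constructed placeholders chosen inside the ranges the poster gave; the default route is assumed.

```cisco
! Security levels as described: outside 0, inside 100 (the hidden
! 192.0.0.x address lives here), dmz somewhere between 1 and 99.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Constructed interface addresses in the poster's three ranges.
ip address outside 12.225.113.10 255.255.255.0
ip address inside 192.0.0.1 255.255.255.0
ip address dmz 172.17.1.1 255.255.0.0

! Assumed upstream gateway on the WAN side.
route outside 0.0.0.0 0.0.0.0 12.225.113.1 1

! Present the inside host 192.0.0.50 on the dmz as 172.17.1.50.
! Syntax: static (internal_if,external_if) global_ip local_ip
static (inside,dmz) 172.17.1.50 192.0.0.50 netmask 255.255.255.255 0 0

! Traffic from dmz (lower) to inside (higher) is denied unless
! permitted; allow only ICMP echo to the translated address.
access-list dmz_in permit icmp any host 172.17.1.50 echo
access-group dmz_in in interface dmz

! The echo-reply travels inside -> dmz (higher to lower), which
! PIX 6.x permits by default when no access-group is applied on
! inside, and the static rewrites its source back to 172.17.1.50.
```

A VPN peer that terminates on the dmz interface and pings 172.17.1.50 therefore gets an answer from the 192.0.0.50 host without ever seeing that address; swapping the inside and dmz roles needs the PIX 6.2 reverse NAT the reply mentions.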