NAT Question

Here is what I am trying.
I need a device that could have 3 IP addresses, Public
(, Internal (172.17.x.x) and Private (192.0.0.x). I
need a way to create a VPN tunnel back from the Internal interface to
an office, and from the office be able to ping the 172.17.x.x and
somehow have the 192.0.0.x address respond. I just need to be
pointed in the correct direction, so any help would be appreciated.
Walter Roberson
In article <(E-Mail Removed) >,
erie <(E-Mail Removed)> wrote:
:Here is what I am trying.
:I need a device that could have 3 IP addresses, Public, Internal (172.17.x.x) and Private (192.0.0.x). I
:need a way to create a VPN tunnel back from the Internal interface to
:an office, and from the office be able to ping the 172.17.x.x and
:somehow have the 192.0.0.x address respond.

I am not sure that I understand your question, but I think a PIX
might work for you.

With any 3+ interface PIX (including PIX 510, 520, and PIX Classic),
and supported software version up to PIX 6.1, you would proceed by
making the outside interface Security 0 with IP address,
make the inside interface Security 100 with IP address 192.0.0.x (yes,
the Private address), and make the DMZ interface some Security from 1
to 99 with IP address 172.17.x.x. Connect the client link to the DMZ
interface, and connect the WAN link to the outside interface. [If your
client office has to connect via the WAN, then you would not be able to
do what you wanted until PIX 6.3(1), as PIX before that only allow you
to create a VPN tunnel to the "nearest" interface.] Create a
static (inside, dmz) 172.17.x.x 192.0.0.x
and put in an access-list/access-group [or 'conduit' if you are using
PIX 4.x] on the dmz interface that permits ping to 172.17.x.x. The
request to 172.17.x.x will be translated via the 'static' into a
request to 192.0.0.x. The configuration I describe only works when the
hidden address that has to respond is on a higher security interface
than the source interface.

You have an additional option starting with PIX 6.2. On the supported 3+
interface PIXes (the PIX 515, PIX 515E, PIX 525, or PIX 535), you can
have several interfaces. (The PIX 501, PIX 506, and PIX 506E are all
restricted to two interfaces.) Starting in PIX 6.2, you can configure
"reverse nat", which is the ability of an address to be translated
when going from a lower security interface to a higher security
interface. [Before this, addresses were only translated when the packet
went from higher security to lower.] This would allow you to switch
the roles of the inside and dmz interfaces.

PIX 6.3(1) was mentioned above because in PIX 6.3(1), it is possible,
in some circumstances, to have VPN traffic come in via the outside
interface, but for the VPN to be assigned to a higher security
interface. This would mean that in 6.3(1), you would be able to have
clients connect via the public internet (via the outside interface) and
yet still be processed as if the tunnel was to the dmz or inside
interface; this feature is mostly provided for the purpose of being
able to remotely manage a PIX that has a dhcp interface when all you
know remotely is the internal addresses and not the current dhcp
address. I wouldn't suggest counting on this feature to get the
translation that you want.
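The layout the reply describes, written out as a PIX 6.x configuration fragment. This is an added example, not configuration from the thread or from Cisco: the interface names, the security level of 50 for the dmz, the single hidden host 192.0.0.10 presented as 172.17.1.10, the /24 masks and the 203.0.113.x public addresses (a documentation-range placeholder) are all assumptions made here.

```cisco
! Added example (not from the thread or Cisco). Interface names, host
! addresses and masks are assumed; 203.0.113.x stands in for the public
! address the original poster did not give.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.0.0.1 255.255.255.0
ip address dmz 172.17.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! The hidden host 192.0.0.10 lives on the inside (security 100) and is
! presented to the dmz (security 50) as 172.17.1.10. Before PIX 6.2 a
! static only translates in this direction: real host on the higher
! security interface, mapped address visible from the lower one.
static (inside,dmz) 172.17.1.10 192.0.0.10 netmask 255.255.255.255

! Inbound ACL on the lower-security dmz interface. On PIX 6.x the ACL
! matches the mapped (translated) address, so permit only ICMP echo to
! 172.17.1.10 rather than opening the host to everything from the dmz.
access-list dmz_in permit icmp any host 172.17.1.10 echo
access-group dmz_in in interface dmz
```

An echo request from the client link to 172.17.1.10 passes the dmz_in check, is untranslated by the static to 192.0.0.10, and the reply returns through the same translation, so the pinging host only ever sees the 172.17.x.x address. The access-list is deliberately narrow: a static alone punches no hole, but a permissive `access-list dmz_in permit ip any any` would expose the inside host to every dmz-side peer, which is the usual mistake with this design.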