
Configuring an inside nat group on inside interface

 
 
jaalcock@gmail.com
 
      04-10-2006
Here is an interesting problem.. I am missing something very simple.

I have a PIX that I want to set up as a VPN server. I am using the easy
client software. I have a pool of IP addresses. This is a pool that I
picked out of the blue not in use, 192.168.254.0/24. I have no problem
getting the remote client to authenticate and get an IP address from
the PIX in this range.

I do not have any control of the internal router, 172.16.0.1. The
inside interface has an IP address on the inside network, 172.16.0.2
and I have confirmed connectivity. If I put in the correct routes, I
can ping from the PIX to anywhere without any problems.

Here is what I need to do though. I need to have the 192.168.254.0
network NATted on the inside. That way, when I get an IP address from
this pool and try to ping from a client computer with a 192.168.254
address, as far as the inside is concerned, I am coming from a
172.16.0.0 address and not a 192.168.254.0 address.

Can it be done?

 
Walter Roberson
 
      04-10-2006
In article <(E-Mail Removed). com>,
<(E-Mail Removed)> wrote:
>I have a pix that I want to setup as a vpn server.


>Here is what I need to do though. I need to have the 192.168.254.0
>network natted on the inside. That way, when I get an ip address from
>this pool and try to ping from a client computer with a 192.168.254
>address, as far as the inside is concerned, I am coming from a
>172.16.0.0 address and not a 192.168.254.0 address.


>Can it be done?


Turn the PIX backwards, attach the VPN to the "inside" interface,
connect that to the internet, put 172.16.0.0 on its outside interface,
connect that to the LAN, turn off nat 0 access-list for the VPN.
Packets accepted on the inside interface VPN will have their
source address PAT'd as they go out the outside interface into the LAN.


You could possibly accomplish the same thing using reverse NAT,
with a "nat (outside)" and "global (inside)" pair, but I'm not positive
it can be done that way -- it depends on whether the PIX will proxy arp
on the inside interface on behalf of reverse-NAT'd IPs. Usually routing
is checked before NAT, and you have a problem because the PIX will
notice that the destination is in the same network as the inside
interface and so will drop the packets. You -might- be able to
get around that by putting in static routes for the individual 172.16/16
IPs that you want to front the VPN users under.
 
jaalcock@gmail.com
 
      04-11-2006
Hmmm.. I am not sure how I would begin to do that.


Internal Lan - 172.16.0.1 --- 172.16.0.2 Inside Pix Outside Pix --- 24.1.1.1
|
|

---192.168.254.0 (Pool of IP addresses)

I need to basically nat 192.168.254.0/24 to look like it is coming out
of 172.16.0.2

John
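
The "nat (outside)" / "global (inside)" pair mentioned in the reply above, written out as an added sketch for PIX 6.2 or later (not configuration from any poster in this thread, and not tested against this setup). NAT id 2 is an assumption standing for any id not already in use, and whether the PIX applies the pair to VPN client traffic is the open question that reply raises.

```cisco
: Added sketch. Lines starting with ":" are comments.
: Addresses are the ones given in the thread:
:   VPN pool         192.168.254.0/24
:   inside interface 172.16.0.2
:
: 1. Stop exempting the pool from translation. The entry to remove is the
:    one matching 192.168.254.0/24 in the ACL bound to
:    "nat (inside) 0 access-list"; that ACL is not shown in the thread.
:
: 2. Outside NAT: match sources in the VPN pool that enter through the
:    outside interface. NAT id 2 is an assumed unused id.
nat (outside) 2 192.168.254.0 255.255.255.0 outside
:
: 3. PAT those sources to the inside interface's own address, so the LAN
:    sees 172.16.0.2. The PIX already answers ARP for this address, so
:    this form does not depend on proxy ARP for extra 172.16 addresses.
global (inside) 2 interface
:
: 4. Flush existing translations, then connect a client, ping an inside
:    host and confirm a 192.168.254.x entry mapped to 172.16.0.2.
clear xlate
show xlate
```

Because every client is hidden behind 172.16.0.2, inside hosts and logs can no longer tell VPN users apart by source address; per-user attribution has to come from the PIX's own VPN and translation logs.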

 