Configuring an inside nat group on inside interface

Discussion in 'Cisco' started by jaalcock@gmail.com, Apr 10, 2006.

  1. Guest

    Here is an interesting problem... I am missing something very simple.

    I have a PIX that I want to set up as a VPN server. I am using the Easy
    VPN client software. I have a pool of IP addresses. This is a pool that I
    picked out of the blue, not in use, 192.168.254.0/24. I have no problem
    getting the remote client to authenticate and get an IP address from
    the PIX in this range.

    I do not have any control of the internal router, 172.16.0.1. The
    inside interface has an IP address on the inside network, 172.16.0.2,
    and I have confirmed connectivity. If I put in the correct routes, I
    can ping from the PIX to anywhere without any problems.

    Here is what I need to do though. I need to have the 192.168.254.0
    network NATted on the inside. That way, when I get an IP address from
    this pool and try to ping from a client computer with a 192.168.254
    address, as far as the inside is concerned, I am coming from a
    172.16.0.0 address and not a 192.168.254.0 address.

    Can it be done?
    , Apr 10, 2006
    #1

  2. In article <>,
    <> wrote:
    >I have a pix that I want to setup as a vpn server.

    >Here is what I need to do though. I need to have the 192.168.254.0
    >network natted on the inside. That way, when I get an ip address from
    >this pool and try to ping from a client computer with a 192.168.254
    >address, as far as the inside is concerned, I am coming from a
    >172.16.0.0 address and not a 192.168.254.0 address.

    >Can it be done?

    Turn the PIX backwards, attach the VPN to the "inside" interface,
    connect that to the internet, put 172.16.0.0 on its outside interface,
    connect that to the LAN, turn off nat 0 access-list for the VPN.
    Packets accepted on the inside interface VPN will have their
    source address PAT'd as they go out the outside interface into the LAN.

    You could possibly accomplish the same thing using reverse NAT,
    with a "nat (outside)" and "global (inside)" pair, but I'm not positive
    it can be done that way -- it depends on whether the PIX will proxy ARP
    on the inside interface on behalf of reverse-NAT'd IPs. Usually routing
    is checked before NAT, and you have a problem because the PIX will
    notice that the destination is in the same network as the inside
    interface and so will drop the packets. You -might- be able to
    get around that by putting in static routes for the individual 172.16/16
    IPs that you want to front the VPN users under.
    Walter Roberson, Apr 10, 2006
    #2
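The "nat (outside)" / "global (inside)" pair mentioned above, written out as an added example in PIX 6.3-style syntax (this is not configuration from the thread or from Cisco documentation; the interface names `inside`/`outside`, the NAT id `1` and the pool name `vpnpool` are assumptions, and the VPN group, ISAKMP and crypto map lines are assumed to already exist since the poster reports the client authenticating and receiving a pool address):

```cisco
! Assumed already present: the address pool the VPN clients draw from.
ip local pool vpnpool 192.168.254.1-192.168.254.254

! Outside NAT: translate traffic that ARRIVES on the outside interface
! (the VPN clients, 192.168.254.0/24) as it is forwarded to the inside.
! The trailing "outside" keyword is what enables outside NAT on the PIX;
! without it the nat statement is only consulted for inside-to-outside flows.
nat (outside) 1 192.168.254.0 255.255.255.0 outside

! PAT all of NAT id 1 to the inside interface address (172.16.0.2), so the
! LAN and the 172.16.0.1 router only ever see 172.16.0.2 as the source.
global (inside) 1 interface

! Checks after a client pings a LAN host:
!   show xlate      - expect a PAT entry 192.168.254.x -> 172.16.0.2
!   show route      - confirm the 172.16.0.0 route points at inside, since
!                     routing is evaluated before NAT as noted above
!   show arp        - the LAN should resolve only 172.16.0.2 to the PIX;
!                     no proxy-ARP for the pool is needed with interface PAT
```

Because the translated source is the inside interface's own address, the proxy-ARP concern in the reply above does not arise; it would if `global (inside)` used a separate 172.16.0.0 address instead of `interface`.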

  3. Guest

    Hmmm... I am not sure how I would begin to do that.

    Internal LAN - 172.16.0.1 --- 172.16.0.2 Inside PIX | Outside PIX --- 24.1.1.1
                                                          |
                                                          --- 192.168.254.0 (Pool of IP addresses)

    I need to basically NAT 192.168.254.0/24 to look like it is coming out
    of 172.16.0.2.

    John
    , Apr 11, 2006
    #3