NAT Question

Discussion in 'Cisco' started by erie, Jul 8, 2003.

  1. erie

    erie Guest

    Here is what I am trying.
    I need a device that could have 3 IP addresses, Public
    (12.225.113.xxx), Internal (172.17.x.x) and Private (192.0.0.x). I
    need a way to create a VPN tunnel back from the Internal interface to
    an office, and from the office be able to ping the 172.17.x.x and
    somehow have the 192.0.0.x address respond. I just need to be
    pointed in the correct direction, so any help would be appreciated.
    erie, Jul 8, 2003
    #1

  2. In article <>,
    erie <> wrote:
    :Here is what I am trying.
    :I need a device that could have 3 IP addresses, Public
    :(12.225.113.xxx), Internal (172.17.x.x) and Private (192.0.0.x). I
    :need a way to create a VPN tunnel back from the Internal interface to
    :an office, and from the office be able to ping the 172.17.x.x and
    :somehow have the 192.0.0.x address respond.

    I am not sure that I understand your question, but I think a PIX
    might work for you.

    With any 3+ interface PIX (including PIX 510, 520, and PIX Classic),
    and supported software version up to PIX 6.1, you would proceed by
    making the outside interface Security 0 with IP address 12.225.113.xxx,
    make the inside interface Security 100 with IP address 192.0.0.x (yes,
    the Private address), and make the DMZ interface some Security from 1
    to 99 with IP address 172.17.x.x. Connect the client link to the DMZ
    interface, and connect the WAN link to the outside interface. [If your
    client office has to connect via the WAN, then you would not be able to
    do what you wanted until PIX 6.3(1), as PIX before that only allowed you
    to create a VPN tunnel to the "nearest" interface.] Create a
    static (inside, dmz) 172.17.x.x 192.0.0.x
    and put in an access-list/access-group [or 'conduit' if you are using
    PIX 4.x] on the dmz interface that permits ping to 172.17.x.x. The
    request to 172.17.x.x will be translated via the 'static' into a
    request to 192.0.0.x. The configuration I describe only works when the
    hidden address that has to respond is on a higher security interface
    than the source interface.

    You have an additional option starting with PIX 6.2. On the supported 3+
    interface PIXes (the PIX 515, PIX 515E, PIX 525, or PIX 535) you can
    have several interfaces. (The PIX 501, PIX 506, and PIX 506E are all
    restricted to two interfaces.) Starting in PIX 6.2, you can configure
    "reverse nat", which is the ability of an address to be translated
    when going from a lower security interface to a higher security
    interface. [Before this, addresses were only translated when the packet
    went from higher security to lower.] This would allow you to switch
    the roles of the inside and dmz interfaces.


    PIX 6.3(1) was mentioned above because in PIX 6.3(1), it is possible,
    in some circumstances, to have VPN traffic come in via the outside
    interface, but for the VPN to be assigned to a higher security
    interface. This would mean that in 6.3(1), you would be able to have
    clients connect via the public internet (via the outside interface) and
    yet still be processed as if the tunnel was to the dmz or inside
    interface; this feature is mostly provided for the purpose of being
    able to remotely manage a PIX that has a dhcp interface when all you
    know remotely is the internal addresses and not the current dhcp
    address. I wouldn't suggest counting on this feature to get the
    translation that you want.
    --
    Will you ask your master if he wants to join my court at Camelot?!
    Walter Roberson, Jul 8, 2003
    #2
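A PIX 6.1-style configuration fragment for the layout Walter describes (inside at security 100 holding the hidden 192.0.0.x host, the office link on the dmz interface, a static presenting the hidden host as a 172.17.x.x address). This is an added example, not posted in the thread; the interface names, the access-list name and the host addresses are constructed placeholders.

```cisco
! Added example (not from the thread). Host addresses, the "dmz_in" ACL
! name and the interface numbering are constructed placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 12.225.113.X 255.255.255.0
ip address inside 192.0.0.1 255.255.255.0
ip address dmz 172.17.0.1 255.255.0.0
!
! Present the hidden inside host 192.0.0.10 to the dmz side as 172.17.0.10.
! Traffic arriving on dmz for 172.17.0.10 is rewritten to 192.0.0.10; the
! real host sits on the higher-security (inside) interface, which is the
! only direction a pre-6.2 PIX translates, as the reply above notes.
static (inside,dmz) 172.17.0.10 192.0.0.10 netmask 255.255.255.255 0 0
!
! Permit only ICMP echo toward the translated address; the echo reply
! travels from higher to lower security and is allowed by default.
! Narrow the source from "any" to the office network once it is known.
access-list dmz_in permit icmp any host 172.17.0.10 echo
access-group dmz_in in interface dmz
```

Replace 12.225.113.X with the real outside address; the 192.0.0.x host itself is never exposed on the dmz side, only its 172.17.x.x alias is reachable, and only for echo.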