Configuring an inside nat group on inside interface

Discussion in 'Cisco' started by jaalcock, Apr 10, 2006.

  1. jaalcock

    jaalcock Guest

    Here is an interesting problem. I am missing something very simple.

    I have a PIX that I want to set up as a VPN server. I am using the Easy
    VPN client software. I have a pool of IP addresses. This is a pool that I
    picked out of the blue, not in use. I have no problem
    getting the remote client to authenticate and get an IP address from
    the PIX in this range.

    I do not have any control of the internal router. The
    inside interface has an IP address on the inside network,
    and I have confirmed connectivity. If I put in the correct routes, I
    can ping from the PIX to anywhere without any problems.

    Here is what I need to do, though. I need to have the
    network NATted on the inside. That way, when I get an IP address from
    this pool and try to ping from a client computer with a 192.168.254
    address, as far as the inside is concerned, I am coming from a address and not a address.

    Can it be done?
    jaalcock, Apr 10, 2006

  2. Turn the PIX backwards, attach the VPN to the "inside" interface,
    connect that to the internet, put on its outside interface,
    connect that to the LAN, turn off nat 0 access-list for the VPN.
    Packets accepted on the inside interface VPN will have their
    source address PAT'd as they go out the outside interface into the LAN.

    You could possibly accomplish the same thing using reverse NAT,
    with a "nat (outside)" and "global (inside)" pair, but I'm not positive
    it can be done that way -- it depends on whether the PIX will proxy arp
    on the inside interface on behalf of reverse-NAT'd IPs. Usually routing
    is checked before NAT, and you have a problem because the PIX will
    notice that the destination is in the same network as the inside
    interface and so will drop the packets. You -might- be able to
    get around that by putting in static routes for the individual 172.16/16
    IPs that you want to front the VPN users under.
    Walter Roberson, Apr 10, 2006
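    A worked configuration for the second approach Walter sketches (outside NAT on the PIX, a "nat (outside)" paired with a "global (inside)"), as an added example that is not part of this thread or of any poster's configuration. It assumes PIX 6.3 syntax, a VPN client pool of 192.168.254.0/24 (the range the original post mentions), an inside interface of 172.16.1.1/16 on the LAN, and a spare LAN address 172.16.1.250 used as the PAT address for VPN users; the IKE and group settings are only sketched. All of these addresses and names are assumptions.

```cisco
! Added example, not from the thread. Assumed addressing:
!   inside interface 172.16.1.1/16 (LAN is 172.16.0.0/16)
!   VPN client pool 192.168.254.0/24 (hand-picked, unused on the LAN)
!   172.16.1.250 is an unused LAN address that VPN users will appear as
ip address inside 172.16.1.1 255.255.0.0

! Pool handed out to Easy VPN clients (group name "vpnusers" is assumed)
ip local pool vpnpool 192.168.254.1-192.168.254.254
vpngroup vpnusers address-pool vpnpool
! ... vpngroup password, isakmp policy and crypto map omitted here ...
isakmp enable outside
! Let decrypted VPN traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! Ordinary NAT for LAN hosts going out to the internet (id 1)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Outside NAT for the VPN pool (id 2). The trailing "outside" keyword
! tells the PIX to translate sources arriving on the outside interface,
! i.e. the decrypted client packets, before they are sent into the LAN.
nat (outside) 2 192.168.254.0 255.255.255.0 outside
! Matching global on the inside interface: every VPN user is PATted
! to 172.16.1.250 as it enters the LAN, so internal routers never see
! the 192.168.254.0/24 pool at all.
global (inside) 2 172.16.1.250 netmask 255.255.255.255

! Verification after a client connects and pings a LAN host:
!   show xlate   - expect 192.168.254.x translated to 172.16.1.250
!   show arp     - the PIX should answer ARP for 172.16.1.250 on inside
! If LAN hosts cannot reach 172.16.1.250, the proxy-ARP concern Walter
! raises applies; confirm the PIX is proxy-ARPing for the global address
! on the inside interface before looking elsewhere.
```

    The two NAT ids are deliberately kept separate (1 for inside-to-outside, 2 for the VPN pool) so the inside-bound PAT cannot be confused with the everyday internet PAT when reading "show xlate". Only the inside-bound direction is translated; replies from LAN hosts to 172.16.1.250 match the existing xlate and are delivered back to the client without any extra "nat (inside)" entry.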

  3. jaalcock

    jaalcock Guest

    Hmmm... I am not sure how I would begin to do that.

    Internal Lan - --- Inside Pix Outside Pix ---

    --- (Pool of IP addresses)

    I need to basically NAT to look like it is coming out

    jaalcock, Apr 11, 2006