Solved

NAT over VPN pool

Posted on 2004-10-11
Last Modified: 2013-11-16
OK, this is what I want to do, but I doubt it's possible.

Just a plain static from the outside interface to the inside interface.
However, this applies to the vpn pool. The initiator of the communication is
going to be a VPN client.

For example: the physical web server is on the PIX inside network and the
server's IP is 10.1.1.80

I want to use a static which would look something like this:
static (inside,outside) 172.16.33.80 10.1.1.80
Hence, if a VPN client tries to access 172.16.33.80, it would be redirected
to 10.1.1.80
Question by: billwharton

Expert Comment by: lrmoore (ID: 12281143)
Hi, Bill!
Can I assume that your VPN client is getting dns resolution for www.zzzz.com as 172.16.33.80, which you have forwarded to inside server 10.1.1.80, and you can't change the DNS combobulation?
The alias command fixes this for internal uses, but I've never seen it used for VPN clients; it might work, though.
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Author Comment by: billwharton (ID: 12282243)
lrmoore

I think I really messed up the question. Here you go again:

VPN client ------ Internet ------- PIX -------- LAN

PIX inside: 10.1.1.1
PIX outside: 150.12.1.1


A VPN software client establishes a VPN connection to 150.12.1.1 and receives an IP address of 11.1.1.15 from the VPN pool defined on the PIX, which is 11.1.1.1.

Now, during the VPN session, if the VPN client tries to connect to an IP address of 172.16.33.80, the PIX should translate this destination to destination IP: 10.1.1.80

It's just like static NAT, except that I'm trying to do it within the boundaries of a VPN tunnel.
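The translation the question asks for (a static entry that rewrites a VPN client's destination 172.16.33.80 to the inside server 10.1.1.80, and rewrites the server's replies back), as an added example that is not part of this thread or of any Cisco code: a small Python model of what a bidirectional `static (inside,outside) global local` entry does to packets in both directions. The addresses are the thread's; the interface names, the connection table and the rule that inbound packets with no matching static are dropped are assumptions of the model, not a statement about how the PIX implements this.

```python
"""Model of a bidirectional static translation on a PIX-style firewall.

Added example for this thread, not code from the thread or from Cisco.
Addresses are the thread's; interface names, the table layout and the
drop rule for unmatched inbound packets are assumptions of the model.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrives on: "outside" or "inside" (assumed names)
    src: str
    dst: str
    sport: int
    dport: int


class StaticNat:
    """Static (local_if,global_if) global local entries plus a tiny connection table."""

    def __init__(self) -> None:
        # (local_if, global_if, global_ip) -> local_ip
        self._by_global: Dict[Tuple[str, str, str], str] = {}
        # (local_if, global_if, local_ip) -> global_ip
        self._by_local: Dict[Tuple[str, str, str], str] = {}
        # flows opened from the global side: (remote_ip, remote_port, global_ip, global_port)
        self._conns: Set[Tuple[str, int, str, int]] = set()

    def add_static(self, local_if: str, global_if: str, global_ip: str, local_ip: str) -> None:
        """Model of `static (local_if,global_if) global_ip local_ip`."""
        self._by_global[(local_if, global_if, global_ip)] = local_ip
        self._by_local[(local_if, global_if, local_ip)] = global_ip

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Return the rewritten packet, or None when no static covers it (the model drops it)."""
        if pkt.in_if == "outside":
            # Inbound: the published (global) destination becomes the local address.
            local_ip = self._by_global.get(("inside", "outside", pkt.dst))
            if local_ip is None:
                return None
            self._conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return replace(pkt, dst=local_ip)
        if pkt.in_if == "inside":
            # Outbound: the local source is rewritten back to its published address.
            global_ip = self._by_local.get(("inside", "outside", pkt.src))
            if global_ip is None:
                return None
            return replace(pkt, src=global_ip)
        return None

    def is_established(self, translated: Packet) -> bool:
        """True if an already-translated outbound packet answers a flow opened from outside."""
        key = (translated.dst, translated.dport, translated.src, translated.sport)
        return key in self._conns


def demo() -> dict:
    """Walk the thread's scenario through the model (constructed packets)."""
    nat = StaticNat()
    nat.add_static("inside", "outside", "172.16.33.80", "10.1.1.80")
    # VPN client with pool address 11.1.1.15 hits the published address; decrypted traffic
    # is treated as arriving on outside.
    forward = nat.translate(Packet("outside", "11.1.1.15", "172.16.33.80", 40000, 80))
    # The server's reply leaves inside; its source goes back to the published address.
    reply = nat.translate(Packet("inside", "10.1.1.80", "11.1.1.15", 80, 40000))
    # An address with no static gets no xlate and is dropped by the model.
    miss = nat.translate(Packet("outside", "11.1.1.15", "172.16.33.81", 40001, 80))
    return {
        "forward": forward,
        "reply": reply,
        "miss": miss,
        "reply_established": nat.is_established(reply) if reply else False,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes explicit is that a static is a two-way mapping: the same entry rewrites the destination of the client's inbound packet and the source of the server's reply, so the client only ever sees 172.16.33.80 and the server only ever sees the client's pool address. Whether decrypted VPN client traffic is actually run through the static table on a given PIX release is exactly what the thread does not settle, so treat the model as the semantics being asked for, not as confirmation that the PIX does it.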
Expert Comment by: lrmoore (ID: 12282273)
I don't think you can do that...maybe I'm missing the point, but why can't the client just go directly to the destination 10.1.1.80, why would he even try to go to 172.16.33.80 ?
Author Comment by: billwharton (ID: 12282308)
It's all part of another garbled problem I am trying to solve.

I'm in my office and they've restricted all websites. I always have my VPN tunnel to home up and running and could run a Terminal Services session, but images load very slowly and of course video ain't possible.

Hence, I thought I could use my server at home as a NAT server. A proxy wouldn't do as every other protocol needs you to set up a proxy for it. This is how I started to implement the plan.

Get rid of the default gateway the office DHCP server provided me and only add a single route to my home IP address to go through the office gateway. Once connected, I have to add a default route, and a default route should have its next hop on the same network. Now, since my VPN pool assigned me an IP address of 11.1.1.15, I tried doing a static NAT to translate 11.1.1.80 to 10.1.1.80 (NAT server).
But that didn't work.

You're probably saying I'm getting crazy over something small which is true. However, even if I can't do it, it was quite a bit of learning involved in the process which cannot hurt :)
Accepted Solution by: lrmoore (earned 250 total points; ID: 12282409)
I do think you're crazy, but it does afford a good learning experience..
Trying to cheat the system, are we?
You don't control the network at work
You do have a VPN back to home network (PIX)
You want to use home server as a sort of anonymous proxy, "through" the vpn tunnel?
Can't do it anyway.
Author Comment by: billwharton (ID: 12282450)
After your summary, I've started thinking of myself as even crazier. It's like at each step of the way I've tried to achieve something but put a road block in front of it.

lol
