  • Status: Solved
  • Priority: Medium
  • Security: Public

NAT over VPN pool

OK, this is what I want to do, but I doubt it's possible.

Just a plain static from the outside interface to the inside interface.
However, this applies to the vpn pool. The initiator of the communication is
going to be a VPN client.

For example: the physical web server is on the PIX inside network and the
server's IP is 10.1.1.80

I want to use a static which would look something like this:
static (inside,outside) 172.16.33.80 10.1.1.80
Hence, if a VPN client tries to access 172.16.33.80, it would be redirected
to 10.1.1.80
Asked by: billwharton
1 Solution
 
lrmoore commented:
Hi, Bill!
Can I assume that your VPN client is getting DNS resolution for www.zzzz.com as 172.16.33.80, which you have forwarded to inside server 10.1.1.80, and you can't change the DNS combobulation?
The alias command fixes this for internal uses, but I've never seen it used for VPN clients. It might work, though:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

 
billwharton (Author) commented:
lrmoore

I think I really messed up the question. Here you go again:

VPN client ------ Internet ------- PIX -------- LAN

PIX inside: 10.1.1.1
PIX outside: 150.12.1.1


A VPN software client establishes a VPN connection to 150.12.1.1 and receives an IP address of 11.1.1.15 from the VPN pool defined on the PIX, which is 11.1.1.1.

Now, during the VPN session, if the VPN client tries to connect to an IP address of 172.16.33.80, the PIX should translate this destination to destination IP: 10.1.1.80

It's just like static NAT, except that I'm trying to do it within the boundaries of a VPN tunnel.
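To make the mechanism in the question concrete, here is a small model of what a PIX `static (inside,outside) mapped_ip real_ip` entry does to a packet, written for this thread and not taken from the original post or from Cisco. It treats a static as bidirectional and bound to its interface pair: a packet arriving on the mapped-side interface addressed to the mapped IP gets its destination rewritten to the real IP, and a packet leaving the real-side interface from the real IP gets its source rewritten to the mapped IP. The interface names, the 172.16.33.80 -> 10.1.1.80 static, the VPN client address 11.1.1.15 and the attempted 11.1.1.80 mapping are the values from the thread; the ingress interface of decrypted tunnel traffic is an assumption of the model, and the model does not settle whether a real PIX applies the static to traffic arriving through the tunnel (the answer given in this thread is that it does not work).

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address


@dataclass(frozen=True)
class Packet:
    ingress: str          # interface the packet arrives on ("outside" or "inside")
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Static:
    """Models: static (real_if,mapped_if) mapped_ip real_ip"""
    real_if: str
    mapped_if: str
    mapped_ip: IPv4Address
    real_ip: IPv4Address


def translate(pkt: Packet, statics: list[Static]) -> Packet:
    """Apply the first matching static; an unmatched packet is returned unchanged."""
    for s in statics:
        # Inbound direction: arrives on the mapped-side interface, addressed to the mapped IP.
        if pkt.ingress == s.mapped_if and pkt.dst == s.mapped_ip:
            return replace(pkt, dst=s.real_ip)
        # Return direction: leaves from the real host on the real-side interface.
        if pkt.ingress == s.real_if and pkt.src == s.real_ip:
            return replace(pkt, src=s.mapped_ip)
    return pkt


# The static from the question: static (inside,outside) 172.16.33.80 10.1.1.80
STATICS = [
    Static("inside", "outside", ip_address("172.16.33.80"), ip_address("10.1.1.80")),
]


def scenario(ingress: str, src: str, dst: str) -> tuple[str, str]:
    """Run one constructed packet through the static table; returns (src, dst) after translation."""
    out = translate(Packet(ingress, ip_address(src), ip_address(dst)), STATICS)
    return str(out.src), str(out.dst)


if __name__ == "__main__":
    # VPN client 11.1.1.15 (assumed to enter on "outside") talking to the mapped address.
    print(scenario("outside", "11.1.1.15", "172.16.33.80"))   # dst becomes 10.1.1.80
    # The server's reply is source-translated back to the mapped address.
    print(scenario("inside", "10.1.1.80", "11.1.1.15"))       # src becomes 172.16.33.80
    # The later attempt in the thread, 11.1.1.80 -> 10.1.1.80, has no matching static:
    print(scenario("outside", "11.1.1.15", "11.1.1.80"))      # unchanged, so nothing reaches 10.1.1.80
```

The third call is the point of the model: a destination inside the VPN pool range is only rewritten if a static names it as the mapped address, which is not what the single static in the question defines.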
 
lrmoore commented:
I don't think you can do that...maybe I'm missing the point, but why can't the client just go directly to the destination 10.1.1.80, why would he even try to go to 172.16.33.80 ?
 
billwharton (Author) commented:
It's all part of another garbled problem I am trying to solve.

I'm in my office and they've restricted all websites. I always have my VPN tunnel to home up and running and could run a Terminal Services session, but images load very slowly and of course video ain't possible.

Hence, I thought I could use my server at home as a NAT server. A proxy wouldn't do as every other protocol needs you to set up a proxy for it. This is how I started to implement the plan.

Get rid of the default gateway the office DHCP server provided me and only add a single route to my home IP address to go through the office gateway. Once connected, I have to add a default route, and a default route should have its next hop on the same network. Now, since my VPN pool assigned me an IP address of 11.1.1.15, I tried doing a static NAT to translate 11.1.1.80 to 10.1.1.80 (NAT server).
But that didn't work.

You're probably saying I'm getting crazy over something small, which is true. However, even if I can't do it, there was quite a bit of learning involved in the process, which cannot hurt :)
 
lrmoore commented:
I do think you're crazy, but it does afford a good learning experience..
Trying to cheat the system, are we?
You don't control the network at work
You do have a VPN back to home network (PIX)
You want to use home server as a sort of anonymous proxy, "through" the vpn tunnel?
Can't do it anyway.
 
billwharton (Author) commented:
After your summary, I've started thinking of myself as even crazier. It's like at each step of the way, I've tried to achieve something but put a roadblock in front of it.

lol
