
PIX and multiple NATs question

Dear all,

Our parent company has provided us with an IP VPN connection to their site. The PIX 515 they sent us for this connection resides in our DMZ (10.19.0.x), and they require us to translate our inside (192.168.1.x) traffic to 10.199.0.x when going to their firewall.

So I need to find the best way to NAT the traffic towards them to their preferred IPs while keeping the DMZ working fine, because I need to move the Exchange server there next week and must not affect the NATted traffic going to the outside.



      outside
          |
    <PIX515> - dmz - <PIX515> - IP VPN
          |
      inside

Any help or advice would be appreciated.

Thanks
Asked by: kingging
1 Solution
 
lrmoore commented:
You can use an access-list combined with a global and nat statement,
where <remote IP subnet> = the LAN on the other end of the VPN tunnel.
This is on YOUR PIX:

access-list parentvpn permit ip 192.168.1.0 255.255.255.0 <remote IP subnet> <mask>
nat (inside) 2 access-list parentvpn
global (dmz) 2 10.199.0.X


> DMZ (10.19.0.x)
> traffic to 10.199.0.x
I have to assume that one of those is a typo and that both are 10.199.0.x? Or both are 10.19.0.x?
 
kingging (Author) commented:
Thanks for the reply, lrmoore (once again), but no, it is not a typo.

Does that cause issues?
 
lrmoore commented:
Interesting...

Do you control the VPN PIX? It would be easier to NAT it there.

Can you post its config?
 
kingging (Author) commented:
No, I don't. It's a very big firm; they asked what the IP range was for my DMZ, so I told them 10.19.0.0 and that they could have 10.19.0.240 as the IP for the firewall, which they configured.

Then they told me to have the traffic NATted to 10.199.0.0 before it gets to their firewall, as they block everything else.

Should it work? Can it work? I would argue with the parent company, but they have 10 of me in every team in IT, and they have a team for every possible thing (hardware purchase, hardware maintenance, hardware testing, hardware inventory, and the list goes on forever), so you would assume that the PIX firewall team would know what they are talking about.

So if I use the access list as mentioned before, will it work, or does the NATting have a problem with the DMZ IP range?

Thanks again
 
lrmoore commented:
The access-list will work. You're defining traffic between your private inside subnet and their IP subnet, and only that traffic will be NATted. Traffic between your inside and the DMZ will continue to function as it is.
Typically, if I were in their shoes, I would expect to have traffic NATted to the same subnet as the PIX's outside (your DMZ) subnet, not a different one.

If it doesn't work as planned, it's all on their end with routing issues and how they set up the VPN tunnel.
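The policy NAT that lrmoore outlines in the accepted answer, and the routing caveat in his last comment, written out as a complete PIX 6.x configuration fragment. This is an added example, not configuration posted by either participant. Everything not stated in the thread is an assumption: the parent company's LAN is taken to be 172.16.0.0/16, our PIX's dmz interface address is taken to be 10.19.0.1, and the 10.199.0.x pool is shown as a full range (a single address would give PAT instead). The VPN PIX address 10.19.0.240 and the three subnets come from the thread.

```cisco
! Assumed existing translation for Internet-bound traffic (not shown in the thread).
! Left untouched: nat ID 1 keeps serving the outside interface as before.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Policy NAT for the parent-company VPN.
! Only inside -> parent-company LAN traffic matches this access-list; inside -> DMZ
! traffic (10.19.0.x) does not match and keeps whatever translation it has today.
! 172.16.0.0/16 is an assumed placeholder for the real remote LAN.
access-list parentvpn permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 2 access-list parentvpn

! Matching traffic leaves the dmz interface with a source from the 10.199.0.x pool
! the parent company asked for, even though the dmz interface itself is 10.19.0.1 (assumed).
! Use a single address here instead of a range if you want PAT.
global (dmz) 2 10.199.0.1-10.199.0.254 netmask 255.255.255.0

! Our PIX must send the remote LAN toward the VPN PIX sitting in the DMZ.
route dmz 172.16.0.0 255.255.0.0 10.19.0.240 1

! Apply and verify: new translations are built after clearing the xlate table.
clear xlate
show nat
show xlate
```

Two things to check after applying it. First, `show xlate` during a test connection to a remote host should show a 192.168.1.x to 10.199.0.x entry; if you instead see the inside address untranslated or translated by some other rule, note that the PIX evaluates `nat 0 access-list` and `static` entries before policy NAT, so a broad identity `static (inside,dmz) 192.168.1.0 192.168.1.0 ...` added for the Exchange move would win over `nat (inside) 2` and has to be narrowed to the DMZ hosts. Second, the part that is on the parent company's side: their VPN PIX at 10.19.0.240 needs a route for 10.199.0.0/24 pointing back at our dmz interface address (10.19.0.1 in this example), and its crypto access-list must carry 10.199.0.0/24 as interesting traffic, since 10.199.0.x is not on the 10.19.0.0 segment and return packets otherwise have nowhere to go.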
