PIX and multiple NATs question

Posted on 2005-03-13
Medium Priority
Last Modified: 2013-11-16
Dear all,

Our parent company has provided us with an IP VPN connection to their site. The PIX515 which they sent to us for this connection resides in our DMZ (10.19.0.x), and they require us to translate our inside (192.168.1.x) traffic to 10.199.0.x when going to their firewall.

So I need to find the best way to NAT the traffic towards them to their preferred IPs, but keep the DMZ working fine, because I need to move the Exchange server there next week and not affect the NATted traffic going to the outside.

    <PIX515> - dmz - <PIX515> - IP VPN  

Any help or advice would be appreciated.

Question by:kingging

Accepted Solution

lrmoore earned 1500 total points
ID: 13528352
You can use an access-list combined with a global and nat statement...
where: <remote IP subnet> = LAN on the other end of the VPN tunnel
This is on YOUR pix:

access-list parentvpn permit ip 192.168.1.0 255.255.255.0 <remote IP subnet> <mask>
nat (inside) 2 access-list parentvpn
global (dmz) 2 10.199.0.X

> DMZ (10.19.0.x)
> traffic to 10.199.0.x
I have to assume that one of those is a typo: are both 10.199.0.x, or both 10.19.0.x?

Author Comment

ID: 13528386
Thanks for the reply, lrmoore (once again), but no, it is not a typo.

Does that cause issues?

Expert Comment

ID: 13529296

Do you control the VPN PIX? It would be easier to NAT it there.

Can you post its config?


Author Comment

ID: 13529579
No, I don't. It's a very big firm; they asked what the IP range was for my DMZ, so I told them, and said that they could have an IP for the firewall, which they configured.

Then they told me to have the traffic NATted before it gets to their firewall, as they block everything else.

Should it work? Can it work? I would argue with the parent company, but they have 10 of me in every team in IT, and they have a team for every possible thing (hardware purchase, hardware maintenance, hardware testing, hardware inventory, and the list goes on forever), so you would assume that the PIX firewall team would know what they are talking about.

So if I use the access list as mentioned before, will it work, or does the NATting have a problem with the DMZ IP range?

thanks again

Expert Comment

ID: 13529844
The access-list will work. You're defining traffic between your private inside subnet and their IP subnet, and only that traffic will be NATted. Traffic between your inside and the DMZ will continue to function as it is.
Typically, if I were in their shoes, I would expect to have traffic NATted to the same subnet as the PIX's outside (your DMZ) subnet, not a different one.

If it doesn't work as planned, it's all on their end, with routing issues and how they set up the VPN tunnel.
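
To make the rule-ordering point from the accepted solution and this comment concrete, here is an added example (written for this page, not code from the thread or from Cisco) that models how a PIX 6.x picks a translation for an inside host: NAT exemption first, then policy NAT with an access-list, then regular NAT, with a nat id that has no global on the egress interface resulting in no translation. The inside subnet, the DMZ subnet and the 10.199.0.x global come from the thread; the remote LAN 172.16.0.0/24, the outside PAT address 203.0.113.1 and the nat 0 exemption for inside-to-DMZ traffic are assumed placeholders, and statics are not modelled.

```python
import ipaddress

# Constructed model of PIX 6.x translation selection; an illustration, not a
# PIX parser. Assumed values: remote LAN 172.16.0.0/24, outside PAT address
# 203.0.113.1, and a nat 0 exemption for inside->DMZ traffic.
net = ipaddress.ip_network

# nat (inside) 0 access-list nonat     -> exemption, evaluated first (assumed)
EXEMPT = [(net("192.168.1.0/24"), net("10.19.0.0/24"))]
# nat (inside) 2 access-list parentvpn -> policy NAT, evaluated second
POLICY = [(2, net("192.168.1.0/24"), net("172.16.0.0/24"))]
# nat (inside) 1 192.168.1.0 255.255.255.0 -> regular NAT, evaluated last
REGULAR = [(1, net("192.168.1.0/24"))]
# global (<interface>) <id> <address>
GLOBALS = {("dmz", 2): "10.199.0.1", ("outside", 1): "203.0.113.1"}

def translate(src, dst, egress):
    """Return the source address seen on `egress`, or None when no global
    exists for the matched nat id on that interface (PIX drops the packet)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in EXEMPT:
        if s in src_net and d in dst_net:
            return src                      # nat 0: address left untouched
    for nat_id, src_net, dst_net in POLICY:
        if s in src_net and d in dst_net:   # both source AND destination match
            return GLOBALS.get((egress, nat_id))
    for nat_id, src_net in REGULAR:
        if s in src_net:
            return GLOBALS.get((egress, nat_id))
    return None

def check_flows():
    """Constructed flows as (src, dst, egress interface) -> translated source."""
    flows = [("192.168.1.10", "172.16.0.5", "dmz"),       # to parent LAN via VPN PIX
             ("192.168.1.10", "10.19.0.20", "dmz"),       # to the Exchange server in DMZ
             ("192.168.1.10", "198.51.100.7", "outside")]  # ordinary internet traffic
    return {f: translate(*f) for f in flows}

if __name__ == "__main__":
    for flow, seen in check_flows().items():
        print(flow, "->", seen)
```

Only the flow whose destination falls inside the parentvpn access-list is rewritten to the 10.199.0.x address; DMZ and outside traffic keep using whatever they use today.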
