Solved

PIX and multiple Nat's question

Posted on 2005-03-13
Last Modified: 2013-11-16
Dear all,

Our parent company has provided us with an IP VPN connection to their site. The PIX515 they sent us for this connection resides in our DMZ (10.19.0.x), and they require us to translate our inside (192.168.1.x) traffic to 10.199.0.x when going to their firewall.

So I need to find the best way to NAT the traffic towards them to their preferred IPs while keeping the DMZ working fine, because I need to move the Exchange server there next week, and without affecting the NATted traffic going to the outside.



      outside
          |                                    
    <PIX515> - dmz - <PIX515> - IP VPN  
          |
      inside

Any help or advice would be appreciated.

Thanks
Question by:kingging
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 1500 total points
ID: 13528352
You can use an access-list combined with a global and nat statement...
where: <remote IP subnet> = LAN on the other end of the VPN tunnel
This is on YOUR pix:

access-list parentvpn permit ip 192.168.1.0 255.255.255.0 <remote IP subnet> <mask>
nat (inside) 2 access-list parentvpn
global (dmz) 2 10.199.0.X


> DMZ (10.19.0.x)
> traffic to 10.199.0.x
I have to assume that one of those is a typo and that both are 10.199.0.x ? or both are 10.19.0.x?
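To see what those three lines do to a given flow, here is a small model of how a PIX 6.x picks a source translation (an added example, not code from lrmoore or the original thread). The remote VPN LAN (172.16.50.0/24), the .X host (10.199.0.5), the nat 0 exemption that keeps inside-to-DMZ traffic untranslated and the outside PAT address are all assumptions.

```python
"""Model of PIX 6.x source-translation selection: exemption first, then policy
NAT with an access-list, then plain dynamic NAT. Constructed example config."""
import ipaddress


def _net(cidr):
    return ipaddress.ip_network(cidr)


# Constructed access-lists as (source network, destination network) entries.
ACCESS_LISTS = {
    # access-list parentvpn permit ip 192.168.1.0 255.255.255.0 <remote IP subnet> <mask>
    "parentvpn": [(_net("192.168.1.0/24"), _net("172.16.50.0/24"))],  # remote LAN assumed
    # assumed nat 0 exemption so inside <-> DMZ traffic keeps flowing untranslated
    "nonat": [(_net("192.168.1.0/24"), _net("10.19.0.0/24"))],
}
# (ingress interface, nat id, access-list or None) in PIX evaluation order.
NAT_RULES = [
    ("inside", 0, "nonat"),          # assumed: nat (inside) 0 access-list nonat
    ("inside", 2, "parentvpn"),      # nat (inside) 2 access-list parentvpn
    ("inside", 1, None),             # assumed baseline: nat (inside) 1 0 0
]
# (egress interface, nat id) -> translated source address.
GLOBALS = {
    ("dmz", 2): "10.199.0.5",        # global (dmz) 2 10.199.0.X  (X = 5 assumed)
    ("outside", 1): "203.0.113.1",   # assumed existing global (outside) 1 for Internet PAT
}


def acl_permits(name, src, dst):
    return any(src in s and dst in d for s, d in ACCESS_LISTS[name])


def translate(src_ip, dst_ip, ingress_if, egress_if):
    """Return the translated source for the flow, the original address when the
    flow is exempt, or None when the PIX would log 'no translation group found'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for iface, nat_id, acl in NAT_RULES:
        if iface != ingress_if:
            continue
        if acl is not None and not acl_permits(acl, src, dst):
            continue
        if nat_id == 0:
            return str(src)                  # identity: no global statement needed
        # a matching nat id still needs a global on the interface the packet leaves by
        return GLOBALS.get((egress_if, nat_id))
    return None


if __name__ == "__main__":
    print(translate("192.168.1.10", "172.16.50.20", "inside", "dmz"))      # 10.199.0.5
    print(translate("192.168.1.10", "10.19.0.50", "inside", "dmz"))        # 192.168.1.10
    print(translate("192.168.1.10", "172.16.50.20", "inside", "outside"))  # None
```

The third call shows the check that matters operationally: the policy nat id matches, but without a global for that nat id on the actual egress interface the PIX drops the packet rather than falling back to another translation.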
 

Author Comment

by:kingging
ID: 13528386
Thanks for the reply, lrmoore (once again), but no, it is not a typo.

Does that cause issues?
 
LVL 79

Expert Comment

by:lrmoore
ID: 13529296
Interesting....

Do you control the VPN PIX? It would be easier to nat it there..

Can you post its config?


 

Author Comment

by:kingging
ID: 13529579
No I don't. It's a very big firm; they asked what the IP range was for my DMZ, so I told them 10.19.0.0 and that they could have 10.19.0.240 as the IP for the firewall, which they configured.

Then they told me to have the traffic NATted to 10.199.0.0 before it gets to their firewall, as they block everything else.

Should it work? Can it work? I would argue with the parent company, but they have 10 of me in every team in IT and they have a team for every possible thing (hardware purchase, hardware maintenance, hardware testing, hardware inventory, and the list goes on forever), so you would assume that the PIX firewall team would know what they are talking about.

So if I use the access list as mentioned before, will it work, or does the NATting have a problem with the DMZ IP range?

thanks again
 
LVL 79

Expert Comment

by:lrmoore
ID: 13529844
The access-list will work. You're defining traffic between your private inside subnet and their IP subnet, and only that traffic will be NATted. Traffic between your inside and the DMZ will continue to function as it is.
Typically, if I was in their shoes, I would expect to have traffic natted to the same subnet as the PIX's outside (your DMZ) subnet, not a different one.

If it doesn't work as planned, it's all on their end with routing issues and how they setup the VPN tunnel.