lowridergvg asked:

PIX 515 DNAT Question

Ladies and Gentlemen,

I have a situation:

Cisco PIX 515 serving as Internet firewall at a central site for 5 branch offices.

10.1.1.0
10.1.2.0
10.1.3.0
10.1.4.0
10.1.5.0

All are /24 subnets

One machine in each subnet needs to communicate through VPN to a service provider at 10.90.1.12.
This is accomplished by source NAT from each subnet machine to the DMZ interface, to another VPN (Cisco) device.

10.1.1.200 becomes 192.168.254.12
10.1.2.200 becomes 192.168.254.13
10.1.3.200 becomes 192.168.254.14
10.1.4.200 becomes 192.168.254.15
10.1.5.200 becomes 192.168.254.16

This is all working in a production environment.

Problem:
New network provider for new Branch.

New Branch network provider is Site-to-Site VPN over outside interface (Internet).

The destination address (interesting traffic) 10.90.1.12 (our destination for the application) on our side, or more at issue 10.90.0.0/16, conflicts with their (network provider) internal network.

Mitigation:  

I instructed them to program their equipment to send to 172.16.1.1 and I would dNAT the destination to 10.90.1.12.

I need to NAT the Destination address of the packet that is coming into the PIX via a tunnel on the outside interface.

The packet has a destination of 172.16.1.1 and I need to send it to 10.90.1.12 on the DMZ interface.

HELP!  

I have 27 hours into trying to do this.  I have 3 hairs left to pull.  Destination NAT after/on VPN....

Thank you in advance,

Merry Weekend  :)

ASKER CERTIFIED SOLUTION
SkykingOH

This solution is only available to members.
lowridergvg (ASKER):

SkykingOH

Thank you for your timely response.  I apologize for not responding earlier.

Your response will be helpful.  

I will look at my configuration.  I may need to post a "vanilla" version of my configuration file.  I think it is referred to now as "Sanitized".

The sequence says it all...

I will get back to you after the Holiday.

Happy Weekend :)

The only thing you need to sanitize is public IP's, passwords (even encrypted ones) and encryption keys.
SkykingOH is spot on.

#2 of the answer was the problem.  Static NAT.  
Someone (who shall remain nameless to protect the guilty) did not NAT the outside interface to the inside DMZ address.  Thank you so much for setting me back and making me look at it from the beginning to end.

I am waiting for the final confirm, but I believe the link is up and passing traffic.
Good exercise to go back to the "duh" on my part.  Great to know other pros develop "brainlock".  A fresh set of eyes, or just someone telling you what you already know, will shake the "brainlock" out of the problem.

Very red faced about my last comment; is there a close rock to crawl under?
It was supposed to say:
Good exercise to go back to the "duh" on my part.  Great to know other pros recognize "brainlock".  A fresh set of eyes, or just someone telling you what you already know, will shake the "brainlock" out of the problem.
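The fix the asker arrives at (a static translation between the outside and DMZ interfaces so that 172.16.1.1 arriving from the tunnel becomes 10.90.1.12) written out as an added PIX 6.x configuration fragment; this is not from the thread or its members-only solution. The interface names (outside/dmz), the provider's remote network 10.200.0.0/16, the DMZ VPN device address 192.168.254.1 and the ACL names are assumptions.

```cisco
! Added example, not the thread's own configuration.
! Assumptions: PIX 6.x syntax; interfaces named outside and dmz;
! provider network 10.200.0.0/16 and DMZ VPN device 192.168.254.1 are
! placeholders; ACL names are made up.
!
! Destination NAT for the new branch: a packet decrypted from the tunnel
! with destination 172.16.1.1 is untranslated to 10.90.1.12 and sent out
! the dmz interface. The same static rewrites the source of replies from
! 10.90.1.12 back to 172.16.1.1 before they are encrypted.
static (dmz,outside) 172.16.1.1 10.90.1.12 netmask 255.255.255.255
!
! The real address lives behind the VPN device on the DMZ, so route it there.
route dmz 10.90.0.0 255.255.0.0 192.168.254.1 1
!
! Interesting traffic for the site-to-site tunnel, written with the mapped
! address: on the PIX, translation happens before encryption, so the crypto
! ACL must match 172.16.1.1, not 10.90.1.12. The provider mirrors this
! ACL on their side (their hosts -> host 172.16.1.1), which is why the
! 10.90.0.0/16 overlap with their internal network no longer matters.
access-list provider_vpn permit ip host 172.16.1.1 10.200.0.0 255.255.0.0
!
! Inbound permit on the outside interface; on PIX 6.x an interface ACL
! matches the mapped (global) address. With "sysopt connection permit-ipsec"
! decrypted IPsec traffic bypasses this ACL, so it is only needed without it.
access-list outside_in permit ip 10.200.0.0 255.255.0.0 host 172.16.1.1
access-group outside_in in interface outside
```

Verifying with "show xlate" after the first packet should show 172.16.1.1 paired with 10.90.1.12; if the provider sees no replies, check that their crypto ACL and yours are exact mirrors of each other.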