topic Re: Question regarding a use of static in Network Security

Question regarding a use of static

azore2007 — Mon, 11 Mar 2019 11:49:49 GMT

Situation:

I have a VPN connection to another company where they get connection to the following hosts

192.168.14.2

192.168.14.3

Now, I have another company that needs access to these hosts also, but they have the same IP-range in use in their network. So I'm gonna use static and put my two hosts on my DMZ1 which has public IP's instead.

static (inside,dmz1) 111.111.111.111 192.168.14.2

static (inside,dmz1) 111.111.111.112 192.168.14.2

This will put both my hosts in global "mode" in the firewall..

Question is, will this break my old VPN tunnel to the other company? If they try to reach 192.168.14.2, will the firewall stop them or something? Or will it also work?

Thank you

Re: Question regarding a use of static

michelcaissie — Thu, 17 Jan 2008 21:42:15 GMT

It can work without problems ;

Since your "nat (inside) 0" have precedence over the static statement, traffic for the first tunnel will be nonated , routed on your outside or dmz1 interface where it will trigger the crypto engine.

Traffic for the 2nd tunnel will get nated , then routed on your dmz1 interface where it will trigger the crypto engine.

One thing to check is that your crypto-acl for the second tunnel must use the translated addresses as the source. Remember that the natting occurs before the crypting.

Also, i don't have your complete config , but if the default gateway oy your PIX is on the outside interface , you will need 2 routes on your dmz1 interface. One for the VPN peer IP , and also one for the peer internal subnet.

Re: Question regarding a use of static

azore2007 — Fri, 18 Jan 2008 10:40:24 GMT

Thanks, that helped.