the customer is trying to avoid all routing on his own network, therefore he hides all outgoing traffic behind 192.168.1.254, which is drectly connected to

his own firewall. If he has a source address of 192.168.1.254 and a destination address of 192.168.1.11, then he has no need to apply any routing because it is all directly connected.

This means that FW2 has all the work to do.   He has to take the address of 192.168.1.11 on the outside and NAT it to 10.50.1.11 on the inside.

The server they are trying to connect to on the other side of the MPLS cloud is 172.16.1.1 is only allowed to accept a source address of 10.50.1.11

Basically the customer wants to connect to 172.16.1.1, source address 10.50.1.11 (NAT from 192.168.1.11)

Hope that helps

Many thanks for taking the time to look at this problem

Keith

Sorry, but isn't it easier to PAT all traffic from source 10.1.1.0/24 destined for 172.16.1.1 directly to 10.50.1.11?

I don't quite understand why you have to triple NAT the traffic from 10.1.1.0/24?

At the moment, if I understand you, you are trying to:

PAT from 10.1.1.0/24 to 192.168.1.254 then somehow NAT again to 192.168.1.11 and again to 10.50.1.11

Why not PAT directly from 10.1.1.0/24 to 10.50.1.11?

Yes, you are right of course, unfortunately, both customers have the same network ranges, so therefore we have to NAT to an address that is acceptable to both. The customer uses the transition network of 192.168.1.0/24 for all external connections.

You definitely can't NAT to FW1 outside interface (192.168.1.254) then NAT it again within the same network to 192.168.1.11.

You can NAT it directly to 192.168.1.11 on FW1 and then NAT it to 10.50.1.11 on FW2.

FW1:

access-list nat-to-server permit ip 10.1.1.0 255.255.255.0 host 172.16.1.1

nat (inside) 1 access-list nat-to-server

global (outside) 1 192.168.1.11

FW2:

static (outside,inside) 10.50.1.11 192.168.1.11 netmask 255.255.255.255

You would need to configure the ACL accordingly, and also "clear xlate" on both FW aftre the above. I believe it should work.

unfortunately, I have no control over the configuration on FW1, this device belongs to the customer. I only have control over FW2.  When I observe traffic on FW 2, I can see a source address of 192.168.1 254 and a destination of 192.168.1.11 but no translation to 10.50.1.11 at all.

I tried policy NAT with the following statement

access-list outside_nat_outbound line 1 extended permit ip 192.168.1.11 host 172.16.1.1

!

nat (outside) 1 access-list outside_nat_outbound

!

global (Inside) 1 10.50.1.11 netmask 255.255.255.255

but this didn't appear to work either.

many thanks for you assistance with this issue.

many thanks for the information, I have now solved the issue - the fix being extremely similar to your recommendation except I used a static policy NAT.  Your input has been extremely beneficial in helping me resolve the problem. Thank you for taking the time to  look at this for me.

regards

Keith Newbould  |  Lead Technical Specialist - Networks | Technical & Resolver Group | UK Service Operations | BT Global Services |

This electronic message contains information from British Telecommunications plc which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email ( to the numbers or address above) immediately.

Activity and use of the British Telecommunications plc e-mail system is monitored to secure its effective operation and for other lawful business purposes. Communications using this system will also be monitored and may be recorded to secure effective operation and for other lawful business purposes.

British Telecommunications plc. Registered office:81 Newgate Street London EC1A 7AJ. Registered in England no 1800000

Great to hear, Keith. Thanks for the ratings.