We have two firewalls in our network. The internal firewall is an FWSM with an inside and an outside interface, and all of the NAT is performed on the FWSM. The DMZ sits on the external firewall and uses all public addresses.
I am in the process of putting a VPN concentrator on the DMZ for remote access. The address pool for the VPN clients will also be public IPs, carved out of the DMZ subnet. The VPN clients need to access several 10-net private-IP servers, and it is not possible to do a static NAT.
When clients VPN in, they have to be able to reach the 10-net servers. But the FWSM NATs all 10-net traffic, so the 10-net does not exist beyond the FWSM.
How can I manipulate NAT and routing so that I can access the 10-net servers?
Any help would be appreciated.
What does the FWSM config / NAT config for the 10-net look like?
Depending on the config, you may or may not be able to do that. I need to have a look at the FWSM's config first.
The current NAT on the FWSM is as follows:
All 10-net addresses are NATed to public addresses, where some are static NAT, some are dynamic NAT and some are PAT.
Dynamic NAT has x.x.216.31 through 250 and x.x.217.31 through 250. All port 80 and 443 traffic from the 10-net gets a PAT address of x.x.216.251 or x.x.217.251. We also have x.x.216.252 through 254 for PAT for non-web-port traffic.
So, here is my NAT config:
! policy NAT: web traffic (matched by Web_Outbound) uses nat ID 1
nat (inside) 1 access-list Web_Outbound
! regular NAT: everything else from the 10-net uses nat ID 2
nat (inside) 2 10.0.0.0 255.0.0.0
! PAT addresses for nat ID 1 (web)
global (outside) 1 x.x.216.251
global (outside) 1 x.x.217.251
! dynamic pools for nat ID 2, then single PAT addresses used once the pools are exhausted
global (outside) 2 x.x.216.31-x.x.216.250
global (outside) 2 x.x.217.31-x.x.217.250
global (outside) 2 x.x.216.252
global (outside) 2 x.x.216.253
global (outside) 2 x.x.216.254
! traffic selected for policy NAT (nat ID 1)
access-list Web_Outbound permit tcp 10.0.0.0 255.0.0.0 any eq 80
access-list Web_Outbound permit tcp 10.0.0.0 255.0.0.0 any eq 443
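To see why the posted config hides the 10-net from the VPN clients, and what a NAT exemption would change, here is an added Python model of how an FWSM/PIX-style firewall picks a NAT rule for a packet leaving the inside interface (exemption via `nat 0 access-list` first, then policy NAT in configuration order, then regular NAT by most specific source network, then a `global` entry for the winning nat ID). This is example code written for this thread, not the poster's config or anything from the FWSM itself. Because the public ranges are masked as x.x.216.0/24 and x.x.217.0/24, the model substitutes the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.0/24 for them, and it assumes a VPN client pool of 192.0.2.128/26 and an exemption ACL named VPN_Exempt; both are assumptions, not details from the thread.

```python
"""Model of FWSM NAT rule selection: nat 0 exemption > policy NAT > regular NAT.

Public ranges from the thread are masked (x.x.216/24, x.x.217/24); the model
uses 203.0.113.0/24 and 198.51.100.0/24 in their place and ASSUMES a VPN client
pool of 192.0.2.128/26 (all RFC 5737 documentation space).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass
class Ace:
    """One 'access-list NAME permit <proto> <src> <dst> [eq <port>]' line."""
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


@dataclass
class NatRule:
    nat_id: int
    acl: Optional[list] = None      # 'nat (inside) N access-list NAME' (N=0 is exemption)
    src_net: Optional[str] = None   # 'nat (inside) N a.b.c.d mask' (regular NAT)


class Fwsm:
    def __init__(self) -> None:
        self.rules: list[NatRule] = []            # nat statements in config order
        self.globals: dict[int, list[str]] = {}   # nat_id -> global entries in config order
        self.in_use: set = set()                  # dynamic-pool addresses already handed out

    def nat(self, nat_id, acl=None, src_net=None):
        self.rules.append(NatRule(nat_id, acl, src_net))

    def global_(self, nat_id, entry):
        """entry is 'a.b.c.d' (PAT address) or 'a.b.c.d-e.f.g.h' (dynamic pool)."""
        self.globals.setdefault(nat_id, []).append(entry)

    def select_rule(self, pkt):
        # 1. NAT exemption wins over everything
        for r in self.rules:
            if r.nat_id == 0 and r.acl and any(a.matches(pkt) for a in r.acl):
                return r
        # 2. policy NAT, first match in config order
        for r in self.rules:
            if r.nat_id != 0 and r.acl and any(a.matches(pkt) for a in r.acl):
                return r
        # 3. regular NAT, most specific source network wins
        best = None
        for r in self.rules:
            if r.src_net and ip_address(pkt.src) in ip_network(r.src_net):
                if best is None or ip_network(r.src_net).prefixlen > ip_network(best.src_net).prefixlen:
                    best = r
        return best

    def translate(self, pkt):
        """Return (action, source address as seen on the outside interface)."""
        rule = self.select_rule(pkt)
        if rule is None:
            return ("dropped", None)   # nat-control: no nat statement covers this source
        if rule.nat_id == 0:
            return ("exempt", pkt.src)
        pat_fallback = None
        for entry in self.globals.get(rule.nat_id, []):
            if "-" in entry:           # dynamic pool: lowest free address
                first, last = entry.split("-")
                for net in summarize_address_range(ip_address(first), ip_address(last)):
                    for addr in net:
                        if str(addr) not in self.in_use:
                            self.in_use.add(str(addr))
                            return ("dynamic", str(addr))
            elif pat_fallback is None: # single address: PAT, used once pools are exhausted
                pat_fallback = entry
        return ("pat", pat_fallback) if pat_fallback else ("dropped", None)


def posted_config() -> Fwsm:
    """The NAT config from the thread with documentation ranges in place of x.x.216/x.x.217."""
    fw = Fwsm()
    web = [Ace("10.0.0.0/8", "0.0.0.0/0", "tcp", 80), Ace("10.0.0.0/8", "0.0.0.0/0", "tcp", 443)]
    fw.nat(1, acl=web)                 # nat (inside) 1 access-list Web_Outbound
    fw.nat(2, src_net="10.0.0.0/8")    # nat (inside) 2 10.0.0.0 255.0.0.0
    fw.global_(1, "203.0.113.251")     # global (outside) 1 x.x.216.251
    fw.global_(1, "198.51.100.251")    # global (outside) 1 x.x.217.251
    fw.global_(2, "203.0.113.31-203.0.113.250")
    fw.global_(2, "198.51.100.31-198.51.100.250")
    for host in (252, 253, 254):
        fw.global_(2, f"203.0.113.{host}")
    return fw


VPN_POOL = "192.0.2.128/26"   # ASSUMED client pool carved out of the DMZ subnet


def with_exemption() -> Fwsm:
    """Posted config plus an ASSUMED 'nat (inside) 0 access-list VPN_Exempt' covering the pool."""
    fw = posted_config()
    fw.nat(0, acl=[Ace("10.0.0.0/8", VPN_POOL)])   # permit ip 10.0.0.0 255.0.0.0 <pool>
    return fw
```

With the posted rules a 10-net server answering a VPN client is translated to a pool or PAT address exactly like Internet-bound traffic, so the client never sees the 10-net. The exemption makes packets between the 10-net and the client pool leave the outside interface untranslated; it only helps if the concentrator also has a route for 10.0.0.0/8 pointing at the FWSM outside interface and the FWSM a route for the pool pointing at the concentrator, which is the routing half of the question.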