11-21-2006 03:31 PM - last edited on 03-25-2019 05:36 PM by ciscomoderator
Hi all,
We have 2 firewalls in our network. The internal firewall is a FWSM with inside and outside interface and all the NAT is performed on the FWSM. The DMZ exists on the external firewall. DMZ uses all public addresses.
I am in the process of putting a VPN concentrator on the DMZ for remote access. The address pool for VPN clients will also be a public IP which is carved out of the DMZ subnet. The VPN clients need to access several 10-net private IP servers and it is not possible to do a static NAT.
When clients VPN in, they have to be able to access the 10-net servers. But FWSM NATs all 10-net traffic and so the 10-net does not exist beyond the FWSM.
How can I manipulate NAT and routing so that I can access the 10-net servers?
Any help would be appreciated.
11-22-2006 03:53 PM
What does the FWSM config / NAT config for the 10-net look like?
Depending on the config, you may or may not be able to do that. Need to have a look at the FWSM's config first.
HTH
AK
11-22-2006 08:40 PM
The current NAT on the FWSM is as follows:
All 10-net addresses are NATed to public addresses, where some are static NAT, some are dynamic NAT and some are PAT.
Dynamic NAT has x.x.216.31 through 250 and x.x.217.31 through 250. All port 80 and 443 traffic from the 10-net gets a PAT address of x.x.216.251 or x.x.217.251. We also have x.x.216.252 through 254 for PAT for non-web port traffic.
So, here is my NAT config:
nat (inside) 1 access-list Web_Outbound
nat (inside) 2 10.0.0.0 255.0.0.0
global (outside) 1 x.x.216.251
global (outside) 1 x.x.217.251
global (outside) 2 x.x.216.31-x.x.216.250
global (outside) 2 x.x.217.31-x.x.217.250
global (outside) 2 x.x.216.252
global (outside) 2 x.x.216.253
global (outside) 2 x.x.216.254
access-list Web_Outbound permit tcp 10.0.0.0 255.0.0.0 any eq 80
access-list Web_Outbound permit tcp 10.0.0.0 255.0.0.0 any eq 443
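The thread stops before a configuration is worked out. The following is an added example, not the poster's config and not a Cisco-supplied answer: on a FWSM/PIX running this `nat (inside) N` style of syntax, the usual way to let the VPN pool reach the 10-net is to exempt 10-net traffic bound for the pool from the dynamic NAT with a `nat 0 access-list` (NAT exemption), permit the pool's inbound flows on the outside interface, and give the FWSM a route to the 10-net. `<VPN_POOL>`, `<VPN_POOL_MASK>`, `<INSIDE_NEXT_HOP>` and the ACL names are placeholders; the pool prefix itself is not given in the thread.

```cisco
! Added example, not from the thread above. <VPN_POOL>/<VPN_POOL_MASK> is the
! public address pool carved out of the DMZ subnet; <INSIDE_NEXT_HOP> is the
! router on the FWSM inside interface that reaches the 10-net.
!
! 1. NAT exemption: 10-net traffic whose destination is the VPN pool is passed
!    unchanged. nat 0 with an ACL takes precedence over nat 1/2, so these flows
!    bypass the Web_Outbound PAT and the dynamic pools defined above, and the
!    10-net server addresses become visible to the VPN clients.
access-list VPN_NoNAT permit ip 10.0.0.0 255.0.0.0 <VPN_POOL> <VPN_POOL_MASK>
nat (inside) 0 access-list VPN_NoNAT
!
! 2. The outside interface denies inbound connections by default; permit only the
!    VPN pool toward the 10-net. Narrow this to the specific servers and ports the
!    remote users actually need rather than the whole /8.
access-list Outside_In permit ip <VPN_POOL> <VPN_POOL_MASK> 10.0.0.0 255.0.0.0
access-group Outside_In in interface outside
!
! 3. The FWSM needs a route to the 10-net on its inside side.
route inside 10.0.0.0 255.0.0.0 <INSIDE_NEXT_HOP>
!
! Verification: confirm the exemption rule is installed and watch the VPN
! client connections being built.
show nat
show conn
```

Two things outside the FWSM also have to hold, and the thread does not say whether they do: the external firewall and the DMZ routing must forward 10.0.0.0/8 toward the FWSM outside address (otherwise packets from the pool never arrive), and the external firewall must allow the pool-to-10-net traffic in both directions. Keeping `Outside_In` limited to the named servers and ports is what prevents the VPN pool from becoming a path to the entire internal network.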