08-08-2002 04:18 AM - edited 03-02-2019 12:32 AM
I am trying to simulate in our lab an IPSec VPN tunnel. I have 3 Cisco routers all connected via a frame relay cloud. For test purposes all frame relay addresses are real IPs. The goal here is to establish a VPN tunnel between the two gateways, which in this case are firewalls that sit behind the routers.

The rub here is that to set up a VPN tunnel each remote gateway needs to point to a real IP address. What if the remote gateway (firewall) sits behind a router doing NAT? The NAT router would need a map statement to translate a real IP address and map it to a private IP address which is configured on the untrusted side of the remote gateway (firewall). In other words, the untrusted interface on the firewall is not a routable IP address; it is private. How do you simulate a floating address which is going to be advertised out on the network to the real world? Typically, an ISP will give a client multiple IP addresses which they can use, and they are all on the same subnet. The customer using NAT can just map a real IP address to the unit's (server, firewall, etc.) private IP address.

My question is: how do I create a floating address for outside users to get to? The address will be mapped to an internal private IP address, which in this case is a firewall that has a private IP address on its untrusted interface. I have tried secondary interfaces, null interfaces and loopback interfaces. Whenever I try to telnet to the firewall (it has the private IP address mapped to it via the router) the router answers the telnet session. I should be able to telnet directly to the untrusted interface of the firewall (it is configured to answer a telnet) without the router intercepting the telnet session. The map statement inside the router is correct (taken right off of CCO), but a loopback address mapped to the private address, secondary addresses, none of them seem to work.

I am trying to basically create an IPSec tunnel between two firewalls. One firewall has a real routable address on its untrusted interface and the other router has a private IP address on its untrusted interface. The router that has the privately addressed firewall is running NAT with a real IP address mapped to the untrusted interface on the firewall. I can't seem to recreate an address like an ISP would. Help!
08-19-2002 10:36 AM
Most firewalls can perform NAT so I'm curious why the router outside is performing the NAT instead. Regardless, you'll need another static NAT mapping for the tunnel end-point that maps to the true tunnel end point (your firewall I assume?). This will require an additional IP address from your SP. There's no way around this.
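The reply above describes a second, dedicated static mapping for the tunnel endpoint. As an added illustration (not configuration from either poster), this is what that looks like in Cisco IOS; the interface names and all addresses are constructed placeholders from the RFC 5737 documentation ranges, standing in for the ISP-assigned block and the firewall's private untrusted address.

```cisco
! Constructed example: ISP block 203.0.113.0/29 on the frame relay side,
! firewall untrusted interface at 192.168.1.2 on the inside.
interface Serial0/0
 ip address 203.0.113.1 255.255.255.248
 encapsulation frame-relay
 ip nat outside
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! One-to-one static mapping for the IPsec gateway. 203.0.113.2 is NOT
! assigned to any router interface, so the router never answers for it
! itself; it only translates and forwards. This is the "floating" address
! the remote IPsec peer points at.
ip nat inside source static 192.168.1.2 203.0.113.2
!
! Everything else on the inside shares the serial interface address via
! PAT. Static entries take precedence, so the firewall's own traffic is
! not overloaded onto 203.0.113.1.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface Serial0/0 overload
```

Verify with `show ip nat translations` after sending traffic to 203.0.113.2: the static entry should appear with the inside local 192.168.1.2, and a telnet from the far side should now be answered by the firewall rather than the router.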
08-20-2002 05:16 AM
Yes, most FWs can do NAT, but often they are interjected into the mix after the WAN is up and running. The issue is: how do you simulate in the lab a floating IP address from an ISP? ISPs will give you several IP addresses, which will be on the same subnet and incremental. In testing in the lab with Cisco IOS, the router answers instead of the device (in this case a firewall). The mapping statement is correct. In trying to simulate a floating address I used a secondary IP address on the serial interface which is in NAT overload. Any other type of virtual interface is on a different subnet (null, loopback, etc.) and hence won't work.

The firewall sits behind the router performing NAT, but when I telnet to the firewall, the router answers. Any workarounds?