Static NAT Issue

BCS-Tech
Level 1

FPM 1010 using FTD

Is there a way to do a static NAT from one office IP to another office IP through a Site-to-Site VPN tunnel?

We use a cloud provided software that prints to local printers using IP printing.
The cloud provider and our local office have a Site-to-Site VPN, so users can print to a 192.168.126.??? printer.
Cloud provider 172.156.XXX.XXX/28
Local office 192.168.126.0/24
VPN Remote  192.168.0.0/24

Our office is Site-to-Site VPN with our Remote office.

Our cloud provider cannot use 192.168.0.XXX to be able to print to one of our printers since that is already being used by another of their customers.

I would like to set up a printer in the cloud location to print to 192.168.126.90 and have that NATTED to 192.168.0.20.
Is this possible?

So far I have not been successful.

From the local office, I can ping 192.168.0.20, but cannot ping 192.168.126.90

Help
"Lost in Space"

36 Replies

Hello
Where are these NAT domains applied that you are showing in that image? My understanding of your topology is based on your original post; as such, the NAT should be performed on the main site rtr, where you have access to both sites via VPN sessions?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello
Can we step back a little - confusion is rising - lol

My understanding is the fw is providing just the transit path (underlay) between all 3 sites and the vpns are the overlay, meaning:

Main site <vpn1> Cloud
192.168.126.0/24 <via vpn1>172.18.x.x

Main site <vpn2> remote office
192.168.126.0/24 <via vpn2>192.168.0.0/24 (192.168.0.20 - printer)



Kind Regards
Paul

BCS-Tech
Level 1

All routing is being done in the FPM1010.  This is the only device that has access to all 3 networks.

Local 192.168.126.0/24
Remote 192.168.0.0/24
cloud printer 172.156.xxx.xxx

Check my notes in your topology 

MHM

Hello


@BCS-Tech wrote:

All routing is being done in the FPM1010.  This is the only device that has access to all 3 networks.

Local 192.168.126.0/24
Remote 192.168.0.0/24
cloud printer 172.156.xxx.xxx


Completely not what was confirmed previously, the confusion is in the OP topology "vpn to both locations > pointing to the main office

Anyway, now this has been established, you are CORRECT, the NAT has to be completed on the fw.
You have two options:

1)
nat outside <> nat inside (so the outside global address 172.156.x.x will be seen internally as an outside local address 192.168.126.90)

so internally from the remote office if you ping 192.168.129.90 you will reach the 172.156.x.x host

2)
nat inside local <> nat inside global (so 192.168.0.20 will be seen and available externally from any host via 192.168.126.90)

It's the latter that I propose, and to do this you require two NAT domains on the FW:
nat outside <applied towards the cloud network>
nat inside <applied towards the remote network>

ip nat inside source static 192.168.0.20 192.168.126.90
(you may require a static route at the remote office for 172.156.x.x just to allow the return traffic to hit the FW)





Kind Regards
Paul
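
An added illustration of option 2 from the reply above (not part of Paul's post and not firewall configuration): a small Python model of how the static mapping rewrites a print job in each direction, and why the remote office may need a route back toward the firewall. `CLOUD_HOST` is a constructed stand-in because the thread masks the provider's 172.156.x.x addresses, and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses taken from the thread. CLOUD_HOST is a constructed placeholder
# (documentation range) because the provider's 172.156.x.x/28 is masked.
PRINTER_REAL = ipaddress.ip_address("192.168.0.20")      # inside local
PRINTER_MAPPED = ipaddress.ip_address("192.168.126.90")  # inside global
REMOTE_NET = ipaddress.ip_network("192.168.0.0/24")
CLOUD_HOST = ipaddress.ip_address("198.51.100.5")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def to_remote(pkt):
    """Cloud -> remote office: mapped destination becomes the real printer."""
    return replace(pkt, dst=PRINTER_REAL) if pkt.dst == PRINTER_MAPPED else pkt


def to_cloud(pkt):
    """Remote office -> cloud: real printer source becomes the mapped address."""
    return replace(pkt, src=PRINTER_MAPPED) if pkt.src == PRINTER_REAL else pkt


def remote_needs_route(pkt):
    """True when a packet leaving the remote LAN is addressed off-subnet,
    so the remote office must have a route for it toward the firewall."""
    return pkt.dst not in REMOTE_NET


def print_job_round_trip():
    request = Packet(CLOUD_HOST, PRINTER_MAPPED)   # what the provider sends
    delivered = to_remote(request)                 # what the printer receives
    reply = Packet(delivered.dst, delivered.src)   # printer answers the source
    returned = to_cloud(reply)                     # what the provider sees
    return delivered, reply, returned


if __name__ == "__main__":
    for label, pkt in zip(("delivered", "reply", "returned"), print_job_round_trip()):
        print(f"{label:9} {pkt.src} -> {pkt.dst}")
```

Only the destination is rewritten on the way in, so the printer still sees the cloud source address; that is the case the static route comment in the reply covers.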

Any update?

MHM

BCS-Tech
Level 1

Thanks for all the help, but in the long run, I think this approach was going to be a lot more cumbersome than I originally thought it would be.  We are going to the trouble of changing the inside network ip to allow a direct vpn connection to the print provider from the remote site.

Again, thanks for all the help