Static NAT Issue

BCS-Tech
Level 1

FPM 1010 using FTD

Is there a way to do a static NAT from one office IP to another office IP through a Site-to-Site VPN tunnel?

We use a cloud provided software that prints to local printers using IP printing.
The cloud provider and our local office have a Site-to-Site VPN, so users can print to a 192.168.126.??? printer.
Cloud provider 172.156.XXX.XXX/28
Local office 192.168.126.0/24
VPN Remote  192.168.0.0/24

Our office is Site-to-Site VPN with our Remote office.

Our cloud provider cannot use 192.168.0.XXX to be able to print to one of our printers since that is already being used by another of their customers.

I would like to setup a printer in the cloud location to print to 192.168.126.90 and have that NATTED to 192.168.0.20.
Is this possible?

So far I have not been successful

From the local office, I can ping 192.168.0.20, but cannot ping 192.168.126.90

Help
"Lost in Space"

 

36 Replies

Hello
So just to clarify, your printer resides locally at 192.168.126.90 and you would like to NAT this so the ISP can see it as a 192.168.0.x host, correct?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

The printer I want to print to (192.168.0.20) is not on the local network of 192.168.126.0. It is on the remote VPN network of 192.168.0.0. I want the cloud provider's print server to see it as 192.168.126.90.

BCS-Tech
Level 1

Does this help?

Network.JPG

Hello
By the looks of it, the remote office has a local connection to that printer, so for the main office to be able to reach it via a NAT translation, whatever address is used for that translation needs to be routable towards the remote office. However, what you cannot do is use another site's IP range that they own for that translation.

remote office = 192.168.0.0
remote printer = 192.168.0.20
main office = 192.168.126.0

So if the main office cannot use 192.168.0.20 to reach the remote office printer, it requires "another" address to be able to reach it, and to accomplish that, a static NAT will need to be done at the remote office for printer 192.168.0.20.

As stated, you can use "any" address; it doesn't need to reside on any interface at the remote office rtr, it just needs to be reachable to the remote office from external hosts and obviously free to use.

So what you could do is:

  • obtain a free ip address that could be assigned to the remote office and the printer and use that to nat,
  • create a static host route at the main office pointing towards the remote office for this new ip
  • create a static nat statement on the remote office rtr for the printer<>new ip


Kind Regards
Paul

BCS-Tech
Level 1

A direct connection to the 192.168.0.20 printer is already working through the vpn tunnel "main --> remote office".

What I am trying to setup is an IP printer connection for the "cloud print server" (172.18.xx) to be able to print to 192.168.0.20. Since 192.168.0.20 is not on the same network as the FPM 1010 local network 192.168.126.0, then some type of natting/routing needs to be done in the firewall.  But you are saying the natting needs to be done at the remote office (192.168.0.0).  This does not make sense to me.  172.18.x.x cannot reach 192.168.0.0 without internal routing being done in the FPM 1010.

Am I correct?

Network (1).JPG

Note: the ACL I mention is added to the VPN between the main and remote office.

MHM

Hello @BCS-Tech ,

As an alternative approach you can add an IPSec phase 2 between cloud 172.18.x.x and the remote office 192.168.0.0/24 on the VPN between HQ and cloud, and you can add network 172.18.x to 192.168.0.0/24 in the VPN between HQ and remote office; in this way you would not need any NAT.

And as noted by @MHM Cisco World, you cannot test the static NAT from the HQ subnet.

Hope to help

Giuseppe

 

Hello


@BCS-Tech wrote:

What I am trying to setup is an IP printer connection for the "cloud print server" (172.18.xx) to be able to print to 192.168.0.20


Let me try to explain this another way:
You have a printer 192.168.0.20 and externally you would like this to be connected to via "another" external IP address from the cloud provider network, correct? Now if I have this wrong then apologies in advance; if I'm correct then....

As I see it, you need to NAT that 192.168.0.20 to "another IP" that is reachable externally over the VPN path. Now if the remote office printer is not reachable directly but is reachable via the main office, then you could NAT from the main office using a reachable address that the cloud provider network can access.



Kind Regards
Paul

BCS-Tech
Level 1

Paul, you are correct.

192.168.0.20 is not reachable from 172.18.XXX. But even if it was, a 192.168.0.X IP address cannot be used since this block of IP addresses (192.168.0.0/24) is already being used by the "cloud print server" by another customer of theirs.

But any IP address in the 192.168.126.0/24 network is accessible and usable by the "cloud print server". So that is why I "think" I need a NAT in the FPM1010 firewall to go from, say, 192.168.126.90 -> 192.168.0.20. That way, the "cloud print server" can send a print job to 192.168.126.90 and the firewall reroutes it to 192.168.0.20 through the local VPN. This is the part I can't get my head around. I think I need a NAT and a route. But the route requires a gateway. What would be the gateway in this instance? The normal outbound gateway of the FPM, since the route to 192.168.0.0/24 is on the outside interface anyway?

Hello


@BCS-Tech wrote:
any IP address in the 192.168.126.0/24 network is accessible and useable by the 'cloud print server".  So that is why I "think" I need a NAT in the FPM1010 firewall to go from say 192.168.126.90->192.168.0.20.  That way, the "cloud print server" can send a print job to 192.168.126.90, the firewall reroute it to 192.168.0.20 through the local VPN.  This is the part I can't get my head around.  I think I need a NAT and a route.  But the route requires gateway. 

pauldriver_1-1725495551040.png

You would be able to NAT from the FW IF it had a connection to the remote office that the cloud site could use; however, based on your OP the only place that has a connection to both sites is the main office ("VPN to both locations").

So look at it from the main office perspective:
Cloud = VPN 1
Remote office = VPN 2

EDITED
main office rtr
int tun12
 description vpn1 -cloud
 ip nat outside
!
int tun13
 description vpn2-remote office
 ip nat inside
!
! remote office subnet is reached via the remote-office tunnel
ip route 192.168.0.0 255.255.255.0 tun13 <remote office tun13 ip>
! cloud sends to 192.168.126.90; destination is translated to 192.168.0.20 and routed via tun13
ip nat inside source static 192.168.0.20 192.168.126.90

remote office
! return route for the translated address back towards the main office
ip route 192.168.126.0 255.255.255.0 tun13 <main office vpn ip>



Kind Regards
Paul

BCS-Tech
Level 1

BCSTech_1-1725550821787.png

Now I am confused. I have done a lot of static NATs before for mail servers and web sites, but these have all been inside to outside.
But the above seems to be backwards to me, since the local network is 192.168.126.0/24 and the FW is 192.168.126.254.

And a static NAT has up to 10 options for information, can you be more specific?

Original Packet
     Source Interface
     Source Address
     Source Port  (ANY)
     Destination Address
     Destination Port  (ANY)

Translated Packet
     Source Interface
     Source Address
     Source Port  (ANY)
     Destination Address
     Destination Port  (ANY)

 

Thanks for the help

Hello


@BCS-Tech wrote:

BCSTech_1-1725550821787.png

Now I am confused. I have done a lot of static NATs before for mail servers and web sites, but these have all been inside to outside.
But the above seems to be backwards to me, since the local network is 192.168.126.0/24 and the FW is 192.168.126.254.


TBH, I've edited this again after your last post, as my initial cfg was correct. The static NAT should be as follows, if my understanding of your topology is correct:

ip nat inside source static 192.168.0.20 192.168.126.90


Kind Regards
Paul

Here is my current configuration

Route in FW for 192.168.0.0/24 -> Outside ip address of remote office VPN

At the remote office
route 192.168.126.0/24 -> Outside IP address of Main office VPN (the FW)

Here is an image of my NAT

BCSTech_0-1725564336971.png

I would like to test, but correct me if I am wrong: I don't think I can ping 192.168.126.90 from a computer at either of the two locations, since 192.168.126.90 does not really exist internally. But if someone at the cloud printer location pinged 192.168.126.90, the FW will reroute the incoming connection to 192.168.0.20 and the ping should work?

I hope!!!
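A small model, added here and not code from Paul, Cisco or the thread, of how the static NAT in Paul's main-office config and the ping question in the last post play out. It assumes tun12 is the cloud tunnel (nat outside), tun13 the remote-office tunnel (nat inside), the main-office LAN interface has no NAT role, and the cloud network is 172.18.0.0/16:

```python
from ipaddress import ip_address, ip_network

# Static NAT entry from Paul's config: inside local <-> inside global.
INSIDE_LOCAL, INSIDE_GLOBAL = "192.168.0.20", "192.168.126.90"

# NAT role per interface. The main-office LAN interface having no NAT role
# and the cloud network being 172.18.0.0/16 are assumptions for this model.
NAT_ROLE = {"tun12": "outside", "tun13": "inside", "lan": None}
ROUTES = {
    "192.168.0.0/24": "tun13",    # remote office via VPN 2 (Paul's static route)
    "192.168.126.0/24": "lan",    # main-office LAN, connected
    "172.18.0.0/16": "tun12",     # cloud via VPN 1 (assumed prefix)
}


def route(dst):
    """Longest-prefix match; returns the egress interface or None."""
    best = None
    for prefix, iface in ROUTES.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def forward(ingress, src, dst):
    """Return (src, dst, egress) after NAT in IOS order of operations:
    outside->inside translates the destination before routing,
    inside->outside routes first and then translates the source."""
    if NAT_ROLE[ingress] == "outside":
        if dst == INSIDE_GLOBAL:
            dst = INSIDE_LOCAL        # cloud -> 192.168.126.90 is rewritten to the printer
        return src, dst, route(dst)
    egress = route(dst)
    if NAT_ROLE[ingress] == "inside" and NAT_ROLE.get(egress) == "outside" and src == INSIDE_LOCAL:
        src = INSIDE_GLOBAL           # printer's reply leaves VPN 1 as 192.168.126.90
    return src, dst, egress


if __name__ == "__main__":
    # Constructed sample flows: a print job from the cloud, its reply, and a LAN ping.
    print(forward("tun12", "172.18.1.10", "192.168.126.90"))   # out tun13 to 192.168.0.20
    print(forward("tun13", "192.168.0.20", "172.18.1.10"))     # out tun12 from 192.168.126.90
    print(forward("lan", "192.168.126.50", "192.168.126.90"))  # untranslated, stays on the LAN
```

A packet from the cloud to 192.168.126.90 is rewritten to 192.168.0.20 and routed out tun13, whereas a ping to 192.168.126.90 from the main-office LAN never crosses an outside-to-inside boundary and is never translated, which is why it cannot be tested from there.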