09-28-2012 01:56 AM
Hi all,
I need to implement a site-to-site VPN tunnel between A and B, two endpoints.
Ultimate goal: communicate between Node X and Y.
Our side:
A - resides in the DMZ
X - resides in the Server Farm (accesses the Y server by browsing http://192.168.X)
It is required to do NAT on Router A and
a) hide the source address flowing (Address X --> can translate it to an Address P)
b) 192.168.1.X should route using a different address on OUR side (Address Y --> can translate it to an Address Q)
But Router A has only one single interface (Gi 0/1). How can I do the NAT in my situation? (I cannot terminate the S2S VPN on our side's border router. It should terminate on Router A.)
What IPs should I use to configure the interesting traffic?
Your responses are highly appreciated.
Thanks
09-28-2012 08:57 AM
Hello Harsha,
Are you doing this on an ASA or IOS? Please let me know the device details at either end.
regards
Harish.
09-28-2012 10:00 AM
hi Harish,
On our side it's a Cisco 7206 VXR and the other end is a Check Point firewall.
Harsha
09-28-2012 10:06 AM
Hello Harsha,
Can you explain how your internal traffic reaches your 7206, I mean what other devices are in between? Also you mentioned you have only one interface on the 7206; can you explain a bit more about that?
regards
Harish.
09-28-2012 10:18 AM
hi Harish,
Once I reach Router A from my X server, I'll find another router and a firewall between them. It's required to build the tunnel between Router A and B while hiding my internal network from the peer end.
Since I have only a single interface, Gi 0/1, I defined a loopback interface as the outside.
Router A config:
interface GigabitEthernet0/1
 ip nat inside
!
interface Loopback1
 ip nat outside
!
ip nat inside source static X P
ip nat outside source static Y Q
But once I send an ICMP message from server X to the Y server, I cannot see any NAT translations on my Router A with "debug ip nat".
What should I do in order to hide my internal network?
Harsha
09-28-2012 01:11 PM
Hello Harsha,
I guess you are trying to configure NAT on a stick, but in order for this to work, we have to send the traffic to the loopback; only then will NAT work.
What you can do is create policy-based routing (PBR), set the interface as Loopback1 for the interesting traffic, and apply that on the router's G0/1 interface.
Hope this helps.
Harish.
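A worked configuration of the NAT-on-a-stick with PBR arrangement Harish describes, added here as an example; it is not a config posted in this thread and not Cisco's own documentation. All addresses are constructed placeholders for X, P, Y, Q, the peer and the next hops; the ACL and route-map names and the IKE/IPsec parameters are assumptions; and the topology (internal firewall and border router both reachable on the Gi0/1 subnet) is inferred from Harsha's description. It also answers the interesting-traffic question: in IOS, inside-to-outside NAT runs before the crypto map is consulted, so the crypto ACL carries the translated pair P and Y, never X or Q.

```cisco
! Constructed placeholder addresses (RFC 5737 / RFC 1918), not from the thread:
!   X = 10.1.1.10       our server in the server farm
!   P = 203.0.113.10    what the peer sees as X
!   Y = 192.168.1.20    the peer's server (real address)
!   Q = 198.51.100.20   what X uses to reach Y
!   Gi0/1 = 203.0.113.1/24, border router = 203.0.113.254,
!   internal router/firewall toward X = 203.0.113.2, Check Point (B) = 192.0.2.1
!
! Loopback1 stands in for the missing second interface: it is the NAT "outside".
interface Loopback1
 ip address 10.255.255.1 255.255.255.255
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat inside
 ip policy route-map NAT-ON-A-STICK
 crypto map S2S-B
!
! Static translations: X <-> P (inside source) and Y <-> Q (outside source).
ip nat inside source static 10.1.1.10 203.0.113.10
ip nat outside source static 192.168.1.20 198.51.100.20
!
! Both directions must be pushed through Loopback1 or no translation happens:
!  - X -> Q leaving our side (pre-NAT addresses, as they arrive on Gi0/1)
!  - Y -> P arriving from the tunnel (after decryption, still pre-NAT)
! The packet leaves via Loopback1 (inside-to-outside NAT), re-enters on it
! (outside-to-inside NAT) and is then routed normally out Gi0/1.
ip access-list extended NAT-VIA-LOOPBACK
 permit ip host 10.1.1.10 host 198.51.100.20
 permit ip host 192.168.1.20 host 203.0.113.10
!
route-map NAT-ON-A-STICK permit 10
 match ip address NAT-VIA-LOOPBACK
 set interface Loopback1
!
! Ordinary routing for everything else (assumed next hops).
ip route 10.1.1.0 255.255.255.0 203.0.113.2
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! IKE/IPsec to the Check Point (parameters assumed; replace the pre-shared key).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.1
!
crypto ipsec transform-set TS-B esp-aes 256 esp-sha-hmac
!
! Interesting traffic: NAT has already run when the crypto map is checked,
! so this ACL uses the translated addresses P and Y, not X or Q.
ip access-list extended CRYPTO-B
 permit ip host 203.0.113.10 host 192.168.1.20
!
crypto map S2S-B 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-B
 match address CRYPTO-B
```

Two things outside Router A have to agree with this: the internal router/firewall must route Q (198.51.100.20 here) toward Router A, and the Check Point's encryption domain and peer definition must be the mirror image (its local host Y, remote host P, peer 203.0.113.1). After a ping from X to Q, "show ip nat translations" should list both static entries with the X-to-Q flow, and "show crypto ipsec sa" should show encaps/decaps counters rising; if "debug ip nat" still stays silent, the PBR route-map on Gi0/1 is not matching the pre-NAT addresses.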