Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
415
Views
0
Helpful
1
Replies

NAT confusion

The_guroo_2
Level 2
Level 2

‎08-11-2012 09:10 PM

Hi guys we have a customer called BPS and it has two servers 192.168.10.15 and 16.....we have 10.0.0.0/16 netwrok which connects to the two servers over VPN (IPSEC) we have pix firewall......follwoing is the config output

I can see that we have static NAT for these two servers and then we are PATTing to the 10.0.0.1 (all 10.0.0.0/16 address)

my question is how this work............my forewall ip outside is X.56.24.3 (suppose)

how this NAT is working i need the order ie when 192.168.10.15 comes it address will nbe changed on outside interface to 10.1.1.49 or when it treverse through internal it will get changes similarly how NAT is processed when packet goes outsdoe as well

object-group network BPS_NAT_HOSTS

network-object host 10.1.1.49, 10.1.1.50,

object-group network BPS_INT_NAT

  network-object host 192.168.10.15, 192.168.10.16

access-list BPS_nat extended permit tcp 10.0.0.0 255.0.0.0 object-group BPS_NAT_HOSTS 

nat (Internal) 3 access-list BPS_nat

global (External) 3 10.0.0.9

access-list acl-BPScustomer extended permit ip host 10.0.0.1 object-group BPS_INT_NAT log warnings

crypto map clientmap 20 match address acl-BPScustomer

static (External,Internal) 10.1.1.49 192.168.10.15 netmask 255.255.255.255

static (External,Internal) 10.1.1.50 192.168.10.16 netmask 255.255.255.255

Labels:
0 Helpful
1 Reply 1

nkarthikeyan
Level 7
Level 7

‎08-12-2012 01:10 AM

Hi Guroo,

You have the destination servers in 192.168.10.15 & 16 which should be accessed from your LAN which is in 10.0.0.0/16 network.

In your LAN you are NATing the 192.168.10.15 & 16 to 10.1.1.49 & 50 respectively when it sends the traffic to cust network (192.168.x.x.).

So your crypto acl will be from 10.0.0.0 to 192.168.10.x network. In turn only for those servers it will get nated internally to 10.1.1.49 & 50 to access that servers.

access-list acl-BPScustomer extended permit ip host 10.0.0.1 object-group BPS_INT_NAT log warnings

crypto map clientmap 20 match address acl-BPScustomer

The above of your configurations will grant access to 192.168.10.15 & 16 from 10.0.0.1 through getting nated to 10.1.1.49 & 50.

Similarly in the other end they will have the crypto ACL like the below permitting from 192.168.10.15 & 16 to 10.1.1.49&50.

Even if you don NAT also it should work if both the ends crypto acl matches with it.

This is basically used for hiding the real ip's of the host that is accessing...

Please do rate if the given information helps.

By

Karthik

0 Helpful
Customers Also Viewed These Support Documents