08-11-2012 09:10 PM
Hi guys, we have a customer called BPS and it has two servers, 192.168.10.15 and .16. We have a 10.0.0.0/16 network which connects to the two servers over VPN (IPsec); we have a PIX firewall. Following is the config output.
I can see that we have static NAT for these two servers and then we are PATing to 10.0.0.1 (all 10.0.0.0/16 addresses).
My question is how this works. My firewall outside IP is X.56.24.3 (suppose).
How is this NAT working? I need the order, i.e. when 192.168.10.15 comes in, will its address be changed on the outside interface to 10.1.1.49, or will it get changed when it traverses through the internal interface? Similarly, how is NAT processed when a packet goes outside as well?
object-group network BPS_NAT_HOSTS
network-object host 10.1.1.49
network-object host 10.1.1.50
object-group network BPS_INT_NAT
network-object host 192.168.10.15
network-object host 192.168.10.16
access-list BPS_nat extended permit tcp 10.0.0.0 255.0.0.0 object-group BPS_NAT_HOSTS
nat (Internal) 3 access-list BPS_nat
global (External) 3 10.0.0.9
access-list acl-BPScustomer extended permit ip host 10.0.0.1 object-group BPS_INT_NAT log warnings
crypto map clientmap 20 match address acl-BPScustomer
static (External,Internal) 10.1.1.49 192.168.10.15 netmask 255.255.255.255
static (External,Internal) 10.1.1.50 192.168.10.16 netmask 255.255.255.255
08-12-2012 01:10 AM
Hi Guroo,
You have the destination servers at 192.168.10.15 & 16, which should be accessed from your LAN, which is in the 10.0.0.0/16 network.
In your LAN you are NATing 192.168.10.15 & 16 to 10.1.1.49 & 50 respectively when it sends the traffic to the customer network (192.168.x.x).
So your crypto ACL will be from 10.0.0.0 to the 192.168.10.x network. In turn, only for those servers will it get NATed internally to 10.1.1.49 & 50 to access those servers.
access-list acl-BPScustomer extended permit ip host 10.0.0.1 object-group BPS_INT_NAT log warnings
crypto map clientmap 20 match address acl-BPScustomer
The above part of your configuration will grant access to 192.168.10.15 & 16 from 10.0.0.1 by getting NATed to 10.1.1.49 & 50.
Similarly, on the other end they will have a crypto ACL like the one below, permitting from 192.168.10.15 & 16 to 10.1.1.49 & 50.
Even if you don't NAT, it should also work if both ends' crypto ACLs match.
This is basically used for hiding the real IPs of the host that is accessing...
Please do rate if the given information helps.
By
Karthik
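To make the order of operations concrete, here is an added example that is not part of the thread and not Cisco code: a small Python model that replays the posted nat/global/static/crypto lines as a rule table and walks one packet from the 10.0.0.0/16 LAN through them. It assumes the PIX order for traffic leaving the Internal interface: the destination is first un-translated by the static (10.1.1.49 back to 192.168.10.15), then the source is translated by the policy NAT if access-list BPS_nat matches, and only then is the crypto ACL evaluated, against the translated packet. The global address is a parameter because the pasted config says 10.0.0.9 while the question describes PATing to 10.0.0.1; the sample host 10.0.0.25 and port numbers are constructed.

```python
"""Model of PIX NAT order of operations for the BPS config in the thread.
Constructed example: the rule table below is transcribed from the posted
lines; the order of the steps is an assumption stated in the lead-in.
"""
import ipaddress
from dataclasses import dataclass

# object-group BPS_NAT_HOSTS: mapped addresses the Internal side talks to
BPS_NAT_HOSTS = {"10.1.1.49", "10.1.1.50"}
# object-group BPS_INT_NAT: the real server addresses behind the VPN
BPS_INT_NAT = {"192.168.10.15", "192.168.10.16"}
# static (External,Internal) <mapped> <real>: mapped -> real
STATICS = {"10.1.1.49": "192.168.10.15", "10.1.1.50": "192.168.10.16"}
# access-list BPS_nat extended permit tcp 10.0.0.0 255.0.0.0 -> BPS_NAT_HOSTS
POLICY_NAT_SRC = ipaddress.ip_network("10.0.0.0/8")
# access-list acl-BPScustomer extended permit ip host 10.0.0.1 -> BPS_INT_NAT
CRYPTO_SRC = "10.0.0.1"

# xlate table built by outbound PAT: (global_addr, sport) -> original source
XLATE = {}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0


def policy_nat_matches(pkt):
    """nat (Internal) 3 access-list BPS_nat, matched against the packet as
    the Internal interface sees it (mapped destination 10.1.1.x)."""
    return (pkt.proto == "tcp"
            and ipaddress.ip_address(pkt.src) in POLICY_NAT_SRC
            and pkt.dst in BPS_NAT_HOSTS)


def translate_outbound(pkt, global_addr="10.0.0.9"):
    """Packet after NAT, as handed to the crypto map. global_addr defaults
    to the 'global (External) 3' address as pasted in the thread."""
    # Step 1: the static un-translates the mapped destination to the real server.
    real_dst = STATICS.get(pkt.dst, pkt.dst)
    # Step 2: policy NAT rewrites the source to the global (PAT) address.
    if policy_nat_matches(pkt):
        XLATE[(global_addr, pkt.sport)] = pkt.src
        return Packet(global_addr, real_dst, pkt.proto, pkt.sport)
    return Packet(pkt.src, real_dst, pkt.proto, pkt.sport)


def crypto_acl_matches(pkt):
    """acl-BPScustomer is evaluated on the already-translated packet."""
    return pkt.src == CRYPTO_SRC and pkt.dst in BPS_INT_NAT


def translate_inbound(pkt, dport):
    """Reply arriving over the VPN: the static maps the real server source to
    its 10.1.1.x address and the xlate restores the original inside host."""
    real_to_mapped = {real: mapped for mapped, real in STATICS.items()}
    inside_host = XLATE.get((pkt.dst, dport), pkt.dst)
    return Packet(real_to_mapped.get(pkt.src, pkt.src), inside_host, pkt.proto, dport)


if __name__ == "__main__":
    out = translate_outbound(Packet("10.0.0.25", "10.1.1.49", sport=40000))
    print("outbound after NAT:", out, "crypto match:", crypto_acl_matches(out))
    back = translate_inbound(Packet("192.168.10.15", out.src), out.sport)
    print("reply after NAT:", back)
```

Running it with the config as pasted shows the crypto ACL not matching, because the translated source is 10.0.0.9 while acl-BPScustomer names host 10.0.0.1; passing global_addr="10.0.0.1", as the question describes, makes it match. A UDP packet is left untouched by the policy NAT because BPS_nat permits tcp only, so it never reaches the tunnel either.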