PIX 515e - Double NATting?

Hello,

In a nutshell, I ran into the following problem: I would like to designate specific INSIDE PCs to come out with DMZ IPs.

Here's the setup:

INSIDE: 192.168.1.n
DMZ: 10.162.10.n
OUTSIDE: 216.210.192.n

INSIDE can access OUTSIDE.
DMZ can access a designated site via a VPN tunnel (DS_VPNT).
INSIDE can access DMZ.
OUTSIDE cannot access DMZ, only one INSIDE server.

Question:

How can I set my PC to also access the DS_VPNT? In other words, what can I add to my PIX 515e (6.3) firewall in order to reach the DMZ NIC with a DMZ range IP? (My PC is 192.168.1.21, which I want to come out as 10.162.10.78.) The DS_VPNT accepts only DMZ IPs.

Thank you much, CDee

Reply to
CD

nat (inside) 2 192.168.1.21 255.255.255.255
global (dmz) 2 10.162.10.78

Have fun.

Reply to
Lutz Donnerhacke

Thank you so much for the reply, Lutz.

I am currently trying out your suggestion. Meantime, I noticed that my access to the Internet has been stopped, though. Is there any way to preserve it? That's the tough part.

Thanks again,

-C


Reply to
CD

You have to merge these commands into your existing ones. Otherwise you lose your current configuration.

Reply to
Lutz Donnerhacke

Does the VPN tunnel hang off of the DMZ interface or off of the outside interface?

The other poster suggested a regular nat with a global (dmz). At the very least, the interface would have to be (outside) if the VPN tunnel is hanging off of the outside interface instead of the DMZ.

If the other end of the tunnel only allowed IPs in the DMZ IP range, then you very likely have a nat (dmz) 0 access-list command. If you do, then that will override the nat/global pair when the responses come back -- the 10.162.10.78 IP would go untranslated and be directed towards the DMZ rather than to the inside host 192.168.1.21. nat 0 access-list overrides nat/global pairs. So you'd have to put a 'deny' into that access-list to allow translation of 10.162.10.78.

I was thinking you might have to change the definition of your VPN tunnel, but thinking again, I don't think you will need to do that.

Reply to
Walter Roberson
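Putting Lutz's nat/global pair and Walter's nat 0 remark side by side, here is what a merged PIX 6.3 fragment could look like. This is an added illustration written for this thread, not a configuration posted by CD, Lutz or Walter. Assumptions and placeholders: the existing Internet NAT is shown as nat id 1 (CD's real lines may differ), the tunnel is taken to hang off the dmz interface as Walter asks, REMOTE_NET/REMOTE_MASK stand for the DS_VPNT peer network, and the access-list names are made up. The point it adds is that a plain `nat (inside) 2` entry for host .21 applies to every destination, so with only a `global (dmz) 2` the host has no translation towards the outside interface, which is the usual cause of exactly the "Internet stopped working" symptom CD reports; restricting the entry with a PIX 6.3 policy NAT access-list keeps all other traffic from .21 on the existing nat id 1.

```cisco
! Added example, not from the thread. Strip the ! comment lines before pasting.
! Existing Internet access (assumed to already be in the config):
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Only traffic from 192.168.1.21 to the DS_VPNT network is translated to the DMZ address.
! Everything else from .21 still matches nat id 1 and keeps its Internet access.
access-list TO_DSVPNT permit ip host 192.168.1.21 REMOTE_NET REMOTE_MASK
nat (inside) 2 access-list TO_DSVPNT
global (dmz) 2 10.162.10.78
! If the tunnel terminates on outside instead (Walter's question), use
! global (outside) 2 10.162.10.78 in place of the global (dmz) line.

! Walter's point: if a NAT-exemption list already exists on dmz for the tunnel,
! exclude the translated address so replies to 10.162.10.78 are not treated as
! untranslated DMZ traffic. Order matters: deny before the permit.
access-list DMZ_NONAT deny ip host 10.162.10.78 REMOTE_NET REMOTE_MASK
access-list DMZ_NONAT permit ip 10.162.10.0 255.255.255.0 REMOTE_NET REMOTE_MASK
nat (dmz) 0 access-list DMZ_NONAT
```

After applying, `show xlate` should show a 192.168.1.21 to 10.162.10.78 entry only while .21 is talking to the remote network, and a normal outside PAT entry for its web traffic; if the outside entry is missing, a global for the matching nat id is absent on that interface.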

Thanks Lutz. I did that (added the commands you gave me) but I am still having problems accessing the web.

Should I check a particular area?

Regards,

-C

Reply to
CD

Post your current config (shorten it!) and describe your allowed data flows.

Reply to
Lutz Donnerhacke

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.