Network Security Firewalls

Pix - Can you perform PAT on a static nat.

Date: Fri, 18 Mar 2005 18:10:37 +0000
Hi list,
This is my first post, so apologies if my post offends anyone in any way :) I'm currently trying to set up a management connection to a pix VPN network with the unfortunate situation of overlapping address space. At present the current setup consists of sites using 3 pix 501s (on ADSL) to connect two sites to a master site.


Pix B ------ www ----- Pix A  ----- www ----- Pix C

Pix A = 10.0 /24
Pix B = 10.1 /24
Pix C = 10.2 /24

Pix D = 10.{1,2,3} / 24

This setup as it is works fine with IPsec VPNs. What I need to be able to do is to make each of these sites unique to a fourth site (my office - pix D) which already has the 10.X ranges defined and in use. I thought the best way to proceed would be to use static nattings. We already have our workstations statically mapped behind pix D to provide us with unique public IP addresses (1.1.1/24). I decided to use the range 10.250.X /24 for mapping the networks of Pix A, B and C. For example 10.0.0.1 on PIX A becomes 10.250.0.1 and 10.1.0.1 becomes 10.250.1.1 etc. So I configured a workstation on the fourth site to NAT to a public address, and then route to an address of 10.250.0.0 via an IPsec VPN to pix A. Pix A then has a static mapping
"static (inside,outside) 10.250.0.0 10.0.0.0 netmask 255.255.255.0" which then translates 10.250.0.1 to 10.0.0.1. So just to clarify, a ping to 10.250.0.1 goes ....


1) 10.2.0.21 --> 10.250.0.1
(pix - inside)
2) 10.2.0.21 changes to 1.1.1.1 --> 10.250.0.1
(Ipsec VPN)
3) 10.250.0.1 --> 10.0.0.1

As far as the device 10.0.0.1 is concerned it gets a ping from 1.1.1.1, and as far as my PC is concerned it gets a reply from 10.250.0.1. This all works fine, and I can connect to this site quite happily. The only problem I am having is that the devices behind PIX A are now statically mapped to the outside interface on 10.250.0.X and I am unable to get any of them to browse the internet. I've tried all sorts of PAT/NAT config to get this to work but I don't seem to be able to NAT from the outside interface out to the internet. Is this something that is possible or have I just gone about this whole scenario in a bizarre and twisted way?

Apologies if my description makes no sense, please be gentle :)

Cheers,

Ben
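The following Python is an added illustration, not part of Ben's post and not PIX code: it models the address rewrites along the path he describes (the office workstation's static on Pix D, the /24 network static on Pix A) so the three ping steps and the reply can be traced, and then applies the same Pix A static to an internet-bound packet to show why those hosts leave the outside interface with a 10.250.0.x source. The static in the model is unconditional, as an ordinary `static (inside,outside)` is; the `far_end_nets` restriction is a modeled generalization of a destination-qualified static (what PIX 6.3 calls policy static NAT, keyed on an access-list), included here as an assumption of what a fix could look like. All addresses other than those in the post, including Pix A's outside address 203.0.113.10, are constructed placeholders.

```python
"""Model of the static-NAT path in the post (constructed example, not PIX configuration)."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.ip_network


@dataclass(frozen=True)
class Static:
    """A one-to-one network static: real_net <-> mapped_net, host bits preserved.
    far_end_nets, if given, restricts the static to traffic whose other endpoint
    lies in one of those prefixes (a model of a destination-qualified static)."""
    real_net: ipaddress.IPv4Network
    mapped_net: ipaddress.IPv4Network
    far_end_nets: tuple = ()

    def applies(self, far_end: IPv4) -> bool:
        return not self.far_end_nets or any(far_end in n for n in self.far_end_nets)


def _shift(addr: IPv4, from_net, to_net) -> IPv4:
    """Keep the host offset: 10.0.0.1 in 10.0.0.0/24 becomes 10.250.0.1 in 10.250.0.0/24."""
    return IPv4(int(to_net.network_address) + (int(addr) - int(from_net.network_address)))


def outbound(statics, src, dst, pat_addr):
    """Packet leaving inside->outside. A matching static rewrites the source to its
    mapped address; otherwise dynamic PAT to pat_addr is used."""
    src, dst = IPv4(src), IPv4(dst)
    for s in statics:
        if src in s.real_net and s.applies(dst):
            return str(_shift(src, s.real_net, s.mapped_net)), str(dst)
    return pat_addr, str(dst)


def inbound(statics, src, dst):
    """Packet arriving outside->inside. A static whose mapped prefix holds the
    destination rewrites it back to the real host."""
    src, dst = IPv4(src), IPv4(dst)
    for s in statics:
        if dst in s.mapped_net and s.applies(src):
            return str(src), str(_shift(dst, s.mapped_net, s.real_net))
    return str(src), str(dst)


# Constructed scenario following the post: Pix D maps the office workstation to a
# public address; Pix A maps its whole /24 to 10.250.0.0/24.
PIX_D_STATICS = [Static(Net("10.2.0.21/32"), Net("1.1.1.1/32"))]
PIX_A_STATICS = [Static(Net("10.0.0.0/24"), Net("10.250.0.0/24"))]
PIX_A_OUTSIDE = "203.0.113.10"   # placeholder public address for Pix A's outside interface


def ping_path(pix_d=PIX_D_STATICS, pix_a=PIX_A_STATICS):
    """Steps 1-3 of the post: 10.2.0.21 pings 10.250.0.1."""
    s1, d1 = outbound(pix_d, "10.2.0.21", "10.250.0.1", pat_addr="1.1.1.254")
    s2, d2 = inbound(pix_a, s1, d1)
    return [("10.2.0.21", "10.250.0.1"), (s1, d1), (s2, d2)]


def reply_path(pix_d=PIX_D_STATICS, pix_a=PIX_A_STATICS):
    """The echo reply: 10.0.0.1 answers 1.1.1.1, and the office PC sees it from 10.250.0.1."""
    s1, d1 = outbound(pix_a, "10.0.0.1", "1.1.1.1", pat_addr=PIX_A_OUTSIDE)
    s2, d2 = inbound(pix_d, s1, d1)
    return [("10.0.0.1", "1.1.1.1"), (s1, d1), (s2, d2)]


def internet_path(pix_a, src="10.0.0.5", dst="198.51.100.7"):
    """A host behind Pix A browsing the internet: which source leaves the outside interface?"""
    return outbound(pix_a, src, dst, pat_addr=PIX_A_OUTSIDE)


if __name__ == "__main__":
    for hop in ping_path():
        print("ping  ", hop)
    for hop in reply_path():
        print("reply ", hop)
    print("internet, unconditional static:", internet_path(PIX_A_STATICS))
    restricted = [Static(Net("10.0.0.0/24"), Net("10.250.0.0/24"), (Net("1.1.1.0/24"),))]
    print("internet, static limited to VPN peers:", internet_path(restricted))
```

With the unconditional static, the internet-bound packet leaves Pix A with source 10.250.0.5, a private address no upstream router will return traffic to, which matches the symptom in the post; with the static limited to the 1.1.1.0/24 peer, the same packet falls through to PAT on the outside address.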




