[c-nsp] Reverse NAT (and "regular" NAT) at the same time?

Tor torh at bogus.net
Wed Nov 24 12:06:33 EST 2004


Dear List,

I'm trying to avoid asymmetric routing in an environment where I have two
routes to the Internet. One link has static addresses, the other DHCP.

Both of these routes have Cisco equipment attached (PIX for the static
route, 837 for the DHCP connection).

Behind these boxes there is another firewall which provides VPN. In order to
ensure that VPN traffic (which is forwarded through the PIX) stays on the
PIX link, I am considering using "reverse NAT".

i.e. (see diagram, below), a user points his/her VPN client to the "eth0
unnumbered" address, the PIX does a reverse NAT and forwards the packets to
192.168.0.3. The source address for these packets effectively changes from
(some random Internet) address to an address in 192.168.0.0/24 (e.g. the
last /27).

Can the PIX do this? Or should I do this on the (Cisco) router in front of
it? (Effectively creating a 2nd DMZ.)

The diagram is as follows:

            (internet)
                |
                | (eth0 unnumbered)
           [Cisco 2600]
                |.1
     x.y.z.0    |
        +-------+         (internet)
        |                     | 
        |.2                   |.?
 [Cisco PIX]              [Cisco 837]
        |.2                   |.1
        |    192.168.0.0/24   | 
        +------------+--------+
                     |
                     |.3
                [Another FW]
                     |
                -----+------
                172.16.0.0/24

All suggestions appreciated.

Regards,

Tor
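For readers following the thread: the translation the post describes (destination NAT onto 192.168.0.3 plus source NAT into the last /27 of 192.168.0.0/24, so that return traffic is delivered to the PIX rather than to the 837's default route) corresponds to a static inside translation combined with "outside NAT" on PIX 6.2/6.3. The fragment below is an added illustration, not the poster's configuration and not from the thread; it assumes the PIX outside interface lives on x.y.z.0 (203.0.113.0/24 is used as a constructed stand-in), that the public VPN address is 203.0.113.5 (a placeholder for an address in x.y.z.0), and that the inner firewall at 192.168.0.3 terminates IPsec (IKE on UDP/500, ESP, NAT-T on UDP/4500).

```cisco
! Constructed example, PIX 6.3 syntax; addresses are placeholders.
! 203.0.113.0/24 stands in for the poster's x.y.z.0 network.
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.0.2 255.255.255.0

! Destination ("reverse") NAT: the public VPN address maps 1:1 onto the
! inner firewall. A 1:1 static keeps ESP intact, as no ports are rewritten.
static (inside,outside) 203.0.113.5 192.168.0.3 netmask 255.255.255.255 0 0

! Source NAT for outside-originated connections: rewrite the Internet source
! into the last /27 of 192.168.0.0/24 so replies from 192.168.0.3 stay on the
! local subnet and are answered (proxy ARP) by the PIX, never by the 837.
! A pool of addresses (dynamic NAT) is used rather than a single PAT address,
! because ESP has no port field for PAT to multiplex on; the pool gives one
! concurrent client per address (30 here).
nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 192.168.0.225-192.168.0.254 netmask 255.255.255.224

! Only VPN traffic is admitted to the translated address.
access-list vpn_in permit udp any host 203.0.113.5 eq isakmp
access-list vpn_in permit udp any host 203.0.113.5 eq 4500
access-list vpn_in permit esp any host 203.0.113.5
access-group vpn_in in interface outside

! Keep connection logging on the PIX: after outside NAT, the inner firewall
! only ever sees 192.168.0.225-254 as the peer address, so the PIX syslog
! (translation/connection built messages) is the only record of the real
! remote VPN endpoint needed to correlate an incident.
logging on
logging trap informational
logging host inside 192.168.0.10
```

Two caveats a practitioner would check before relying on this: the "outside" keyword on the nat command (outside NAT) requires PIX 6.2 or later, and the 192.168.0.224/27 pool must not be in use by any real host on the 192.168.0.0/24 segment, because the PIX will answer ARP for those addresses. Whether the translation is better placed on the 2600 in front of the PIX, as the post also asks, depends on which device should hold the connection state and logs; the example only shows the PIX-side variant.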

