[c-nsp] Reverse NAT (and "regular" NAT) at the same time?

Jay Hennigan jay at west.net
Wed Nov 24 14:20:11 EST 2004


On Wed, 24 Nov 2004, Tor wrote:

> I'm trying to avoid asymmetric routing in an environment where I have two
> routes to the Internet. One link has static addresses, the other DHCP.
>
> Both of these routes have Cisco equipment attached (PIX for the static
> route, 837 for the DHCP connection).
>
> Behind these boxes there is another firewall which provides VPN. In order to
> ensure that VPN traffic (which is forwarded through the PIX) stays on the
> PIX link, I am considering using "reverse NAT".
>
> i.e. (see diagram, below), a user points his/her VPN client to the "eth0
> unnumbered" address, the PIX does a reverse NAT and forwards the packets to
> 192.168.0.3. The source address for these packets effectively changes from
> (some random Internet) address to an address in 192.168.0.0/24 (e.g. the
> last /27).
>
> Can the PIX do this? Or should I do this on the (Cisco) router in front of
> it? (Effectively creating a 2nd DMZ.)

I don't see why you need to do either.  If the other firewall is solely
for VPN, point its default gateway to the PIX on 192.168.0.2.  If this
is unworkable, put policy routing on the 837 inside interface so that traffic
sourced from the VPN tunnel endpoint has a next hop of the PIX.

How are routing decisions made now as to which link is used by hosts on
192.168.0.x ?

> The diagram is as follows:
>
>             (internet)
>                 |
>                 | (eth0 unnumbered)
>            [Cisco 2600]
>                 |.1
>      x.y.z.0    |
>         +-------+         (internet)
>         |                     |
>         |.2                   |.?
>  [Cisco PIX]              [Cisco 837]
>         |.2                   |.1
>         |    192.168.0.0/24   |
>         +------------+--------+
>                      |
>                      |.3
>                 [Another FW]
>                      |
>                 -----+------
>                 172.16.0.0/24
>

--
Jay Hennigan - CCIE #7880 - Network Administration - jay at west.net
WestNet:  Connecting you to the planet.  805 884-6323      WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/
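The policy-routing fallback Jay describes, written out as an added IOS configuration example (not posted in the thread by either Jay or Tor). It uses the addresses from Tor's diagram: the VPN firewall's outer address is 192.168.0.3, the PIX inside address is 192.168.0.2 and the 837 inside address is 192.168.0.1. The interface name Ethernet0 and the ACL and route-map names are assumptions, and it assumes the 837's IOS image supports `ip policy route-map`.

```cisco
! Added example, not from the original thread. Assumed: inside LAN on Ethernet0,
! names VPN-FW-TO-PIX and PBR-VPN are arbitrary.
!
! Match everything the VPN firewall's outer address (192.168.0.3) sends out.
! If that firewall also NATs ordinary user traffic that should keep using the
! 837's DHCP link, narrow this to the tunnel protocols instead:
!   permit udp host 192.168.0.3 any eq isakmp
!   permit udp host 192.168.0.3 any eq non500-isakmp
!   permit esp host 192.168.0.3 any
ip access-list extended VPN-FW-TO-PIX
 remark traffic sourced by the VPN tunnel endpoint
 permit ip host 192.168.0.3 any
!
! Packets matching the ACL get the PIX as next hop; anything the route-map
! does not match falls through to the normal routing table (the DHCP default).
route-map PBR-VPN permit 10
 match ip address VPN-FW-TO-PIX
 set ip next-hop 192.168.0.2
!
! Policy routing applies to packets arriving on the interface it is configured
! on, so it goes on the inside interface, not the DHCP-facing one.
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip policy route-map PBR-VPN
```

After applying it, `show route-map PBR-VPN` shows the policy-match counters climbing while the VPN firewall is passing traffic; if they stay at zero, the VPN firewall's default gateway is probably not the 837 and the packets never arrive on Ethernet0 to be policy-routed. Note this only steers the outbound half of the flow; inbound VPN traffic already arrives via the PIX because the static address lives on that link, which is what makes the path symmetric.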