[c-nsp] Reverse NAT (and "regular" NAT) at the same time?

Tor Houghton torh at bogus.net
Thu Nov 25 06:57:49 EST 2004


On Wed, Nov 24, 2004 at 11:20:11AM -0800, Jay Hennigan wrote:
> 
> I don't see why you need to do either.  If the other firewall is solely
> for VPN, point its default gateway to the PIX on 192.168.0.2.  If this
> is unworkable, put policy routing on the 837 inside interface so that traffic
> sourced from the VPN tunnel endpoint has a next hop of the PIX.
> 

Jay,

Thinking this over, I decided I should be able to just place the PIX so:


          (internet)
              |
            [GW]
              |
            [PIX]---[837]--(internet)
              |
            [xFW]

If I have a default route on the PIX which points to the 837, new traffic
(connections not in the PIX's state tables) should go out of the 837.

Incoming connections (new VPN setups) will pass through the GW interface of
the PIX, be added to the PIX state table, and return VPN traffic (from xFW)
should then be passed back over the PIX-GW interface. Reverse NAT avoided.

Am I right? Or not?

Cheers,

Tor
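The policy-routing alternative Jay raises in the quoted reply, shown as an added illustration rather than configuration posted by either participant: an IOS route-map applied to the 837's inside interface so that packets sourced from the VPN tunnel endpoint are handed to the PIX instead of following the 837's own default route. The interface name Ethernet0 and the endpoint address 192.168.0.3 are assumptions made for the example; only 192.168.0.2 for the PIX comes from the thread.

```text
! Assumed for this example: Ethernet0 is the 837's inside (LAN) interface,
! 192.168.0.3 is the local VPN tunnel endpoint (placeholder address),
! 192.168.0.2 is the PIX address quoted in the thread.
ip access-list extended VPN-ENDPOINT-OUT
 permit ip host 192.168.0.3 any
!
route-map VPN-VIA-PIX permit 10
 match ip address VPN-ENDPOINT-OUT
 set ip next-hop 192.168.0.2
!
interface Ethernet0
 ip policy route-map VPN-VIA-PIX
```

`show route-map VPN-VIA-PIX` reports how many packets matched the policy, which is the quickest check that return VPN traffic is actually being steered to the PIX; `debug ip policy` shows the per-packet decision if the counters stay at zero. Note that an interface policy only affects transit packets arriving on Ethernet0, so anything the 837 originates itself still follows the normal routing table.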

