[c-nsp] Should this work on Pix w/7.0(4) ?

Garry gkg at gmx.de
Fri Feb 10 10:09:05 EST 2006


Ok, I've got a bit of a complicated setup ... one of our customers has a 515 FO
w/ 6xFE. Apart from internal, external and FO there are three DMZ
networks. Now, they have a connection to another company via IPSEC,
which as such is working. Due to some overlaps in IP space of the local
DMZ and the remote place's IPs, a transfer network was defined that is
being used by the remote site to gain access to the server in the DMZ.
After the packets emerge from the tunnel on the PIX, they have to be
natted to the DMZ IP. So:

          192.168.44.19 (DMZ)
                ^
                | NAT
                v
          172.17.16.70 (/27 transfer net)
                ^
                | IPSEC VPN
                v
          192.168.110.4

I tried to configure this, but with the tunnel policy protecting the
172.* IPs, it somehow didn't work out. Also, I wasn't sure where to plug
the NAT into - I assume between inside and DMZ, right?

Would this even work?

Tnx, -garry

