Mike Tierney
Guest
|
 Posted: Fri Aug 24, 2007 6:57 am Post subject: NAT - backwards |
 |
|
I've never actually seen this done, but I'm positive it can work - I just
can't figure out the syntax: I need to NAT two outside global addresses to
the address of a firewall on one of the LAN interfaces.
This solution is intended to support two different groups of VPN clients in
a primary/failover configuration. The firewalls serving the VPNs apparently
don't support loopback interfaces, so the VPN clients have to be configured
with the outside IP address of the respective firewalls. I can't just NAT
all the traffic going through to the firewall because it supports other
services. After going over several possibilities, the only solution I can
think of is to allocate two host addresses, call them PrimA and PrimB (PrimA
used by clients using site A as their primary, PrimB used by B site
clients), and NAT both of them at their respective sites to their respective
firewalls' outside IP addresses:
(All IP addresses are public, I.e. non-rfc1918, but I use rfc1918 here as
examples)
AWAN intfc 172.16.1.2/30
ALAN intfc 10.1.1.1/28
AFirewall 10.1.1.2/28
BWAN intfc 172.16.2.2/30
BLAN intfc 10.1.2.1/28
BFirewall 10.1.2.2/28
PrimA 192.168.1.1
PrimB 192.168.2.1
I want to NAT both 192.168.1.1 and 192.168.2.1 to the firewall's outside IP
address:
ASite: 192.168.1.1 and 192.168.2.1 both NAT to 10.1.1.2
BSite: 192.168.1.1 and 192.168.2.1 both NAT to 10.1.2.2
Is this so simple I can't see it? Or is this a potential hornets nest? I'm
having a serious mental block here, I'm sure it's not difficult but I can't
figure it out.
TIA for any assistance!!
m j tierney |
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Private messages
Log in
