LAN to LAN PAT/NAT 3020 hub

I have a client who wants to create a tunnel L2L, but said that they will only allow us to use up to three IP addresses. I never had no other customers ask me to do it this way and I'm a little confused as how I should make it work. I'm guessing that a form any NAT/Pat should solve the problem for me. Could someone please point me in the right direction.

Thank you!

Yes, you can use this approach to NAT. Maybe they're "too cautious" with their security.

Concerning

Farrukh

Tags: Cisco Security

Similar Questions

Require the NDIS2 drivers for HP LAN and USB travel hub

Hello

I have some ultrabooks with no LAN on board, which I am trying to use an image Ghost (the network).

I use a HP LAN and USB hub, but to get the ghost to work, I need drivers BACK (NDIS2) to get this working. Any ideas where I could get these in. I had a good glance but had no joy so far. All of my generic drivers seem to fail too!

Thanks in advance!

Hello, I'm not familiar with the "HP LAN and USB travel hub", but I used a good amount of Ghost!

I think that it can be difficult to get this ethernet device works in DOS mode. One of the problems is that DOS itself does not have support for the USB, so you would first get drivers in real mode USB installed and then find/layer drivers for HP LAN and USB travel in addition to this hub.

This looks like a difficult task. Must the ghost image be stored/retrieved over the network? It may be easier to use Ghost with a local storage device, for example a USB optical drive or an external/USB drive (if that's an option)...

Another option would be to use a different disc Imaging program (the one who works within Windows, or something like a Windows PE boot disk uses instead of BACK).

I hope this helps!

Dave

DMZ at lan w / NAT - config?

customer premises requires access to our network.

requirements:

provide internet access

restrict access to different servers

nat addresses

y at - it a config there that helps with dmz lan access?

Thanks for any help.

Hello Tsrader,

Your config looks pretty good for the most part. Here are some changes I would make:

access-list inside_access_in allow a tcp

Allow Access-list inside_access_in a whole udp

access-list inside_access_in allow icmp a whole

inside_access_in ip access list allow a whole

TCP/UDP/ICMP are all encompassed in the statement of intellectual property, so that they are not really necessary. However, you do not have acutally apply this list of access inside the interface, so by default, all traffic from the inside would be allowed to the gtadmz. If you want to block the traffic inside the gtadmz, you could do this:

inside_access_in access-list deny ip any object-group customer_nets

inside_access_in ip access list allow a whole

This will only allow connections from the gtadmz to the packets to the internal and back.

On the NAT/Global statements, those are correct. A request from the gtadmz seems to come from the IP address of the inside interface of the firewall to the servers inside. If this is what you want, then it should work perfectly.

Finally, the question concerning the application of the access to the interface list. What you put is correct.

I hope this helps.

Gavin - Budd

Is it possible to put behind a NAT DMVPN hub? (Speaks has a public IP address)

I he tried for a few days and couldn't make it work. The schema and configuration is in the attachment.

Crypto isakmp profile: QM slowed down on both sides.

Profile of crypto ipsec: NO ipsec profile established on both sides.

Show ip PNDH (side hub): nothing is saved at all. Empty.

Any ideas?

Thank you!

Difan

As long as the HUB has a static nat translation it should work, try to set your transformation mode of Transport rather than tunnel on two spokes and hub, close your tunnel on the hub and the spokes and then turn it back on, does make a difference?

Static NAT & DMVPN Hub

Hello

I don't think that will be a problem DMVPN supports the rays behind NAT devices, but I anticipate change my network for reasons of security and redudancy autour and putting a pair of ASA firewalls on my Internet collocation. Right now I have a DMVPN race 3845, NAT & ZBFW. I'm going to remove the ZBFW and move the NAT to the ASA, leaving only the DMVPN hub and routing. If I create a static NAT mapping on my ASA to point to the DMVPN hub that will work?

I think it will be, but I just wanted to be 110% sure.

Thank you!

Hi Brantley,

DMVPN with static NAT on the hub is supported in the installer. Just be awear it there are limits.

1, all DMVPN router, hub and spokes must be running at least 12.3(9a) and 12.3 (11) T code.

2, must use ipsec transport mode.

3, so need dynamic tunnel talk to rays, hub should work at least 12.3 (13), 12.3 (14) T and 12.3 (11) T3 code.

See the configuration guide

http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_DMVPN_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1122466

HTH,

Lei Tian

PAT NAT problems,

Hello

My client has a PIX 520. Here is the config.

Global (outside) 20 214.39.43.41 - 214.39.43.101

Global (Dmz) 10 11.254.254.31

Global (clients) 20 11.151.4.51 - 11.151.4.101

NAT (inside) 20 161.2.2.177 255.255.255.255 0 0

NAT (inside) 20 161.2.2.180 255.255.255.255 0 0

NAT (inside) 10 0.0.0.0 0.0.0.0 0 0

NAT (Dmz) 20 0.0.0.0 0.0.0.0 0 0

The 161.2.2.177 device (server) is inside the interface. The config above, that this device will be NAT/PAT would have for outgoing interfaces i.e.

(Inside) 161.2.2.177, NAT'd (214.39.43.41 - outdoor 214.39.43.101)

(Inside) 161.2.2.177, NAT'd 11.151.4.51 - 11.151.4.101 (customers)

(Inside) 161.2.2.177, PAT'd (DMZ) 11.254.254.31

The Xlate table, 161.2.2.177 is THAT NAT would have for outdoor & customer interfaces, but PAT translation does not work!

PAT test I used a PC inside the DMZ ping and the PC are PAT had to 11.254.254.31.

Statically mapping 161.2.2.177 to an address on the DMZ also works. But PAT for this device does not work!

Until PAT previously for this unit on the demilitarized zone have worked, no configuration change has attempted all the PIX.

Has anyone encountered this problem before?

Thanks for your help

The 161.2.2.177 address is excluded because you have this:

> nat (inside) 20 161.2.2.177 255.255.255.255 0 0

Any package that inside the host will always use this nat statement since it is the most specific, there a nat 20 id, so you need a command of "global (dmz)" corresponding with the id - nat 20 also.

PAT/NAT and VPN through a PIX

"PPTP through the PIX with Port address translation (PAT) does not work because there is no concept of ports in GRE"-this is an excerpt from a config PIX version 6.2 and below.

1. how this problem has been fixed in 6.3? GRE is encapsulated in udp or tcp to use ports to follow the connection?

2. is it "fixup protocol esp-ike" use the same technology - the source port created by the IKE protocol? -ISAKMP cannot be enabled when you use this command

3. What is "isakmp nat-traversal? How is this different from fixup protocol esp-ike"

Thank you

RJ

1. when the PIX sees outgoing PPTP (TCP 1723 port) packets it now opens holes for them to return, as well as opening a hole for the GRE packets, it has never done this before. The PPTP TCP packets can be PAT would be fine because they are TCP packets. GRE packets, I believe, are followed by the id field only tunnel in the package.

2. we use the source port of the ISAKMP packet for ESP packets as well. The current limitation is that if you have this option, you cannot use the PIX to close the IPSec sessions, so you can not turn on ISAKMP any interface. You can also have only a single IPSec client internal to use this feature.

3 NAT - T is a new standard for IPSec to work through a NAT device peers, because they detect changes of address during the negotiation of tunnel and automatically encapsulate packets in UDP 4500. This market allows the PIX and the other device (if it supports it) to automatically detect a NAT/PAT device between them. This differs from the "esp - ike correction '' that the PIX ends not in fact the IPSec tunnel with esp - ike, but it is the endpoint in nat - t.

Unable to save the good value error - 3020 hub

We have a production 3020 VPN concentrator, who has started having a problem a couple of days. When we make a change, we receive a popup box saying could not save a bad value error. We restarted the concentrator once and found that it did not have to register once. Now, back to the error. Because it is a production supporting many tunnels, restarting is very disruptive, and we lose all our changes. Any ideas on what causes this error and how to fix it?

Excellent! good to hear, remember messages useful rate.

By PAT and NAT VPN

We have a place where you want to set up a tunnel VPN to our headquarters.

In this place, there is a router that PAT (NAT overloading), and then a few jumps more, there is a firewall that makes the NAT.

Is this could pose a problem for the VPN tunnel?

Here's a "pattern" of what looks like the connection.

Customer--> PAT - router-->--> Internet--> CVPN3005 NAT firewall

I hope you can provide me with an answer.

VPN tunnel will not work in your scenario. NAT second change address and the ports you want to use for the vpn tunnel. So the port 500 wil be translated to top port and will be rejected at HQ.

ICMP and NAT/PAT

How does PAT/NAT behave on ICMP packets if there is no ports such as udp/tcp?

Best regards

Francesco

Take a look at these documents

http://Tools.ietf.org/WG/behave/draft-ietf-behave-NAT-ICMP/draft-ietf-behave-NAT-ICMP-01-from-00.wdiff.html

http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093f96.shtml

Both will help you understand

HTH

Hoogen

Do rates if it help :)

PIX 501 NAT and PAT with a single IP address

Using the following configuration, on my first PIX 501, I am unable to provide a server of mail to the outside world and allows inside customers to browse the Internet. :

6.3 (5) PIX version

interface ethernet0 car

interface ethernet1 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

enable password xxxx

passwd xxx

hostname fw-sam-01

SAM domain name

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

No fixup not protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

outside access list permit tcp any host 62.x.x.109 eq smtp

access the inside to allow tcp a whole list

pager lines 24

Outside 1500 MTU

Within 1500 MTU

IP address outside the 62.177.x.x.x.255.248

IP address inside 192.168.45.1 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

location of PDM 192.168.45.2 255.255.255.255 inside

PDM logging 100 information

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

public static 62.177.x.x.x.45.2 (Interior, exterior) mask subnet 255.255.255.255 0 0

outside access-group in external interface

group-access to the Interior in the interface inside

Route outside 0.0.0.0 0.x.x.x.177.208.105 1

Timeout xlate 0:05:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

AAA-server GANYMEDE + 3 max-failed-attempts

AAA-server GANYMEDE + deadtime 10

RADIUS Protocol RADIUS AAA server

AAA-server RADIUS 3 max-failed-attempts

AAA-RADIUS deadtime 10 Server

AAA-server local LOCAL Protocol

Enable http server

http 192.168.45.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Telnet 192.168.45.0 255.255.255.0 inside

Telnet timeout 5

SSH timeout 5

Console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

: end

It is I'am using access list and groups wrong or am I wrong in PAT/NAT configuration.

Please advise...

Hello

I went through the ongoing discussion. The pix configuration should be fine for now according to suggestions. The problems seems to be on the server. If it is a new installation of windows, then there is an option not to accept requests that are not local network.

If you want to check if pix allows connections and then when you telnet to port 25 of the outside, just run the xlates control.

SH xlate and it should show you a translation for the inside host. More than a quick test if pix allows traffic is to check 'sho-outdoor access list' and see if the counters are increasing.

Hopefully this should help you.

Arun S.

Cisco 2911 and ASA 5512 remove double NAT

Greetings,

I have 2 subnets on Cisco 2911 router

192.168.3.0/24 and 192.168.1.0/24

3rd network 192.168.4.0/24 is natting internal interface to the modem for internet access. creating 2 NAT (NAT in router) and NAT in Modem

I just bought Cisco ASA 5512, no chance I could remove the Cisco 2911 router NAT and set the default gateway for Cisco ASA?

Yes you are right...

You must ensure that you get the routed LAN traffioc to hit inside the interface ASA in ASA, you can do PAT/NAT to access...

Concerning

Knockaert

DMVPN and INTERNET VIA HUB RENTAL ISSUES

Hello everyone,

I really wish you can help me with the problem I have.

I explain. I test a double Hub - double DMVPN Layout for a client before we set it up in actual production.
The client has sites where routers are behind some ISP routers who do NAT.

How things are configured:

-All rays traffic must go through the location of the hub if no local internet traffic on the rays.
-Hub 1 and 2 hub sends a default route to rays through EIGRP. But only Hub 1 is used.
-Hub 1 is the main router to DMVPN. In case of connection / hardware failure of the Internet Hub 2 become active for DMVPN and Internet.
-Hub 1 and 2 hub are both connected to an ISP and Internet gateway for rays.
-Hub 1 and 2 hub are configured with IOS Firewall.
-On the shelves I used VRF for separate DMVPN routning Global routning table so I could receive a default route of 1 Hub and Hub 2 to carry the traffic of rays to the Internet via the location of the hub

What works:

-All rays can have access to the local network to the location of the hub.
-All the rays can do talk of talk
-Working for DMVPN failover
-Rais NOT behind the router NAT ISP (i.e. the public IP address) directly related to their external interface can go Internet via hub location and all packages are inspected properly by the IOS and Nat firewall properly

What does not work:

-Rays behind the NAT ISP router can not access Internet via Hub location. They can reach a local network to the location of the hub and talk of talks.
IOS Firewall Router hub shows packages from rays of theses (behind a NAT) with a source IP address that is the router og PSI of public IP address outside the interface. Not the private address LAN IP back spoke.
In addition, the packets are never natted. If I do some captge on an Internet Server, the private source IP is the IP LAN to the LAN behind the rays. This means that the hub, router nat never these packages.

How to solve this problem?

/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Tabel - Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-margin : 0 cm ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

Well I don't know that's why I need your help/advice :-)

I don't know that if I have to configure a VRF on the location of the hub gets also like things might mess upward.

The problem seems to be NAT - T the rays that are not behind a NAT, among which go over the Internet through a Hub and inspection of Cisco IOS and NAT are trying to find.

I tested today with the customer at the start them talking behind nat could ping different server on the Internet but not open an HTTP session. DNS was to find work. The IOS Firewall has been actually

inspection of packages with private real IP address. Then I thought it was a MTU issue, so I decided to do a ping on the Internet with the largest MTU size and suddenly the pings were no more.

I could see on the router Hub1 IOS Firewall was inspecting the public IP of the ISP NAT router again alongside with rays and not more than the actual IP address private. Really strange!

Attached files:

I attach the following files: a drawing of configuration called drawing-Lab - Setup.jpeg | All files for HUB1, BRANCH1 and BRANCH2 ISP-ROUTER configs, named respectively: HUB1.txt, BRANCH1.txt, BRANCH2.txt and ISP - ROUTER .txt

Hub1 newspapers when ping host 200.200.200.200 on the Internet of Branch2 (behind the NAT ISP router):

Branch2 #ping vrf DMVPN-VRF 200.200.200.200 source vlan 100

Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 200.200.200.200, time-out is 2 seconds:
Packet sent with a source address of 192.168.110.1
.....
Success rate is 0% (0/5)

* 06:04:51.017 Jul 15 UTC: % FW-6-SESS_AUDIT_TRAIL_START: start session icmp: initiator (110.10.10.2:8) - answering machine (200.200.200.200:0)

If the IOS Firewall does not inspect the true private source IP address that can be, in this case: 192.168.110.2. He sess on the public IP address.

HUB1 #sh ip nat translations
Inside global internal local outside global local outdoor Pro
ICMP 80.10.10.2:1 80.10.10.2:1 100.10.10.2:1 100.10.10.2:1
ICMP 80.10.10.2:2 80.10.10.2:2 110.10.10.2:2 110.10.10.2:2
UDP 80.10.10.2:4500 80.10.10.2:4500 110.10.10.2:4500 110.10.10.2:4500

There is no entry for packets of teas present NAT

Captge on Tunnel 1 on Hub1 interface (incoming packets in):

7 7.355997 192.168.110.1 200.200.200.200 request ICMP (ping) echo
So that the firewall controllable IOS to the 110.10.10.2:8 public IP sniffing capture said that the package come from private real IP address

Inhalation of vapours on the server (200.200.200.200) with wireshark:

114 14.123552 192.168.110.1 200.200.200.200 request ICMP (ping) echo

If the private IP address of source between local network of BRANCH2 is never natted by HUB1

If the server sees the address source IP private not natted although firewall IOS Hub1 inspect the public IP address 110.10.10.2:8

Hub1 newspapers when ping host 200.200.200.200 on the Internet of Branch1 (not behind the NAT ISP router):

Branch1 #ping vrf DMVPN-VRF 200.200.200.200 source vlan 100

Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 200.200.200.200, time-out is 2 seconds:
Packet sent with a source 192.168.100.1 address
!!!!!

* 06:05:18.217 Jul 15 UTC: % FW-6-SESS_AUDIT_TRAIL_START: start session icmp: initiator (192.168.100.1:8) - answering machine (200.200.200.200:0)

This is so the firewall sees the actual private IP which is 192.168.100.1

HUB1 #sh ip nat translations
Inside global internal local outside global local outdoor Pro
ICMP 80.10.10.2:1 80.10.10.2:1 100.10.10.2:1 100.10.10.2:1
ICMP 80.10.10.2:2 80.10.10.2:2 110.10.10.2:2 110.10.10.2:2
UDP 80.10.10.2:4500 80.10.10.2:4500 110.10.10.2:4500 110.10.10.2:4500
ICMP 80.10.10.2:22 192.168.100.1:22 200.200.200.200:22 200.200.200.200:22

The real private source IP address is also find natted 1 Hub outside the public IP address

Captge on Tunnel 1 on Hub1 interface (incoming packets in):

8 7.379997 192.168.100.1 200.200.200.200 request ICMP (ping) echo

Real same as inspected by IOS Firewall so all private IP address is y find.

Inhalation of vapours on the server (200.200.200.200) with wireshark:

/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Tabel - Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-margin : 0 cm ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

67 10.441153 80.10.10.2 200.200.200.200 request ICMP (ping) echo

So, here's all right. The address is natted correctly.

__________________________________________________________________________________________

Best regards

Laurent

Hello

Just saw your message, I hope this isn't too late.

I don't know what your exact problem, but I think we can work through it to understand it.

One thing I noticed was that your NAT ACL is too general. You need to make it more

specific. In particular, you want to make sure that it does not match the coming of VPN traffic

in to / out of the router.

For example you should not really have one of these entries in your NAT translation table.

HUB1 #sh ip nat translations
Inside global internal local outside global local outdoor Pro
ICMP 80.10.10.2:1 80.10.10.2:1 100.10.10.2:1 100.10.10.2:1
ICMP 80.10.10.2:2 80.10.10.2:2 110.10.10.2:2 110.10.10.2:2
UDP 80.10.10.2:4500 80.10.10.2:4500 110.10.10.2:4500 110.10.10.2:4500

Instead use:

Nat extended IP access list
deny ip any 192.168.0.0 0.0.255.255 connect
allow an ip
deny ip any any newspaper

If you can use:

Nat extended IP access list
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 connect
IP 192.168.0.0 allow 0.0.255.255 everything
deny ip any any newspaper

Also, I would be very careful with the help of the "log" keyword in an ACL, NAT.

I saw problems.

What are the IOS versions do you use?

Try to make changes to the NAT so that you no longer see the entries of translation NAT

for packages of NAT - T (UDP 4500) in the table of translation NAT on the hub. It may be

This puts a flag on the package structure, that IOS Firewall and NAT is

pick up on and then do the wrong thing in this case.

If this does not work then let me know.

Maybe it's something for which you will need to open a TAC case so that we can

This debug directly on your installation.

Mike.

VPN site to Site - NAT network internal

Hi all

I have a site to site VPN setup (both sites have Cisco ASA) where my internal network is 192.168.1.0/24 and internal, the other site of the network happens to have the exact same internal network. Is it possible that I can NAT my internal address to 172.18.1.0/24 and I get the job? It should then allow both sites to communicate successfully. Thank you.

Hello

You'll have to NAT to both ends of the VPN L2L connection. This is because even if you the other end to another network NAT it will mean that this site would have to connect to a destination address that is apparently in its own network and connections would fail.

The format of configuration depends on your level of ASAs software

8.2 software (and below)

Comment by L2LVPN-POLICYNAT-access list policy NAT for VPN L2L

permit access-list L2LVPN-POLICYNAT

static (inside, outside) access-list L2LVPN-POLICYNAT

Software 8.3 (and above)

the object of the LAN network

subnet

network of the LAN - NAT object

subnet

network of the REMOTE object

subnet

NAT static LAN LAN destination - NAT source (indoor, outdoor) static REMOTE

Note to use the correct networks in the statements above. The destination in the configuration network is naturally the NAT network uses the other site.

In the same say, you can you make sure your L2L Crypto ACL VPN connections using the local NAT network as the source and the remote NAT network as the destination.

Hope this helps

-Jouni

ASA Configuration of VPN Site to Site - NAT issues

Greetings,

I am responsible to configure a VPN connection from site to site to a business partner in which I want to firstly NAT to my internal IP to a public IP address and then send it through the tunnel, and vice versa when they try to access my servers I want to get to them through the external IP address. Here's what I think I do, but I was wondering what were the thoughts of the community.

All of the IP addresses represented below are fictitious.

Internal servers Public IP address

10.50.220.150 208.180.170.182

10.50.220.151 208.180.170.183

10.50.220.152 208.180.170.184

Local peer IP: 208.180.254.29

Distance from peer IP: 207.190.218.31

Local network: 208.180.170.0/24

Remote network: 207.190.239.0/24

From my understanding, NAT occur before being sent to a tunnel, or to the internet, etc, so the configuration that I think I need is the following:

NAT (inside) 0 access-list sheep

NAT (inside) 2 10.50.220.150

NAT (inside) 3 10.50.220.151

NAT (inside) 4 10.50.220.152

Global 2 208.180.170.182 (outside)

overall 3 208.180.170.183 (outside)

Global 4 208.180.170.184 (outside)

IP 208.180.170.0 allow Access-list extended sheep 255.255.255.0 207.190.239.0 255.255.255.0 (do I still need this since coordinated to a public IP address still?)

access-list s2s client scope ip 208.180.170.0 allow 255.255.255.0 207.190.239.0 255.255.255.0

Route outside 207.190.239.0 255.255.255.0 207.190.218.31

card crypto off peers set 1 207.190.218.31

Crypto card outside 1 correspondence address s2s-customer

[... rest of the configuration failed..]

That look / her right? If this isn't the case, please advise.

Thank you.

Yes.

PAT (nat/global) will take care of outgoing and static traffic will take care of incoming traffic.

You can create political NAT as well to handle this traffic.

Federico.

LAN to LAN PAT/NAT 3020 hub

Similar Questions

Maybe you are looking for