Greetings.
I'm new to Cisco NAT and have found the documentation quite confusing. I'm firing up a VPN tunnel (client-to-site) using Checkpoint's SecureRemote and NG. On the site side, the NG box (VPN-1 and FireWall-1) is sitting behind two 3620s running 12.2 that each have a pipe to our ISP. The two routers are HSRP-ing with each other for failover/balancing. The internal Ethernet interfaces of the routers are bound to a single virtual IP address (private: 192.168.10.5). The external interface of the firewall is 192.168.10.6 (note to all: these IP addresses are FAKE to protect the innocent). Our users are hidden behind a NAT hide provided by the Checkpoint box. We do not have any direct x-lates, save for a mail server. DMZ machines have "real" addresses.
To initiate a VPN tunnel from the outside (i.e., the Internet), the external interface of the device providing the tunnel requires a "real" address. Since the external interface of the Firewall/VPN is not real, the two external 3620s need to x-late a real-life Internet address to the private (192.168.10.6) address.
On each of the 3620s, I've done this:
!
interface Ethernet0/0
 ip nat inside
!
interface Serial0/0
 ip nat outside
!
! inside local 192.168.10.6 (firewall external interface) <-> inside global 12.12.12.12
ip nat inside source static 192.168.10.6 12.12.12.12
!
I can authenticate successfully to the VPN endpoint (from both inside the "site" side and from the Internet); however, I cannot download the SecureRemote policy from the Internet, but I can from inside the network. I am running ACLs on the 3620s but disable them for testing/troubleshooting purposes.
Can you advise if this translation syntax is good or not before I take the question to Checkpoint? (A basic gist lesson in Cisco's NAT would be appreciated as well.) Bear in mind, I do not need to "hide" internal users (Checkpoint takes care of that). This is just to provide external users access to the external interface of the firewall/VPN object, which resides *inside* the Cisco ring.
TIA.
-r
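As an added illustration (not part of the original post, and not Cisco's or Checkpoint's code), the following Python model shows what the two halves of the posted configuration mean: `ip nat inside` / `ip nat outside` mark the interfaces between which translation happens, and `ip nat inside source static <inside-local> <inside-global>` rewrites the source address for traffic leaving inside-to-outside and the destination address for traffic arriving outside-to-inside. The interface names (Ethernet0/0, Serial0/0), the remote client address 203.0.113.9 and the inside subnet 192.168.10.0/24 are constructed assumptions; the router's choice of outbound interface is passed in explicitly because it comes from routing, which the model does not cover. The sanity check at the end flags a translation entry whose inside-local address is not in the inside subnet, which is the kind of typo (182 vs 192) that is easy to make in these lines.

```python
# Added example: a minimal model of Cisco IOS static NAT semantics.
# Addresses are the constructed ones from the post; nothing here is real.
import ipaddress
import re
from dataclasses import dataclass, replace as dc_replace

# Configuration as described in the post (interface names are assumed).
POSTER_CONFIG = """
!
interface Ethernet0/0
 ip nat inside
!
interface Serial0/0
 ip nat outside
!
ip nat inside source static 192.168.10.6 12.12.12.12
!
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str    # interface the packet arrived on
    out_iface: str   # interface routing has chosen to forward it out of


class StaticNat:
    """Parses the NAT-relevant lines and applies 1:1 static translation."""

    def __init__(self):
        self.inside_ifaces = set()
        self.outside_ifaces = set()
        self.local_to_global = {}   # inside local  -> inside global
        self.global_to_local = {}   # inside global -> inside local
        self._current_iface = None

    def load(self, config: str):
        for raw in config.splitlines():
            line = raw.strip()
            if not line or line.startswith("!"):      # '!' is an IOS comment
                continue
            m = re.match(r"interface\s+(\S+)$", line, re.IGNORECASE)
            if m:
                self._current_iface = m.group(1)
                continue
            if line == "ip nat inside" and self._current_iface:
                self.inside_ifaces.add(self._current_iface)
                continue
            if line == "ip nat outside" and self._current_iface:
                self.outside_ifaces.add(self._current_iface)
                continue
            m = re.match(r"ip nat inside source static (\S+) (\S+)$", line)
            if m:
                local = str(ipaddress.ip_address(m.group(1)))
                glob = str(ipaddress.ip_address(m.group(2)))
                self.local_to_global[local] = glob
                self.global_to_local[glob] = local
        return self

    def translate(self, pkt: Packet) -> Packet:
        """Return the packet as it would leave the router."""
        inside_to_outside = (pkt.in_iface in self.inside_ifaces
                             and pkt.out_iface in self.outside_ifaces)
        outside_to_inside = (pkt.in_iface in self.outside_ifaces
                             and pkt.out_iface in self.inside_ifaces)
        if inside_to_outside and pkt.src in self.local_to_global:
            # Outbound: source rewritten from inside local to inside global.
            return dc_replace(pkt, src=self.local_to_global[pkt.src])
        if outside_to_inside and pkt.dst in self.global_to_local:
            # Inbound: destination rewritten from inside global to inside local.
            return dc_replace(pkt, dst=self.global_to_local[pkt.dst])
        # No matching entry, or not crossing an inside/outside boundary.
        return pkt

    def locals_outside_subnet(self, inside_subnet: str):
        """Inside-local addresses that are not in the expected inside subnet."""
        net = ipaddress.ip_network(inside_subnet)
        return [a for a in self.local_to_global
                if ipaddress.ip_address(a) not in net]


if __name__ == "__main__":
    nat = StaticNat().load(POSTER_CONFIG)
    print(nat.translate(Packet("192.168.10.6", "203.0.113.9", "Ethernet0/0", "Serial0/0")))
    print(nat.translate(Packet("203.0.113.9", "12.12.12.12", "Serial0/0", "Ethernet0/0")))
    typo = StaticNat().load(POSTER_CONFIG.replace("192.168.10.6", "182.168.10.6"))
    print("entries outside inside subnet:", typo.locals_outside_subnet("192.168.10.0/24"))
```

The model is deliberately stateless: a static entry is bidirectional and needs no prior outbound session, which is why an inbound packet to 12.12.12.12 is rewritten even if the firewall never sent anything first. Traffic between two inside interfaces, or to a global address with no entry, passes through unchanged.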