problem with nat for overlapping address help pls



sebastan_bach
2008-04-22, 14:22
Hi all, I am trying to figure out how to allow traffic between overlapping addresses with NAT.

Here's my setup.

inside-router -------FW-INTERNAL-INT
outside-router------fw-external-int
dmz-router---------fw-dmz-int

My FW is running on SPLAT.

The inside router interface IP is 10.1.1.254 and the FW internal interface IP is 10.1.1.100/24.
The inside router has a loopback with address 40.1.1.1/24.
The inside router has a default route pointing to 10.1.1.100.

The DMZ router interface IP is 30.1.1.2 and the FW DMZ interface IP is 30.1.1.1/24.
The DMZ router has a loopback interface with IP 40.1.1.1/24.
The DMZ router has a default route pointing to 30.1.1.1.

The FW external interface IP is 1.1.1.1/24.
The outside router interface IP is 1.1.1.2/24.
The outside router has a loopback interface with address 100.1.1.1/24.

On the FW I added a route for 40.1.1.0/24 pointing to 10.1.1.254, another route for the same 40.1.1.0/24 pointing to 30.1.1.2, and a default route pointing to the outside router at 1.1.1.2.

Now I want to allow the overlapping loopbacks on the inside router and the DMZ router to talk to each other.

For the topology configuration for anti-spoofing:

I created network objects and called them in groups.

network object1 = insidenet1 = 10.1.1.0/24
network object2 = insidenet2 = 40.1.1.0/24
network object3 = dmznet1 = 30.1.1.0/24
network object4 = dmznet2 = 40.1.1.0/24

I created a group called insidenetwork and put insidenet1 and insidenet2 in it.

I created another group called dmznetwork and put dmznet1 and dmznet2 in it.

In the topology configuration of the module, for the internal interface I selected "internal interface" and in the specified networks I selected the group insidenetwork. I did the same for the DMZ interface: I selected "interface leads to DMZ" and specified the group dmznetwork.

I wanted insidenet2 to reach dmznet2 by the IP address 192.168.2.0/24.
Similarly, dmznet2 would reach insidenet2 by the IP address 192.168.1.0/24.

I created 2 network objects:

1) staticnet1 192.169.1.0/24
2) staticnet2 192.168.2.0/24

I created 2 manual static NAT rules.

Rule 1

In the original packet the source is insidenet2 and the destination is staticnet2.
In the translated packet the source is staticnet1 and the destination is dmznet2.

Rule 2

In the original packet the source is dmznet2 and the destination is staticnet1.
In the translated packet the source is staticnet2 and the destination is insidenet2.

I have created 2 security rules.

The first rule permits source insidenet1 to destination staticnet2, service any.
The second rule permits source dmznet2 to destination staticnet1, service any.

It's not working.

With this config, when I try to telnet to 192.168.2.1 with the source of 40.1.1.1, it is telnetting to its own address of 40.1.1.1.

I am not able to figure out where I am going wrong with this. I couldn't find any good configuration examples on the same. Can someone please help me out with this?

Regards

Sebastan
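Added example (not from the post or from Check Point): a small Python model of the two manual static NAT rules described above, followed by a route lookup on the translated destination, using the post's addresses. Assumptions: staticnet1 is modelled as 192.168.1.0/24 as in the post's description of the intent (its object list types 192.169.1.0/24), and internal/dmz/external are labels the model gives the three firewall interfaces. The model shows why two routes for the same 40.1.1.0/24 prefix cannot be told apart by a destination-only lookup, and how excluding the ingress interface makes each direction unambiguous.

```python
from ipaddress import ip_address, ip_network

# Manual static NAT rules from the post: (orig src, orig dst, xlated src, xlated dst).
# staticnet1 is modelled as 192.168.1.0/24 (the post's object list types 192.169.1.0/24).
NAT_RULES = [
    ("40.1.1.0/24", "192.168.2.0/24", "192.168.1.0/24", "40.1.1.0/24"),  # rule 1: inside -> dmz
    ("40.1.1.0/24", "192.168.1.0/24", "192.168.2.0/24", "40.1.1.0/24"),  # rule 2: dmz -> inside
]

# Firewall routes from the post: (prefix, next hop, egress interface label).
ROUTES = [
    ("40.1.1.0/24", "10.1.1.254", "internal"),
    ("40.1.1.0/24", "30.1.1.2", "dmz"),
    ("0.0.0.0/0", "1.1.1.2", "external"),
]

def static_map(addr, from_net, to_net):
    """One-to-one static NAT: keep the host offset, swap the network part."""
    offset = int(ip_address(addr)) - int(ip_network(from_net).network_address)
    return str(ip_network(to_net).network_address + offset)

def apply_nat(src, dst):
    """Return (translated src, translated dst); the first matching rule wins."""
    for osrc, odst, xsrc, xdst in NAT_RULES:
        if ip_address(src) in ip_network(osrc) and ip_address(dst) in ip_network(odst):
            return static_map(src, osrc, xsrc), static_map(dst, odst, xdst)
    return src, dst

def lookup_route(dst, exclude_iface=None):
    """Longest-prefix match over ROUTES. With two routes for 40.1.1.0/24 a plain
    lookup is ambiguous (first one wins); excluding the ingress interface resolves it."""
    best = None
    for prefix, nh, iface in ROUTES:
        net = ip_network(prefix)
        if ip_address(dst) in net and iface != exclude_iface:
            if best is None or net.prefixlen > ip_network(best[0]).prefixlen:
                best = (prefix, nh, iface)
    return best

def forward(src, dst, ingress, ingress_aware=True):
    """Translate first (client-side NAT), then route on the translated destination.
    Returns (xlated src, xlated dst, next hop, egress interface)."""
    xsrc, xdst = apply_nat(src, dst)
    route = lookup_route(xdst, ingress if ingress_aware else None)
    return xsrc, xdst, route[1], route[2]

if __name__ == "__main__":
    # Constructed packet: the inside loopback 40.1.1.1 telnets to 192.168.2.1.
    print(forward("40.1.1.1", "192.168.2.1", "internal", ingress_aware=False))
    print(forward("40.1.1.1", "192.168.2.1", "internal"))
    print(forward("40.1.1.1", "192.168.1.1", "dmz"))  # reply direction
```

With a destination-only lookup the translated packet is handed back to the inside router at 10.1.1.254, which itself owns 40.1.1.1; with the ingress interface excluded it goes to 30.1.1.2 and the reply path maps back symmetrically.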