Netgate Discussion Forum

NAT question, how to NAT internal subnet to another…

    StefanSander
    last edited by Sep 29, 2006, 10:25 PM Sep 29, 2006, 10:11 PM

    hi folks,

    i need a little help with NAT…

    Situation
    i have my LAN on 192.168.0.0/24, the LAN of pfsense is
    on 192.168.0.1. The WAN address of pfsense is 192.168.200.1/24, it's connected
    to a cisco router on 192.168.200.100/24 which does split tunneling for our
    customer network.

    My problem now, our customer says we have to NAT our
    internal addresses to their 172.17.xxx.xx/29 network
    before they reach the cisco router (split tunneling only works for these
    172.17.xxx.xx /29 subnet addresses i suppose).

    How exactly to do that? Is that possible at all to rewrite (NAT) addresses
    from 192.168.0.0/24 to 172.17.xxx.xxx/29 and send them out on pfsense
    WAN at 192.168.200.1/24 to a cisco which also is on 192.168.200.100?

    I only want to NAT if the target ip is in the subnet of our customer, otherwise
    the address should not be rewritten to be routed to our isp (the cisco does
    ppp). For internet and so on the 192. is ok, just for our customer and
    the split tunneling it has to be 172. (as far as i understood it).

    Is it possible that 1:1 NAT is what i want? Will an IP that is NATed and
    wants to connect to the internet instead of our customer be routed
    correctly?

    thanks for reading

      hoba
      last edited by Sep 29, 2006, 10:27 PM

      Not sure how you will send out traffic from a 172.17.x.x/29 address to a gateway at 192.168.200.100/24. This is not possible as the routing won't work.

        StefanSander
        last edited by Sep 29, 2006, 10:38 PM

        yes, exactly that is confusing me on the suggestion of our customer, so you agree
        that this might be a mistake? it's definitely not possible to do that (at least it sounds
        impossible…)?

          hoba
          last edited by Sep 29, 2006, 10:51 PM

          unless the cisco has another additional IP to act as gateway for the 172.x.x.x subnet I don't see how that should work.

            StefanSander
            last edited by Sep 29, 2006, 10:56 PM

            many thanks, i am going to ask if there is a gateway for the 172. subnet.

            Wouldn't it be a better solution to route everything normally to the cisco
            router and let it decide on the target ip if it should build up a tunnel or
            send normally via ppp?

              hoba
              last edited by Sep 29, 2006, 11:08 PM

              It somehow sounds to me they are using the 192.ish addresses somewhere already and want/need you to nat to the 172. subnet to not cause conflicts. Hard to say without knowing all the details.

                StefanSander
                last edited by Sep 29, 2006, 11:13 PM

                i will try to get more information from them, maybe they can clear this up.

                thanks for your help!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.