NAT question, how to NAT internal subnet to another…



  • hi folks,

    I need a little help with NAT…

    Situation
    I have my LAN on 192.168.0.0/24; the LAN address of pfSense is
    192.168.0.1. The WAN address of pfSense is 192.168.200.1/24, and it's connected
    to a Cisco router on 192.168.200.100/24 which does split tunneling for our
    customer network.

    My problem now: our customer says we have to NAT our
    internal addresses to their 172.17.xxx.xx/29 network
    before they reach the Cisco router (split tunneling only works for these
    172.17.xxx.xx/29 subnet addresses, I suppose).

    How exactly do I do that? Is it possible at all to rewrite (NAT) addresses
    from 192.168.0.0/24 to 172.17.xxx.xxx/29 and send them out on the pfSense
    WAN at 192.168.200.1/24 to a Cisco which is also on 192.168.200.100?

    I only want to NAT if the target IP is in the subnet of our customer; otherwise
    the address should not be rewritten, so it can be routed to our ISP (the Cisco does
    PPP). For the internet and so on the 192. address is OK; just for our customer and
    the split tunneling it has to be 172. (as far as I understood it).

    Is it possible that 1:1 NAT is what I want? Will an IP that is NATed and
    wants to connect to the internet instead of our customer be routed
    correctly?

    thanks for reading



  • Not sure how you will send out traffic from a 172.17.x.x/29 address to a gateway at 192.168.200.100/24. This is not possible as the routing won't work.



  • Yes, exactly that is confusing me about the suggestion of our customer, so you agree
    that this might be a mistake? It's definitely not possible to do that (at least it sounds
    impossible…)?



  • Unless the Cisco has another additional IP to act as gateway for the 172.x.x.x subnet, I don't see how that should work.



  • Many thanks, I am going to ask if there is a gateway for the 172. subnet.

    Wouldn't it be a better solution to route everything normally to the Cisco
    router and let it decide on the target IP whether it should build up a tunnel or
    send normally via PPP?



  • It somehow sounds to me like they are using the 192.-ish addresses somewhere already and want/need you to NAT to the 172. subnet to not cause conflicts. Hard to say without knowing all the details.



  • I will try to get more information from them; maybe they can clear this up.

    thanks for your help!
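The two points of the thread, modelled in code as an added example (not from the original posts or from pfSense): a destination-conditioned outbound NAT rule that rewrites the 192.168.0.0/24 source only for traffic to the customer /29, and the replies' objection that the Cisco needs a route back to the translated 172.17.x.x address. The customer prefix is redacted in the thread, so 172.17.0.0/29 and the Cisco routing table below are constructed placeholders.

```python
import ipaddress

# Constructed values; the thread only gives the customer prefix as 172.17.xxx.xx/29.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
CUSTOMER_NET = ipaddress.ip_network("172.17.0.0/29")  # placeholder customer subnet
NAT_POOL = ipaddress.ip_network("172.17.0.0/29")      # addresses we may appear as


def one_to_one_possible(inside, outside):
    """1:1 NAT maps a prefix onto another prefix of the same length.
    A /24 (256 addresses) cannot be mapped 1:1 onto a /29 (8 addresses)."""
    return inside.prefixlen == outside.prefixlen


def translate_source(src, dst):
    """Model of a pfSense outbound NAT rule restricted by destination:
    'nat on WAN from LAN_NET to CUSTOMER_NET -> NAT_POOL'.
    Returns the source address the packet leaves the WAN with; traffic to any
    other destination (the internet via the Cisco's PPP) keeps its 192.168.0.x
    source, which is what the original poster asked for."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN_NET and dst in CUSTOMER_NET:
        # Many-to-few: choose a pool member from the source address. A real
        # firewall would also rewrite the source port so several inside hosts
        # can share one pool address.
        hosts = list(NAT_POOL.hosts())
        return str(hosts[int(src) % len(hosts)])
    return str(src)


def cisco_next_hop(translated_src, cisco_routes):
    """Longest-prefix lookup on a constructed Cisco routing table, given as a
    list of (network, next_hop). Replies to a translated source are only
    delivered back to pfSense if the Cisco has a route for the 172.17.x.x/29
    pointing at 192.168.200.1 (the objection raised in the thread)."""
    addr = ipaddress.ip_address(translated_src)
    matches = [r for r in cisco_routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


# Constructed routing table of the Cisco at 192.168.200.100: it knows the
# pfSense LAN and has a default route over the ISP PPP link, nothing for 172.17.
CISCO_ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), "192.168.200.1"),
    (ipaddress.ip_network("0.0.0.0/0"), "ppp-isp"),
]
```

Without an entry for the /29, `cisco_next_hop` resolves the return traffic to the ISP default route, which is why the replies say the NAT cannot work unless the Cisco gets an address or route for the 172. subnet.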
