After Tunnel Ends, Need to NAT and Forward Packets

Unanswered Question
Mar 23rd, 2007

Hi Everyone:

This is my second post; I desperately need to know whether or not what I'm attempting is even possible.

I have a Pix into which both remote access and site-to-site tunnel sessions terminate (via RAN and Outside interfaces).

Users are currently able to access resources directly connected to the PIX (e.g. servers in the DMZ).

I now want to give said users access to a remote office. For this, I want to forward packets out another interface (call it RAN2) to an IPSEC router that starts a new tunnel across the internet.

The trick is, I want to overload NAT (PAT) all forwarded packets so their source address becomes RAN2's address. This would simplify the crypto ACL on the IPSEC router (and its remote peer) as we wouldn't have to contend with multiple addresses (ip local pools, private LAN addresses from the PIX).

I'm challenged on how to configure the NAT/global pair in the PIX to effect the NAT. E.g. the following doesn't work:

nat (ran) 5 pool_subnet

nat (outside) 5 pool2_subnet 255.255.0 //the pix coughs at this

global (ran2) 5 interface //I've tried with actual IP address as well.

Any assistance would be greatly appreciated.

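For readers who land on this thread with the same goal, here is an added configuration sketch that is not from the original post or any reply. It shows one way to PAT both the remote-access pool and the site-to-site LAN to the RAN2 interface address with a single nat/global pair, and it also shows why the posted line with mask 255.255.0 is rejected. Everything in it is assumed: PIX 7.x syntax, the interface names ran, outside and ran2, and all addresses (10.10.10.0/24 for the remote-access pool, 10.20.20.0/24 for the LAN behind the site-to-site peer, 192.168.50.0/24 for the remote office behind the IPSEC router) are constructed placeholders.

```cisco
! Added example, not the original poster's config. All names and addresses are assumed.
! 10.10.10.0/24   - constructed remote-access ip local pool, sessions terminate on ran
! 10.20.20.0/24   - constructed LAN behind the site-to-site peer, tunnel terminates on outside
! 192.168.50.0/24 - constructed LAN at the remote office, reached via the IPSEC router on ran2

! Sources arriving on ran (higher security than outside): ordinary inside NAT.
nat (ran) 5 10.10.10.0 255.255.255.0

! Sources arriving on outside (security level 0) need outside NAT, hence the trailing
! "outside" keyword. The mask must be four octets; "255.255.0" is what the PIX coughs at.
nat (outside) 5 10.20.20.0 255.255.255.0 outside

! One global for both nat statements: PAT every forwarded packet to ran2's own address.
global (ran2) 5 interface

! Flows entering on outside and leaving via a higher-security interface still need an
! explicit permit unless decrypted VPN traffic is exempted by the sysopt permit-ipsec /
! permit-vpn setting (the name depends on the PIX release).
access-list outside_in extended permit ip 10.20.20.0 255.255.255.0 192.168.50.0 255.255.255.0
access-group outside_in in interface outside

! The IPSEC router on ran2 now only needs a crypto ACL matching the single ran2
! address to 192.168.50.0/24, which is the simplification the post is after.
```

The trade-off to keep in mind: once everything is PAT'd to the RAN2 address, the IPSEC router and the remote peer no longer see which pool user or which site originated a flow, so per-session accountability rests entirely on the PIX's own xlate and connection syslog records. Keep those logged and retained. Check the result with `show xlate` after bringing up a session from each source; the translations should all show the ran2 interface address as the mapped source. The approach the poster eventually took, per the reply below, was static translations instead, which gives a fixed mapping per host or subnet at the cost of one static per entry.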
shiprider Mon, 04/02/2007 - 08:21
Thanks for the response. That's what I eventually ended up doing. Only downside, too many statics... but it works.
