578 Views, 0 Helpful, 7 Replies

NAT Traffic on Pix 515E (6.3.5) before Tunnel

scoutert24
Level 1

I have several clients using PIX tunnels for site-to-site connections. I have one client who cannot route my internal network address space due to an overlap issue. I have tried to set up the NAT, but the traffic is not changing to the NAT address.

Here are the entries I used (the tunnel is working):

access-list outside_cryptomap_1400 permit ip host 64.x.x.5 142.x.x.86 255.255.255.255
access-list inside-outbound_nat3_acl permit ip 10.0.0.0 255.0.0.0 142.x.x.86 255.255.255.255
nat (inside) 3 access-list inside-outbound_nat3_acl
global (outside) 3 64.x.x.5

Any help would be appreciated!

Thanks,

Robert

7 Replies

mark.j.hodge
Level 3

Try using a static mapping rather than a NAT to the outside interface.

jmia
Level 7

Robert,

Posted the following not so long ago (Policy NAT); it should do the trick for you...

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.1dde284a/3#selected_message

Hope it helps and please rate posts if it does!!

Jay

This did not work. My problem is that my NAT ACL is getting hits, but that is where it looks like the traffic stops.

Here are my configs:

access-list inside-outbound_nat3_acl permit ip 10.x.x.0 255.0.0.0 142.x.x.86 255.255.255.255
access-list outside_cryptomap_1400 permit ip host 64.x.x.5 142.x.x.86 255.255.255.255
global (outside) 3 64.x.x.5
nat (inside) 3 access-list inside-outbound_nat3_acl
crypto map outside_map 1400 ipsec-isakmp
crypto map outside_map 1400 match address outside_cryptomap_1400
crypto map outside_map 1400 set peer 199.x.x.23
crypto map outside_map 1400 set transform-set ESP-3DES-MD5
crypto map outside_map 1400 interface outside
isakmp policy 1400 authentication pre-share
isakmp policy 1400 encryption 3des
isakmp policy 1400 hash md5
isakmp policy 1400 group 2
isakmp policy 1400 lifetime 86400

Any other ideas?

Thanks,

Robert

Have you done any debugging, or do you have any logs that you can post?

I have just been watching counts on access lists. Do you have any other ideas on how to debug the issue?

I just started picking up the network devices at my company, since our last network engineer moved on.

Robert

Attached is a working configuration of policy NAT VPN from my lab. Things to note:

If there's another IPSec tunnel that uses NAT exemption, there will be a "nat (inside) 0 access-list ..." line in the existing configuration.

The access-list this references needs a deny added to it that specifies any traffic from the LAN side going to the peer inside subnet is ignored, otherwise the NAT will not happen.

Hope this helps!

Jay
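Jay's ordering point above, as an added example that is not part of the thread: a small Python model of the PIX lookup order (the nat 0 exemption ACL is consulted before the policy NAT ACL, and only then does the crypto map ACL see the packet), run over the thread's own access-list lines. The addresses 142.0.2.86, 64.0.2.5 and 10.1.2.3 are constructed stand-ins for the masked values, and the `nonat` exemption ACL for the "other" tunnel is an assumed name and entry.

```python
import ipaddress

PEER_HOST = "142.0.2.86"  # constructed stand-in for the post's 142.x.x.86 (remote host)
NAT_GLOBAL = "64.0.2.5"   # constructed stand-in for the post's 64.x.x.5 (global (outside) 3)

def _net(tok, i):
    """Read one PIX address operand ('host A' or 'NET DOTTED-MASK') starting at tok[i]."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(lines):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines into {name: [(action, src, dst)]}."""
    acls = {}
    for line in lines:
        tok = line.split()  # tok[3] is the protocol keyword 'ip'
        src, i = _net(tok, 4)
        dst, _ = _net(tok, i)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def acl_permits(entries, src, dst):
    """First matching entry wins, as on the PIX; no match means deny."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False

def egress_source(acls, nat_rules, src, dst):
    """Source address at the crypto map, or None if no NAT rule matched.
    nat_rules is ordered (nat_id, acl, global); nat 0 exemption is checked before policy NAT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for nat_id, acl_name, global_addr in nat_rules:
        if acl_permits(acls.get(acl_name, []), src, dst):
            return str(src) if nat_id == 0 else global_addr
    return None

def simulate(with_deny):
    """10.1.2.3 -> PEER_HOST through the thread's rules; returns (egress source, matches crypto ACL)."""
    lines = [f"access-list outside_cryptomap_1400 permit ip host {NAT_GLOBAL} {PEER_HOST} 255.255.255.255",
             f"access-list inside-outbound_nat3_acl permit ip 10.0.0.0 255.0.0.0 {PEER_HOST} 255.255.255.255"]
    if with_deny:  # Jay's deny, placed before the broad permit because first match wins
        lines.append(f"access-list nonat deny ip 10.0.0.0 255.0.0.0 {PEER_HOST} 255.255.255.255")
    lines.append("access-list nonat permit ip 10.0.0.0 255.0.0.0 142.0.0.0 255.0.0.0")  # constructed exemption for another tunnel
    acls = parse_acl(lines)
    nat_rules = [(0, "nonat", None), (3, "inside-outbound_nat3_acl", NAT_GLOBAL)]
    egress = egress_source(acls, nat_rules, "10.1.2.3", PEER_HOST)
    in_tunnel = egress is not None and acl_permits(
        acls["outside_cryptomap_1400"], ipaddress.ip_address(egress), ipaddress.ip_address(PEER_HOST))
    return egress, in_tunnel
```

Without the deny the exemption wins, the packet keeps its 10.x source and never matches the crypto ACL (which only permits the global address), which is exactly the "NAT ACL gets hits but nothing is encrypted" symptom from the thread.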

I tried this, but it did not work. Here is my running config...

Robert
