PIX L2L VPN nat issue

Jul 5th, 2007
Maybe I'm being thick about this. I need to send traffic through a L2L IPSEC tunnel to a remote office location. My issue is this: I need to send a private subnet (10.5.1.0/24) through my L2L tunnel and then NAT that subnet to a public IP. I'm sure I need to use a static because my traffic is terminating on my outside interface at the remote site. I just can't seem to get my thinking straight on this one. Any ideas?


Thanks,

Chris

Jon Marshall Thu, 07/05/2007 - 22:52
Hi Chris


Just to clarify: do you want to NAT the traffic to a public IP address before it goes down the tunnel, or after it has got to the remote end? If at the remote end, do you want it NATted before it goes through the remote-end firewall to the internal LAN?


Jon

chrismoore63 Fri, 07/06/2007 - 06:56
I need to NAT the private traffic after it comes out of the IPSEC tunnel at my remote site. I'll then route it to an internal (higher security level) interface. I was thinking I could take that subnet and just NAT it to the address of the interface I'd send it out, but I thought your source IP address had to match for you to do policy NAT static statements. Am I missing something? I have to believe I'm making this more difficult than it has to be...

Jon Marshall Fri, 07/06/2007 - 12:09
Chris


nat (outside) 1 10.5.1.0 255.255.255.0 outside
global (inside) 1 interface

Does this sound right? I get the feeling I'm still not fully understanding your situation, but the above would NAT all your 10.5.1.x addresses to the IP address of the inside interface after being decrypted at the remote end.


Jon

chrismoore63 Fri, 07/06/2007 - 12:21
Can you reverse the NAT and Global statements like that on the interfaces? I thought you had to use a static statement to go from a lower security level to a higher security level. I haven't seen any examples of that on Cisco or anywhere else. If I'm able to do that, then that's exactly what I'm looking for. I need to PAT that private subnet to a public IP to route it to a partner network as they don't permit private IPs to be routed across their network. Will I still need to have statics involved or will the PIX know it needs to do reverse (outside?) NAT?


Thanks,

Chris

Jon Marshall Fri, 07/06/2007 - 12:52
Chris


We are talking PIX/ASA here, aren't we? And we are talking about NATting your source IP addresses, right?


If so, yes, absolutely you can do this, as I have done it many times in production environments.


No, you won't need statics. You do generally need a static to go from lower to higher, but remember that is for the destination IP.


You're not concerned with the destination IP addresses; you are only concerned with NATting the source IP addresses.


Edit: just make sure your NAT statement ends with "outside", as in the above example. This is, in effect, how the PIX knows to NAT in that direction.


Jon
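Putting Jon's two lines into context, the fragment below is an added illustration of outside NAT on the remote-site PIX (PIX/ASA 7.x syntax); it is not configuration posted by anyone in this thread. The crypto ACL name, the remote LAN and the public PAT address are placeholders.

```text
! Added example, not from the thread. Remote-site PIX, 7.x syntax.
! Placeholders: L2L_TRAFFIC, <REMOTE_LAN> <MASK>, <PUBLIC_PAT_ADDRESS>.
!
! The tunnel delivers packets from 10.5.1.0/24 to the outside interface, where
! they are decrypted with their real source addresses intact. The crypto ACL
! (written from this side's perspective) therefore still references 10.5.1.0/24,
! not the translated address.
access-list L2L_TRAFFIC extended permit ip <REMOTE_LAN> <MASK> 10.5.1.0 255.255.255.0
!
! Outside NAT: the trailing "outside" keyword marks 10.5.1.0/24 as real addresses
! living behind the lower-security (outside) interface, so the PIX translates
! the source on the way in towards the inside interface.
nat (outside) 1 10.5.1.0 255.255.255.0 outside
!
! Pool for NAT ID 1 on the destination (inside) interface. Chris's partner
! network needs a public source, so a public address is used; Jon's variant
! "global (inside) 1 interface" would PAT to the inside interface address instead.
global (inside) 1 <PUBLIC_PAT_ADDRESS>
!
! No static is needed: statics apply to the destination address when a
! lower-security host initiates to a higher-security host, and only the source
! is being translated here.
!
! Verification after a 10.5.1.x host sends traffic through the tunnel:
!   show xlate        - expect one PAT entry per flow mapping 10.5.1.x to the global
!   show crypto ipsec sa - decrypt counters on the peer SA should increase
```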
