Outbound PAT over IPSec Tunnel

Answered Question
Jul 26th, 2007

Hi,

The situation is an office with a private IP range with a tunnel to a 3rd party that already uses the same private range, but not with any of the hosts that we need to connect to. All traffic going from the office to the 3rd party needs to be secured.

We therefore want to set up an IPSec tunnel between the two sites (easy) and use PAT on the office PIX (6.3(5)) to make all traffic from the office appear to come from a different single private address.

We've tried to do this with PDM, but it insists on having either no NAT (with an exclusion rule) or static NAT, and doesn't seem to allow PAT.

I've attached a sanitised copy of the office config. Any standard PIX parts have been deleted for brevity.

I'd appreciate any constructive pointers on where I'm going wrong.

Cheers

Correct Answer
sathishd-aus Fri, 07/27/2007 - 01:12

Hi,

The PIX/ASA does the NAT translation in the following steps: first it checks whether any no-NAT (no-NAT control) is configured, then it checks the static NAT translation, and finally it checks the PAT translation.

In your configuration there is a (NAT 0) command stating not to translate any IP address from the range 192.168.0.0 to the remote IP address, so the PIX won't do the translation and the packet is passed to the destination untranslated.

Remove the (NAT 0) command and change the outside_cryptomap_10 access-list to use the PATted IP to the remote IP address, because this access-list is responsible for the interesting traffic that needs to be encrypted.

Please check and revert back.
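The change the answer describes, written out as an added PIX 6.3 example (this is not the poster's attached config): the interface names, the 10.1.1.0/24 partner subnet, the 172.16.99.1 PAT address, the crypto map name and the ACL names other than outside_cryptomap_10 are assumed placeholders.

```cisco
! --- Before: the nat 0 exemption is checked first, so office hosts leave
! --- untranslated with their real 192.168.0.x source addresses.
access-list inside_nat0_outbound permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! Crypto ACL written for the real addresses (what PDM generates).
access-list outside_cryptomap_10 permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0

! --- After: remove the exemption so the dynamic NAT/PAT rule is consulted.
no nat (inside) 0 access-list inside_nat0_outbound

! Policy PAT: office hosts bound for the partner subnet are translated to
! the single assumed address 172.16.99.1 (nat_id 10 ties nat to global).
access-list office_to_partner permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 10 access-list office_to_partner
global (outside) 10 172.16.99.1

! Crypto ACL now matches the translated source. Outbound NAT happens before
! the crypto map check, so an entry for the real addresses would never match.
no access-list outside_cryptomap_10 permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap_10 permit ip host 172.16.99.1 10.1.1.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap_10

! Verify: translations should show 192.168.0.x -> 172.16.99.1 with ports,
! and the SA for 172.16.99.1/32 <-> 10.1.1.0/24 should count encrypted packets.
show xlate
show crypto ipsec sa
```

The partner's crypto ACL has to mirror this (its destination becomes the single PAT address), and because PAT is one-way the partner cannot initiate sessions to individual office hosts.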

ArneLovius Fri, 07/27/2007 - 07:48

Hi,

Many thanks for your explanation, I manually removed the NAT 0 and modified the outside_cryptomap and it now works perfectly.

I was a little surprised that PDM can't do this type of configuration, but thanks to you I now have a much better understanding.

Cheers

Arne
