Help with NAT outside and VPN

rtjensen4
Level 4

Hi,

I have a situation that requires me to NAT the source IPs that are coming through a VPN connection.

My setup is as such:

A PIX501 acting as a concentrator for 5-6 VPNs (IPSEC) into my network. Just ONE of those VPNs that terminates on the PIX needs to have its source IPs NATd to work on my network. The addresses coming across are 192.168.0.X and they need to be natted to 192.168.4.X

Now, I learned that I can use the following commands to take care of this problem (thanks jon.marshall):

global (inside) 3 192.168.4.17-192.168.4.31 netmask 255.255.255.0
global (inside) 3 192.168.4.16 netmask 255.255.255.255
nat (outside) 3 192.168.0.0 255.255.255.0 outside

From what I understand, the above statements will translate the addresses coming in through a VPN that are 192.168.0.0 to a 192.168.4.X address... 1 to 1 first, then overload the last address.

The above commands worked fine in a Lab situation, where I had only 1 VPN setup between two pixes. When we put the commands into the production environment, all the other VPNs died. When we took out the nat (outside) 3 .... command, everything started to work again, except of course the VPN that needed the nat haha. Ideas?

Please note, the above commands are the ONLY commands that are global (inside) and nat (outside). Is there something that's missing? Do we need a nat (outside) 0 command of some sort maybe? Thanks in advance!
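
To make the behaviour of those three statements concrete, here is a small added simulation (my own code, not from this thread or from Cisco): it hands out the 1:1 pool 192.168.4.17-31 first and then overloads 192.168.4.16, reuses an existing xlate for a source it has already seen, and models a nat (outside) 0 exemption for the other VPNs. The `OutsideNat` class and the 10.1.1.0/24 "other VPN" subnet are constructed for the example, and the rule that an outside source matching no nat (outside) statement gets no xlate once outside dynamic NAT is configured is my assumption for the model, not something either poster states.

```python
from ipaddress import ip_address, ip_network

# Constructed from the thread's config: nat (outside) 3 for 192.168.0.0/24,
# a 1:1 pool of 192.168.4.17-192.168.4.31 and PAT on 192.168.4.16.
POOL_1TO1 = [str(ip_address("192.168.4.17") + i) for i in range(15)]
PAT_ADDR = "192.168.4.16"
NAT_OUTSIDE_3 = ip_network("192.168.0.0/24")


class OutsideNat:
    """Per-flow translation decision for sources arriving on the outside interface."""

    def __init__(self, nat0_exempt=()):
        # nat (outside) 0 access-list: sources that should cross untranslated.
        self.exempt = [ip_network(n) for n in nat0_exempt]
        self.free = list(POOL_1TO1)   # 1:1 addresses not yet handed out
        self.xlate = {}               # source IP -> translated IP

    def translate(self, src):
        """Return the translated source, the source itself for identity NAT,
        or None when the flow would get no xlate (modelled as dropped)."""
        ip = ip_address(src)
        if src in self.xlate:
            return self.xlate[src]                # existing xlate is reused
        if ip in NAT_OUTSIDE_3:
            # Dynamic NAT: 1:1 pool first, then overload the single PAT address.
            mapped = self.free.pop(0) if self.free else PAT_ADDR
            self.xlate[src] = mapped
            return mapped
        if any(ip in net for net in self.exempt):
            return src                            # identity translation
        # Assumption of this model: with outside dynamic NAT configured, an
        # outside source that matches no nat (outside) rule gets no xlate.
        return None


def demo():
    """Walk 16 hosts of the NATd VPN plus one host from another VPN (constructed)."""
    nat = OutsideNat(nat0_exempt=["10.1.1.0/24"])
    results = {f"192.168.0.{h}": nat.translate(f"192.168.0.{h}") for h in range(10, 26)}
    results["10.1.1.5"] = nat.translate("10.1.1.5")
    return results


if __name__ == "__main__":
    for src, mapped in demo().items():
        print(f"{src:14} -> {mapped}")
```

Running it shows the pool filling up host by host, the sixteenth host landing on 192.168.4.16, and the 10.1.1.5 host passing unchanged only because the exemption is present.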

2 Replies

Jon Marshall
Hall of Fame

Hi Ryan

There should be no problems with this config as long as the other VPN source IP addresses don't conflict. We have a production firewall that has many VPNs, some translating the source IPs and some not.

Could you post the config (minus any sensitive info).

Note that you don't have to have any nat statements on the outside for VPNs that you don't want to NAT source IPs.

Another thing to do would be to add a second VPN in your lab environment that you aren't doing NAT on the source IP addresses for and see if you can replicate the problem.

Jon

Ok, I've taken out quite a bit of stuff... Hopefully not too much. The VPN in question is related to

Access-list 105

Global(inside) 3

Crypto map "MAP" section 50

The issue happens when we issue the nat (outside) 192.168.0.0 255.255.255.0 outside command; this is what breaks everything.

Thanks in advance.