Policy NAT over VPN

Unanswered Question
Nov 12th, 2007

Pix 525, OS 7.2(3)


I am trying to do the following:


Inside FTP-server 10.1.1.1

Outside NAT-address: 20.1.1.1

Remote Network: 172.16.1.0/24


A VPN connection from the remote network to the outside NAT address that should be redirected to the inside FTP server.


I am trying to use the static command like this:

access-list Crypto_map extended permit ip host 20.1.1.1 172.16.1.0 255.255.255.0


access-list FTP_OVER_VPN extended permit ip host 10.1.1.1 172.16.1.0 255.255.255.0


static (inside,outside) 20.1.1.1 access-list FTP_OVER_VPN


The translation just doesn't work. Is there any better way to do this? I need to use policy NAT since I do not want the FTP server to use the translated address at any other time than over the VPN tunnel.

david.barroso Thu, 11/15/2007 - 04:45

I have a similar scenario but in my case I'm specifying the service:


My ssh server: 172.17.3.4

NATted IP: 172.23.133.4


access-list 112 permit tcp host 172.17.3.4 eq ssh object-group EDS_NETS

static (DMZ,outside) tcp 172.23.133.4 ssh access-list 112 0 0


In this case my DMZ network overlapped with another VLAN on their side, so I NATted my host. I am not sure if it is necessary to specify the service for it to work. Have you checked that you do not have another static matching the host before the policy-based static rule?
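To make the ordering check in the reply above concrete, here is an added example (not from the thread or from Cisco) that models how a PIX 7.x picks a translation for an inside-to-outside flow: a nat 0 exemption that matches wins first, otherwise static rules are tried in configuration order and the first match wins. It parses the poster's own access-list and static lines; SHADOW (a constructed plain static placed before the policy static) and the rule names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model (not PIX code): nat 0 exemption first, then statics in config order.
@dataclass
class Ace:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    def matches(self, proto, s, d):
        return self.proto in ("ip", proto) and s in self.src and d in self.dst

@dataclass
class Rule:
    line: str                     # config line, echoed in the result
    mapped: "str | None"          # outside address the source becomes; None = nat 0 exemption
    real: "str | None" = None     # plain static: translate every flow from this inside host
    acl: "list | None" = None     # policy static / exemption: apply only when the ACL matches
    def matches(self, proto, s, d):
        if self.acl is None:
            return s == ipaddress.ip_address(self.real)
        return any(a.matches(proto, s, d) for a in self.acl)

def parse_addr(t, i):
    """Consume 'host A', 'any' or 'A MASK' from tokens t at index i."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_ace(line):  # 'access-list NAME [extended] permit PROTO SRC DST' (no ports)
    t = line.split()
    k = t.index("permit")
    proto = t[k + 1].lower()
    src, k = parse_addr(t, k + 2)
    dst, _ = parse_addr(t, k)
    return Ace(proto, src, dst)

def translate(rules, proto, src, dst):
    """Return (source address as seen on the outside, rule that decided it)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ordered = [r for r in rules if r.mapped is None] + [r for r in rules if r.mapped]
    for r in ordered:
        if r.matches(proto, s, d):
            return r.mapped or src, r.line
    return src, "no static matched"

# The poster's policy static; SHADOW is a constructed plain static that would pre-empt it.
FTP_OVER_VPN = [parse_ace("access-list FTP_OVER_VPN extended permit ip host 10.1.1.1 172.16.1.0 255.255.255.0")]
POLICY = Rule("static (inside,outside) 20.1.1.1 access-list FTP_OVER_VPN", "20.1.1.1", acl=FTP_OVER_VPN)
SHADOW = Rule("static (inside,outside) 20.1.1.9 10.1.1.1", "20.1.1.9", real="10.1.1.1")
```

Running translate([SHADOW, POLICY], ...) for the VPN flow shows the plain static winning, which is the situation the reply asks the poster to rule out; an exemption covering the same flow pre-empts the policy static regardless of position.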
