NAT and IPsec on PIX 6.2

Jan 23rd, 2008

Hello,


Will the pix perform NAT before sending traffic to an IPSEC tunnel?



specifically:


========================================
name 172.28.2.24 EORLA
name 10.1.0.19 WHBIZTALK

access-list 150 permit ip host WHBIZTALK host EORLA

pdm location 172.28.2.24 255.255.255.255 outside
pdm location 10.1.0.19 255.255.255.255 inside

static (inside,outside) 10.230.32.11 10.1.0.19 netmask 255.255.255.255 0 0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WDMHMAP 85 ipsec-isakmp
crypto map WDMHMAP 85 match address 150
crypto map WDMHMAP 85 set peer 10.24.8.17
crypto map WDMHMAP 85 set transform-set ESP-3DES-SHA
crypto map WDMHMAP interface outside
========================================



What I need to see in the IPsec tunnel is traffic with src = 10.230.32.11 and dest = 172.28.2.24.


thanks!

ajagadee Wed, 01/23/2008 - 12:18

Based just upon the configuration that you have posted here, yes, the IP address 10.1.0.19 will be NATted to 10.230.32.11.


Since you want to see the IPsec tunnel with src = 10.230.32.11 and dest = 172.28.2.24, you need to reconfigure ACL 150 to


access-list 150 permit ip host 10.230.32.11 host EORLA


Regards,

Arul


** Please rate if it helps **
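An added illustration of the ordering this answer relies on (not code from the thread or from Cisco): a small Python model in which the static translation is applied to an inside-to-outside packet first, and only then is the crypto map ACL evaluated against the translated packet. The names, addresses and ACEs are taken from the posted configuration; the flow model, the pass-through of untranslated hosts, and all function names are assumptions.

```python
import ipaddress

# Constructed model of the PIX 6.x outbound path: static NAT first,
# then the crypto map ACL sees the already-translated source address.
NAMES = {"EORLA": "172.28.2.24", "WHBIZTALK": "10.1.0.19"}

# static (inside,outside) 10.230.32.11 10.1.0.19 netmask 255.255.255.255
STATICS = {"10.1.0.19": "10.230.32.11"}   # local (inside) -> global (outside)

def resolve(token):
    """Expand a 'name' alias into its dotted address."""
    return NAMES.get(token, token)

def parse_address(tokens):
    """Consume 'host A' or 'A MASK' from an ACE; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(resolve(tokens[1])), tokens[2:]
    net = ipaddress.ip_network(f"{resolve(tokens[0])}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def parse_ace(line):
    """'access-list N permit ip <src> <dst>' -> (src_net, dst_net)."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "permit" or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = parse_address(t[4:])
    dst, _ = parse_address(rest)
    return src, dst

def apply_static_nat(src):
    """Translate the inside source as 'static (inside,outside)' would.
    Hosts without a static are passed through unchanged in this model."""
    return STATICS.get(src, src)

def outbound_flow(src, dst, ace):
    """Return (translated_src, goes_into_tunnel) for an inside->outside packet."""
    xlated = apply_static_nat(src)            # NAT happens first ...
    src_net, dst_net = parse_ace(ace)         # ... then the crypto ACL is
    hit = (ipaddress.ip_address(xlated) in src_net   # checked against the
           and ipaddress.ip_address(dst) in dst_net)  # translated source
    return xlated, hit

ORIGINAL_ACE = "access-list 150 permit ip host WHBIZTALK host EORLA"
CORRECTED_ACE = "access-list 150 permit ip host 10.230.32.11 host EORLA"

if __name__ == "__main__":
    for ace in (ORIGINAL_ACE, CORRECTED_ACE):
        xl, hit = outbound_flow("10.1.0.19", "172.28.2.24", ace)
        print(f"{ace!r}: src becomes {xl}, enters tunnel = {hit}")
```

With the ACE as originally posted the translated source 10.230.32.11 never matches `host WHBIZTALK`, so the packet is sent out in the clear; with the corrected ACE it is selected for the tunnel.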


dsandre-toh Wed, 01/23/2008 - 12:38

I should clarify: the IPsec tunnel is an existing tunnel and has as its endpoints:

local: 10.230.32.3, i.e. the PIX outside interface

remote: 10.24.8.17

...I want to direct traffic from 10.1.0.19 to 172.28.2.24 into the IPsec tunnel, but I need to NAT 10.1.0.19 to 10.230.32.11.




Jon Marshall Wed, 01/23/2008 - 14:08

Hi


Yes, you can NAT the source or destination IP addresses before they enter the IPsec tunnel. The config above looks fine - is it not working?


Jon
