nat and ipsec on pix 6.2

Unanswered Question
Jan 23rd, 2008

Hello,

Will the pix perform NAT before sending traffic to an IPSEC tunnel?

specifically:

========================================
name 172.28.2.24 EORLA
name 10.1.0.19 WHBIZTALK
access-list 150 permit ip host WHBIZTALK host EORLA
pdm location 172.28.2.24 255.255.255.255 outside
pdm location 10.1.0.19 255.255.255.255 inside
static (inside,outside) 10.230.32.11 10.1.0.19 netmask 255.255.255.255 0 0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WDMHMAP 85 ipsec-isakmp
crypto map WDMHMAP 85 match address 150
crypto map WDMHMAP 85 set peer 10.24.8.17
crypto map WDMHMAP 85 set transform-set ESP-3DES-SHA
crypto map WDMHMAP interface outside
========================================

What I need to see in the IPsec tunnel is traffic with src = 10.230.32.11 and dest = 172.28.2.24.

thanks!

ajagadee Wed, 01/23/2008 - 12:18

Based just upon the configuration that you have posted here, yes, the IP address 10.1.0.19 will be NATed to 10.230.32.11.

Since you want to see IPSEC Tunnel with src = 10.230.32.11 and dest = 172.28.2.24, you need to reconfigure the ACL 150 to

access-list 150 permit ip host 10.230.32.11 host EORLA

Regards,

Arul

** Please rate if it helps **
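The point Arul makes is the outbound order of operations on the PIX: the static translation is applied first, and only then is the translated packet compared against the crypto map's match ACL. A packet that misses the crypto ACL is not dropped; it is routed out the outside interface unencrypted, which is why an ACL written in terms of the pre-NAT address silently leaks the flow in the clear. The following Python model is an added example, not code from the thread or from Cisco; it parses only the `static` and `access-list ... host ... host` line forms that appear in the posted config and constructs the sample packet itself.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the PIX outbound path discussed in the thread:
#   1. a packet arriving on the inside interface hits the static translation;
#   2. the *translated* packet is compared against the crypto map's match ACL;
#   3. a hit goes into the IPsec tunnel, a miss is routed out "outside" in cleartext.

# 'name' aliases from the posted config (hypothetical values copied from the question).
NAMES = {"EORLA": "172.28.2.24", "WHBIZTALK": "10.1.0.19"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def resolve(token: str) -> str:
    """Map a PIX 'name' alias to its address; other tokens pass through unchanged."""
    return NAMES.get(token, token)


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list N permit ip host A host B' (the only form used in the thread)."""
    p = line.split()
    if p[:1] != ["access-list"] or p[2:5] != ["permit", "ip", "host"] or p[6:7] != ["host"]:
        raise ValueError(f"unsupported ACL line: {line}")
    return AclEntry(
        ipaddress.ip_network(f"{resolve(p[5])}/32"),
        ipaddress.ip_network(f"{resolve(p[7])}/32"),
    )


def parse_static(line: str) -> tuple[str, str]:
    """Parse 'static (inside,outside) GLOBAL LOCAL netmask M 0 0' into (local, global)."""
    p = line.split()
    if p[:1] != ["static"] or p[4:5] != ["netmask"]:
        raise ValueError(f"unsupported static line: {line}")
    return resolve(p[3]), resolve(p[2])


def apply_static_nat(pkt: Packet, statics: dict[str, str]) -> Packet:
    """Outbound step 1: rewrite the source address if it has a static translation."""
    return Packet(statics.get(pkt.src, pkt.src), pkt.dst)


def matches(acl: list[AclEntry], pkt: Packet) -> bool:
    """Outbound step 2: does the (already translated) packet hit any crypto ACL entry?"""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(s in e.src and d in e.dst for e in acl)


def outbound_path(pkt: Packet, statics: dict[str, str], crypto_acl: list[AclEntry]):
    """Return ('ipsec' | 'cleartext', translated_packet) for an inside-to-outside packet."""
    translated = apply_static_nat(pkt, statics)
    return ("ipsec" if matches(crypto_acl, translated) else "cleartext"), translated


# Lines taken from the posted config and from Arul's suggested change.
STATICS = dict([parse_static(
    "static (inside,outside) 10.230.32.11 10.1.0.19 netmask 255.255.255.255 0 0")])
POSTED_ACL = [parse_acl_line("access-list 150 permit ip host WHBIZTALK host EORLA")]
FIXED_ACL = [parse_acl_line("access-list 150 permit ip host 10.230.32.11 host EORLA")]


def demo():
    """Run the constructed sample packet through both versions of ACL 150."""
    pkt = Packet("10.1.0.19", "172.28.2.24")  # constructed: WHBIZTALK -> EORLA
    return outbound_path(pkt, STATICS, POSTED_ACL), outbound_path(pkt, STATICS, FIXED_ACL)


if __name__ == "__main__":
    for label, (path, p) in zip(("posted ACL", "corrected ACL"), demo()):
        print(f"{label}: {p.src} -> {p.dst} leaves via {path}")
```

With the posted ACL the translated packet (10.230.32.11 -> 172.28.2.24) never matches 10.1.0.19, so the model reports `cleartext`; with the corrected ACL it reports `ipsec`. The practical check on a real box is the same idea: confirm that the crypto ACL addresses match what `show xlate` reports for the host, not what the inside host believes its address is.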

dsandre-toh Wed, 01/23/2008 - 12:38

I should clarify: the IPsec tunnel is an existing tunnel and has as its endpoints:

local: 10.230.32.3, i.e. the PIX outside interface

remote: 10.24.8.17

...I want to direct traffic from 10.1.0.19 to 172.28.2.24 into the IPsec tunnel, but I need to NAT 10.1.0.19 to 10.230.32.11.

Jon Marshall Wed, 01/23/2008 - 14:08

Hi

Yes, you can NAT the source or destination IP addresses before they enter the IPsec tunnel. The config above looks fine - is it not working?

Jon
