01-23-2008 11:22 AM - edited 03-03-2019 08:23 PM
Hello,
Will the PIX perform NAT before sending traffic to an IPsec tunnel?
Specifically:
========================================
name 172.28.2.24 EORLA
name 10.1.0.19 WHBIZTALK
access-list 150 permit ip host WHBIZTALK host EORLA
pdm location 172.28.2.24 255.255.255.255 outside
pdm location 10.1.0.19 255.255.255.255 inside
static (inside,outside) 10.230.32.11 10.1.0.19 netmask 255.255.255.255 0 0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WDMHMAP 85 ipsec-isakmp
crypto map WDMHMAP 85 match address 150
crypto map WDMHMAP 85 set peer 10.24.8.17
crypto map WDMHMAP 85 set transform-set ESP-3DES-SHA
crypto map WDMHMAP interface outside
========================================
What I need to see in the IPsec tunnel is traffic with src = 10.230.32.11 and dest = 172.28.2.24.
Thanks!
01-23-2008 12:18 PM
Based just upon the configuration that you have posted here, yes, the IP address 10.1.0.19 will be NATted to 10.230.32.11.
Since you want to see the IPsec tunnel with src = 10.230.32.11 and dest = 172.28.2.24, you need to reconfigure ACL 150 to:
access-list 150 permit ip host 10.230.32.11 host EORLA
Regards,
Arul
** Please rate if it helps **
01-23-2008 12:38 PM
I should clarify: the IPsec tunnel is an existing tunnel and has as its endpoints:
local: 10.230.32.3, i.e. the PIX outside interface
remote: 10.24.8.17
...I want to direct traffic from 10.1.0.19 to 172.28.2.24 into the IPsec tunnel, but I need to NAT 10.1.0.19 to 10.230.32.11.
01-23-2008 02:08 PM
Hi
Yes, you can NAT the source or destination IP addresses before they enter the IPsec tunnel. The config above looks fine - is it not working?
Jon
01-24-2008 05:45 AM
Working fine, thanks very much!!