01-23-2008 11:22 AM - edited 03-03-2019 08:23 PM
Hello,
Will the PIX perform NAT before sending traffic to an IPsec tunnel?
specifically:
========================================
name 172.28.2.24 EORLA
name 10.1.0.19 WHBIZTALK
access-list 150 permit ip host WHBIZTALK host EORLA
pdm location 172.28.2.24 255.255.255.255 outside
pdm location 10.1.0.19 255.255.255.255 inside
static (inside,outside) 10.230.32.11 10.1.0.19 netmask 255.255.255.255 0 0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WDMHMAP 85 ipsec-isakmp
crypto map WDMHMAP 85 match address 150
crypto map WDMHMAP 85 set peer 10.24.8.17
crypto map WDMHMAP 85 set transform-set ESP-3DES-SHA
crypto map WDMHMAP interface outside
========================================
what I need to see in the ipsec tunnel is traffic with src = 10.230.32.11 and
dest = 172.28.2.24
thanks!
01-23-2008 12:18 PM
Based just on the configuration that you have posted here, yes, the IP address 10.1.0.19 will be NATed to 10.230.32.11.
Since you want to see the IPsec tunnel with src = 10.230.32.11 and dest = 172.28.2.24, you need to reconfigure ACL 150 to
access-list 150 permit ip host 10.230.32.11 host EORLA
Regards,
Arul
** Please rate if it helps **
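To show what that change looks like in context, here is an added example config (written for this page, not posted by anyone in the thread) that puts the static translation and the crypto ACL side by side. On the PIX the static NAT is applied before the crypto map on the outside interface evaluates the packet, so the crypto ACL has to name the translated address 10.230.32.11, not the inside address 10.1.0.19. It assumes the remote peer 10.24.8.17 is configured with the mirror-image ACL (172.28.2.24 to 10.230.32.11) and the same transform set; neither assumption is stated in the thread.

```text
! Added example, not the original poster's running config.
! Inside host 10.1.0.19 (WHBIZTALK) must reach 172.28.2.24 (EORLA) through the
! existing tunnel to 10.24.8.17, appearing as 10.230.32.11.

name 172.28.2.24 EORLA
name 10.1.0.19 WHBIZTALK

! One-to-one static: 10.1.0.19 is seen on the outside as 10.230.32.11.
! This translation happens before the crypto map sees the packet.
static (inside,outside) 10.230.32.11 10.1.0.19 netmask 255.255.255.255 0 0

! Crypto ACL written against the POST-NAT source address.
! (The original "permit ip host WHBIZTALK host EORLA" names the pre-NAT
! 10.1.0.19 and would not match the translated packet.)
access-list 150 permit ip host 10.230.32.11 host EORLA

! Assumed to match the peer's settings exactly (not shown in the thread).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WDMHMAP 85 ipsec-isakmp
crypto map WDMHMAP 85 match address 150
crypto map WDMHMAP 85 set peer 10.24.8.17
crypto map WDMHMAP 85 set transform-set ESP-3DES-SHA
crypto map WDMHMAP interface outside
```

To confirm the ordering on a live box, send traffic from 10.1.0.19 to 172.28.2.24 and check `show crypto ipsec sa`: the security association for peer 10.24.8.17 should report local ident 10.230.32.11/255.255.255.255 and remote ident 172.28.2.24/255.255.255.255 with the #pkts encaps counter incrementing, and `show xlate` should list the 10.1.0.19 to 10.230.32.11 static. If the SA instead shows local ident 10.1.0.19, the ACL is still matching the pre-NAT address. Separately, 3DES with SHA-1 is what the thread uses but is legacy; on anything current, prefer an AES transform set if the peer supports it.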
01-23-2008 12:38 PM
I should clarify, the ipsec tunnel is an existing tunnel and has as its endpoints:
local: 10.230.32.3, i.e. the PIX outside interface
remote: 10.24.8.17
...I want to direct traffic from 10.1.0.19 to 172.28.2.24 into the IPsec tunnel, but I need to NAT 10.1.0.19 to 10.230.32.11.
01-23-2008 02:08 PM
Hi
Yes, you can NAT the source or destination IP addresses before they enter the IPsec tunnel. The config above looks fine; is it not working?
Jon
01-24-2008 05:45 AM
Working fine, thanks very much!!