PIX - VPN NAT

Feb 11th, 2008
We have a PIX firewall running 6.3(3). Currently it is configured so that inside desktops NAT as the PIX outside interface IP and hit the internet. We are planning to establish a site-to-site VPN between us and another company. The other company is insisting that we NAT the desktops to an Internet IP before entering the IPsec tunnel; however, desktops should continue to hit the internet as the PIX outside interface IP. Can you please point me to a configuration example or commands that can make this happen? Thanks in advance.


Regards ,

Som

Jon Marshall Mon, 02/11/2008 - 13:19
Hi Som


You can use the same IP address attached to the Pix outside interface for both internet traffic and VPN traffic.


NAT happens before the traffic is encrypted and sent down the tunnel, so the key thing is to make sure that your crypto access-list uses the public IP address rather than the private IPs. So let's say


local network = 192.168.5.0/24

remote network = 172.16.5.0/24


Public IP on outside of your PIX = 195.177.10.12


So when your clients go to the Internet they get NATted to 195.177.10.12.


You can use this same address in your crypto access-list, i.e.


access-list vpn_traffic permit ip host 195.177.10.12 172.16.5.0 255.255.255.0


HTH


Jon

ciscosom Mon, 02/11/2008 - 13:35

Jon,


Thanks for replying to me. I think I did not explain it right. The requirement of the other company is this: let's say the inside IP of the desktop is 192.168.5.8. If it needs to hit the internet, the desktop NATs as 195.177.10.2 (PIX outside interface); however, if it needs to go into the IPsec tunnel, it needs to NAT as 195.177.10.15 (for example). Is this doable?


Regards

Som


Jon Marshall Mon, 02/11/2008 - 13:40

Som


Okay, I understand.


Yes, this is possible. You need to use policy NAT. So


internal net = 192.168.5.0/24

remote net = 172.16.5.0/24

Public IP on PIX = 195.177.10.15


access-list vpnnat permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0


nat (inside) 2 access-list vpnnat

global (outside) 2 195.177.10.15


and then your crypto map access-list looks like


access-list vpntraffic permit ip host 195.177.10.15 172.16.5.0 255.255.255.0


Note that I have used nat (inside) 2 and global (outside) 2, i.e. I have used the id of 2. You need to choose an id that is not currently in use.


HTH, let me know how you get on


Jon
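Added example, not part of the thread and not Jon's or Cisco's code: a small Python model of the PIX 6.3 behaviour Jon describes, built from the thread's own addresses. It assumes policy NAT (nat with an access-list) is evaluated before the plain nat/global pair and that the crypto ACL is matched against the post-NAT source; the existing internet NAT to 195.177.10.2 is assumed to be a plain nat (inside) 1 statement, which the thread never shows. The lint at the end flags the mistake Jon warns about, a crypto ACE whose source is still a private address.

```python
from ipaddress import ip_address, ip_network

def parse_ace(line):
    """Parse 'access-list NAME permit ip SRC DST' where SRC/DST is 'host X', 'NET MASK' or 'any'."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    rest, nets = toks[4:], []
    while rest:
        if rest[0] == "host":
            nets.append(ip_network(rest[1] + "/32")); rest = rest[2:]
        elif rest[0] == "any":
            nets.append(ip_network("0.0.0.0/0")); rest = rest[1:]
        else:
            nets.append(ip_network(f"{rest[0]}/{rest[1]}")); rest = rest[2:]
    return toks[1], nets[0], nets[1]

# Constructed config reproducing Jon's second answer; the regular_nat line is an assumption.
CONFIG = {
    "acl": [
        "access-list vpnnat permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0",
        "access-list vpntraffic permit ip host 195.177.10.15 172.16.5.0 255.255.255.0",
    ],
    "policy_nat": [("vpnnat", "195.177.10.15")],          # nat (inside) 2 access-list vpnnat / global (outside) 2
    "regular_nat": [("192.168.5.0/24", "195.177.10.2")],  # assumed nat (inside) 1 / global (outside) 1 (outside IP)
    "crypto_acl": "vpntraffic",
}
def acl(name, cfg=CONFIG):
    return [(s, d) for n, s, d in map(parse_ace, cfg["acl"]) if n == name]

def translate(src, dst, cfg=CONFIG):
    """Assumed PIX order: policy NAT (nat ... access-list) is checked before plain nat/global."""
    s, d = ip_address(src), ip_address(dst)
    for name, pat in cfg["policy_nat"]:
        if any(s in sn and d in dn for sn, dn in acl(name, cfg)):
            return pat
    for net, pat in cfg["regular_nat"]:
        if s in ip_network(net):
            return pat
    return src  # no translation applies

def enters_tunnel(src, dst, cfg=CONFIG):
    """The crypto ACL sees the post-NAT source, which is why it must name the public IP."""
    s, d = ip_address(translate(src, dst, cfg)), ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl(cfg["crypto_acl"], cfg))

def crypto_acl_private_sources(cfg=CONFIG):
    """Lint: crypto ACEs whose source is RFC 1918 can never match NATted traffic."""
    return [str(sn) for sn, _ in acl(cfg["crypto_acl"], cfg) if sn.is_private]
```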
