PIX - VPN NAT

Unanswered Question
Feb 11th, 2008

We have a PIX firewall running 6.3(3). Currently it is configured so that inside desktops NAT as the PIX outside interface IP and hit the internet. We are planning to establish a site-to-site VPN between us and another company. The other company is insisting that we NAT the desktops to an Internet IP before entering the IPsec tunnel; however, desktops should continue to hit the internet as the PIX outside interface IP. Can you please point me to a configuration example or commands that can make this happen? Thanks in advance.

Regards ,

Som

Jon Marshall Mon, 02/11/2008 - 13:19

Hi Som

You can use the same IP address attached to the Pix outside interface for both internet traffic and VPN traffic.

NAT happens before the traffic is encrypted and sent down the tunnel, so the key thing is to make sure that your crypto access-list uses the public IP address rather than the private IPs. So let's say

local network = 192.168.5.0/24

remote network = 172.16.5.0/24

Public IP on outside of your PIX = 195.177.10.12

So when your clients go to the Internet they get NATted to 195.177.10.12.

You can use this same address in your crypto access-list, i.e.

access-list vpn_traffic permit ip host 195.177.10.12 172.16.5.0 255.255.255.0

HTH

Jon

ciscosom Mon, 02/11/2008 - 13:35

Jon ,

Thanks for replying to me. I think I did not explain it right. The requirement of the other company is: let's say the inside IP of the desktop is 192.168.5.8. If it needs to hit the internet, the desktop NATs as 195.177.10.2 (PIX outside interface); however, if it needs to go into the IPsec tunnel, it needs to NAT as 195.177.10.15 (for example). Is this doable?

Regards

Som

Jon Marshall Mon, 02/11/2008 - 13:40

Som

Okay, I understand.

Yes, this is possible. You need to use policy NAT. So

internal net = 192.168.5.0/24

remote net = 172.16.5.0/24

Public IP on pix = 195.177.10.15

access-list vpnnat permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0

nat (inside) 2 access-list vpnnat

global (outside) 2 195.177.10.15

and then your crypto map access-list looks like

access-list vpntraffic permit ip host 195.177.10.15 172.16.5.0 255.255.255.0

Note that I have used nat (inside) 2 and global (outside) 2, i.e. I have used the ID of 2. You need to choose an ID that is not currently in use.

HTH, let me know how you get on

Jon
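The two answers above give the policy NAT and crypto ACL pieces separately. The following is an added configuration example, not posted by Jon or Som, that puts them together into one PIX 6.3 snippet so the interaction between the two NAT rules and the crypto map is visible in one place. It reuses the thread's addresses (192.168.5.0/24 inside, 172.16.5.0/24 at the partner, 195.177.10.15 as the VPN NAT address); the peer address 203.0.113.1, the pre-shared key, the transform-set name and the crypto map name are placeholders chosen for the example.

```text
! Added example, not from the original thread. 203.0.113.1, PLACEHOLDER_PSK,
! partner-set and partner-map are placeholders; replace them for a real deployment.

! 1. Ordinary Internet access: the whole inside subnet PATs to the outside interface IP
nat (inside) 1 192.168.5.0 255.255.255.0
global (outside) 1 interface

! 2. Policy NAT: only traffic destined for the partner network is translated to 195.177.10.15
!    (nat ID 2 must not already be in use, as the answer above notes)
access-list vpnnat permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 2 access-list vpnnat
global (outside) 2 195.177.10.15

! 3. Crypto ACL matches the post-NAT source, not the private 192.168.5.0/24 range
access-list vpntraffic permit ip host 195.177.10.15 172.16.5.0 255.255.255.0

! 4. IKE phase 1 (placeholder peer and key)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key PLACEHOLDER_PSK address 203.0.113.1 netmask 255.255.255.255

! 5. IPsec phase 2 and the crypto map bound to the outside interface
crypto ipsec transform-set partner-set esp-3des esp-sha-hmac
crypto map partner-map 10 ipsec-isakmp
crypto map partner-map 10 match address vpntraffic
crypto map partner-map 10 set peer 203.0.113.1
crypto map partner-map 10 set transform-set partner-set
crypto map partner-map interface outside

! Let decrypted tunnel traffic bypass the interface ACL check
sysopt connection permit-ipsec
```

Three points worth checking when deploying this. First, the PIX evaluates NAT exemption (nat 0 access-list) first, then policy NAT (nat with an access-list), then ordinary nat statements, so the more specific nat ID 2 wins for partner-bound packets even though nat ID 1 covers the whole subnet; show xlate after a test connection should show a 195.177.10.15 translation for 172.16.5.0/24 destinations and an outside-interface translation for everything else. Second, the partner's crypto ACL has to mirror yours exactly (172.16.5.0/24 to host 195.177.10.15), otherwise phase 2 negotiation fails with a proxy identity mismatch; show crypto ipsec sa confirms the negotiated selectors. Third, because 195.177.10.15 is a single PAT address, only sessions initiated from your inside network can traverse the tunnel; the partner cannot initiate connections to your desktops, which is usually the point of the requirement and is worth stating in the change record so it is not later reported as a fault.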
