Same-IF VPN with NAT?

Unanswered Question
Mar 4th, 2008

Can someone offer advice to whether this would work?

I have a 2-interface PIX 515E behind another firewall. I'd like to terminate the VPN on the outside interface, but have it on a NATted subnet (policy decision for avoiding same-subnet VPN issues), having NATs to both inside and outside machines. I am able to pass ipsec through the external firewall, so that is not an issue.

husycisco Tue, 03/04/2008 - 09:08

Hi Richard

As long as you do a one-to-one static mapping for the outside IP of the PIX. But if you prefer PAT and forward ports of one global IP to the outside interface of the PIX, forward TCP 10000 and UDP 4500. Have never tried with PAT before, but it may cause problems with GRE.


HairyM0nster Tue, 03/04/2008 - 09:20

Hi Huseyin

Getting the VPN up won't be a problem (At least I don't think it will!), but NATted subnet at the end of the tunnel with targets on both interfaces _might_ not work.

I'm trying to source a spare 515E with 8.x on to test, but in the meantime was seeing if anyone else had tried it. I don't really want to change the live system yet!

The live system does not perform any NATting at all presently; it's almost a filtering router.

husycisco Sat, 03/15/2008 - 08:00

Let me understand correctly. The other VPN endpoint has a connected subnet which is the same as your local subnet? So this will create return-trip traffic issues, if I understood correctly. You can try policy NAT at the local device to change the source of the packets.
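
The policy NAT that husycisco suggests, written out as a PIX 7.x/8.x configuration fragment. This is an added example, not configuration from the thread or from either poster; the addressing (10.1.1.0/24 on both sides, 192.168.10.0/24 and 192.168.20.0/24 as the translated ranges, peer 203.0.113.2), the ACL and crypto map names, and the phase 1/phase 2 parameters are all assumptions. It covers only targets on the inside interface; the thread leaves the outside-interface targets open.

```cisco
! Added example, not from the thread. Assumed addressing:
!   local LAN  (inside)           10.1.1.0/24   (same subnet as the remote LAN)
!   remote LAN (behind peer)      10.1.1.0/24
!   local LAN as the peer sees it 192.168.10.0/24  (our policy NAT)
!   remote LAN as we see it       192.168.20.0/24  (peer's policy NAT)
!   peer public address           203.0.113.2
! The peer must apply the mirror-image translation on its side.

! Only traffic from the real inside subnet towards the peer's translated
! range is matched, so ordinary internet-bound traffic is untouched.
access-list POLICY-NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.20.0 255.255.255.0

! Policy static NAT: rewrite the source of matching packets to 192.168.10.0/24
! (one-to-one, so return traffic from the peer maps back to the real hosts).
static (inside,outside) 192.168.10.0 access-list POLICY-NAT

! NAT runs before the crypto ACL is evaluated on PIX 7.x/8.x, so the
! interesting-traffic ACL is written with the translated local range.
access-list VPN-TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! Phase 1 (parameters assumed).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! Encapsulate ESP in UDP 4500 because the PIX sits behind the external
! firewall's NAT; the keepalive interval (20 s) is an assumption.
crypto isakmp nat-traversal 20

! Site-to-site peer; the pre-shared key is a placeholder.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key ExampleKeyReplaceMe

! Phase 2 and the crypto map bound to the outside interface.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN-MAP 10 match address VPN-TRAFFIC
crypto map VPN-MAP 10 set peer 203.0.113.2
crypto map VPN-MAP 10 set transform-set ESP-AES-SHA
crypto map VPN-MAP interface outside
```

Hosts on the local LAN reach remote machines by their 192.168.20.x addresses and the remote side reaches ours as 192.168.10.x, which is what removes the same-subnet routing ambiguity. Check the translation with `show xlate` and the tunnel with `show crypto ipsec sa`; if the encrypt counters stay at zero, the usual cause is a crypto ACL written with the real 10.1.1.0/24 addresses instead of the translated ones.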

