Same-IF VPN with NAT?

HairyM0nster
Level 1

Can someone offer advice as to whether this would work?

I have a 2-interface PIX 515E behind another firewall. I'd like to terminate the VPN on the outside interface, but have it on a NATted subnet (a policy decision for avoiding same-subnet VPN issues), with NATs to both inside and outside machines. I am able to pass IPsec through the external firewall, so that is not an issue.

4 Replies

husycisco
Level 7

Hi Richard

It will work as long as you do a one-to-one static mapping for the outside IP of the PIX. But if you prefer PAT and forward ports of one global IP to the outside interface of the PIX, forward TCP 10000 and UDP 4500. I have never tried it with PAT before, but it may cause problems with GRE.

Regards

Hi Huseyin

Getting the VPN up won't be a problem (at least I don't think it will!), but a NATted subnet at the end of the tunnel with targets on both interfaces _might_ not work.

I'm trying to source a spare 515E with 8.x on to test, but in the meantime was seeing if anyone else had tried it. I don't really want to change the live system yet!

The live system does not perform any NATting at all presently; it's almost a filtering router.

Let me understand correctly. The other VPN endpoint has a connected subnet which is the same as your local subnet? So this will create return-trip traffic issues, if I understood correctly. You can try policy NAT at the local device to change the source of the packets.
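The policy NAT approach suggested above, written out as an added example in PIX 7.x/8.0-8.2 syntax. This is not configuration from the thread or from either poster; every address below is an assumption chosen for illustration (the two LANs both use 192.168.1.0/24, each side presents a distinct translated /24 to the other, and the peer address is a documentation-range placeholder). The remote side needs the mirror-image translation for the design to work.

```text
! Added example (not from the thread). Assumed addressing:
!   local LAN behind the PIX:          192.168.1.0/24
!   remote LAN (overlaps the local!):  192.168.1.0/24
!   local LAN as seen by the remote:   172.16.1.0/24
!   remote LAN as seen locally:        172.16.2.0/24 (remote side translates to this)
!   remote VPN peer address:           203.0.113.1 (placeholder)

! Policy NAT: only traffic from the local LAN toward the remote's translated
! subnet gets its source rewritten; everything else keeps its real address.
! Local hosts reach remote machines by their 172.16.2.x addresses, so return
! traffic is routed back through the tunnel instead of onto the local LAN.
access-list VPN_POLICY_NAT extended permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0
static (inside,outside) 172.16.1.0 access-list VPN_POLICY_NAT

! The crypto ACL matches the post-translation addresses: those are the proxy
! identities the remote peer must mirror in its own crypto ACL.
access-list VPN_CRYPTO extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0

! Phase 1 / Phase 2 settings (values are illustrative).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! The PIX sits behind another NAT device, so enable NAT traversal (ESP in UDP/4500).
crypto isakmp nat-traversal 20

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET
```

Two points to check when adapting this: the order of `static` statements matters, so the policy static must not be shadowed by a broader translation for 192.168.1.0/24; and if some of the NATted targets are hosts reached through the outside interface itself (the same-interface case in the title), traffic that enters and leaves the outside interface is dropped on PIX 7.x and later unless `same-security-traffic permit intra-interface` is configured. Verify the translations with `show xlate` and the tunnel with `show crypto ipsec sa` before trusting the design.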

Policy NAT seems to be doing it just right, thanks.