03-04-2008 02:13 AM - edited 02-21-2020 03:36 PM
Can someone offer advice on whether this would work?
I have a 2-interface PIX 515E behind another firewall. I'd like to terminate the VPN on the outside interface, but have it on a NATted subnet (policy decision for avoiding same-subnet VPN issues), having NATs to both inside and outside machines. I am able to pass IPsec through the external firewall, so that is not an issue.
03-04-2008 09:08 AM
Hi Richard
As long as you do a one-to-one static mapping for the outside IP of the PIX. But if you prefer PAT and forward ports of 1 global IP to the outside interface of the PIX, forward tcp 10000 and udp 4500. Have never tried with PAT before, but it may cause problems with GRE.
Regards
03-04-2008 09:20 AM
Hi Huseyin
Getting the VPN up won't be a problem (At least I don't think it will!), but NATted subnet at the end of the tunnel with targets on both interfaces _might_ not work.
I'm trying to source a spare 515E with 8.x on it to test, but in the meantime was seeing if anyone else had tried it. I don't really want to change the live system yet!
The live system does not perform any NATting at all presently; it's almost a filtering router.
03-15-2008 08:00 AM
Let me understand correctly. The other VPN endpoint has a connected subnet which is the same as your local subnet? So this will create return-trip traffic issues, if I understood correctly. You can try policy NAT at the local device to change the source of the packets.
03-17-2008 05:28 AM
Policy NAT seems to be doing it just right, thanks.
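For readers landing on this thread, here is what the policy NAT that resolved it looks like on a PIX running 7.x/8.0 (pre-8.3 NAT syntax). This is an added illustration, not configuration posted by anyone in the thread; the subnets, ACL names, peer address and transform-set name are constructed, and it covers only the inside-hosts case (the outside-hosts case Richard mentions would need a second static on the outside interface).

```cisco
! Constructed addressing (assumption, not from the thread):
!   local LAN            192.168.1.0/24
!   remote LAN           192.168.1.0/24   <- overlaps with local LAN
!   local side as seen by the peer   10.10.1.0/24
!   remote side as seen by us        10.10.2.0/24
!
! Policy NAT: translate local hosts to 10.10.1.0/24 only when the
! destination is the remote side's translated range. All other traffic
! from 192.168.1.0/24 is left untranslated, so the rest of the live
! system keeps behaving like the "filtering router" described above.
access-list VPN-POLICY-NAT extended permit ip 192.168.1.0 255.255.255.0 10.10.2.0 255.255.255.0
static (inside,outside) 10.10.1.0 access-list VPN-POLICY-NAT
!
! The crypto ACL (interesting traffic) must reference the translated
! addresses: on the PIX, NAT is applied before the packet is matched
! against the crypto map, so an ACL written for 192.168.1.0/24 would
! never match and the tunnel would not come up for this traffic.
access-list VPN-TRAFFIC extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
!
! Hypothetical peer address and transform-set; IKE policy, pre-shared key
! and tunnel-group are omitted as they are not the point of the example.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! The remote peer needs the mirror image: its own 192.168.1.0/24 policy
! NATted to 10.10.2.0/24 when talking to 10.10.1.0/24, and a crypto ACL
! of 10.10.2.0/24 -> 10.10.1.0/24. Verify with:
!   show xlate            (translations created for VPN traffic)
!   show crypto ipsec sa  (encaps/decaps counters incrementing)
```

Hosts on each side reach the other LAN by its translated range (for example a local host connects to 10.10.2.x, not 192.168.1.x), so DNS or host files on both ends need to reflect the mapped addresses.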