03-25-2008 11:19 AM - edited 02-21-2020 03:38 PM
I need to setup a LAN to LAN tunnel between my Pix515e 6.3(4) and an unknown remote Cisco device. The network admin at our parent company in France will be setting up their end, which is the unknown device.
Currently the PIX performs NAT between our private internal addresses to our Public external address.
For this IPSec tunnel, I need our PIX to NAT one private /24 subnet to another private /24 subnet before IPSec.
For example,
If I have an internal subnet 192.168.0.x. When traffic needs to go to France (10.40.1.x) via an IPSec tunnel, I want our Pix to NAT 192.168.0.x to 10.40.2.x prior to sending it through IPSec.
A) Is this possible?
B) What would my IPSEC ACL Look like for interesting traffic? Would it be 10.40.2.x 10.40.1.x?
We are trying to work around an overlapping subnet issue. The France side already has an IPSec tunnel to a location that overlaps with us.
I thought I read somewhere that IPSec happens before NAT which would indicate the ACL would need to be 192.168.0.x to 10.40.1.x. This might be an issue on the France side is they already have an ACL t0 192.168.0.x.
I sure hope this makes sense.
Denny
Solved! Go to Solution.
03-25-2008 11:57 AM
Denny
Policy NAT bit first
access-list PNAT permit ip 192.168.0.0 255.255.255.0 10.40.1.0 255.255.255.0
nat (inside) 3 access-list PNAT
global (outside) 3 10.40.2.1-10.40.2.254 netmask 255.255.255.0
The above will NAT your LAN ip addresses to 10.40.2.x only when the traffic destination is 10.40.1.x. I used 3 as the nat and global id - choose one not in use on your firewall.
Your crypto map access-list for interesting traffic should be
access-list VPNTRAFFIC permit ip 10.40.2.0 255.255.255.0 10.40.1.0 255.255.255.0
HTH
Jon
03-25-2008 11:57 AM
Denny
Policy NAT bit first
access-list PNAT permit ip 192.168.0.0 255.255.255.0 10.40.1.0 255.255.255.0
nat (inside) 3 access-list PNAT
global (outside) 3 10.40.2.1-10.40.2.254 netmask 255.255.255.0
The above will NAT your LAN ip addresses to 10.40.2.x only when the traffic destination is 10.40.1.x. I used 3 as the nat and global id - choose one not in use on your firewall.
Your crypto map access-list for interesting traffic should be
access-list VPNTRAFFIC permit ip 10.40.2.0 255.255.255.0 10.40.1.0 255.255.255.0
HTH
Jon
03-25-2008 12:08 PM
That is exactly what I was looking for.
Thank you,
Denny.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide