04-11-2008 11:27 AM - edited 03-11-2019 05:30 AM
Hello.
I have a Cisco PIX 501 with a 50 user license. I have been asked to set up a site-to-site VPN with another firewall.
My issue is that the other site is requesting that I NAT the device they want to communicate with (only 1 host) to the same IP address as the only one on the WAN side of my PIX.
Is this possible? If not, can it be done if I have another public IP address available?
Example (IP Addresses have been modified)
LAN IP - 192.168.1.0 /24
WAN IP 66.179.42.74 /29
The device on the LAN that they want to communicate with is 192.168.1.10
Thanks,
Eric Hanke
04-11-2008 11:38 AM
If you're using the outside IP of the PIX for global PAT (e.g. global (outside) 1 interface), you're better off using a different address, but yes, it can be done.
You will need to use policy NAT.
Your crypto ACL (interesting traffic ACL) will be based on the public/NAT'ed IP of the server.
04-11-2008 11:43 AM
Like Steven said, you're better off using another ip. Something like this would work...
x.x.x.x = some other address
access-list vpn_nat permit ip host 192.168.1.10 <remote-network> <remote-netmask>
access-list crypto permit ip host x.x.x.x <remote-network> <remote-netmask>
static (inside,outside) x.x.x.x access-list vpn_nat
This will allow the remote site to communicate with 192.168.1.10 by using x.x.x.x.
04-11-2008 12:22 PM
The problem is that the other side will not allow me to use an RFC 1918 address. They want me to NAT the private IP address of the server 192.168.1.10 to the public IP address of the firewall.
04-11-2008 03:27 PM
Hi Eric,
access-list Pol_Nat permit ip host 192.168.1.10 remotesitenetwork remotesitenetmask
static (inside,outside) yourdesiredpublicip access-list Pol_Nat
access-list interesting_traffic permit ip host yourdesiredpublicip remotesitenetwork remotesitenetmask
crypto map <map-name> <seq> match address interesting_traffic
Regards
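Pulling the two replies above into one complete PIX 6.3 fragment, as an added example that is not from any poster in this thread: the policy-NAT static and the crypto ACL both reference the public address, and a spare address from the /29 is used so it does not collide with an existing global (outside) 1 interface PAT. The remote LAN (10.20.0.0/24), the remote peer (203.0.113.10) and the spare public IP (66.179.42.75) are constructed placeholders.

```cisco
! Constructed example; replace the placeholder addresses with your own.
! 192.168.1.10      = the inside host the remote site must reach
! 66.179.42.75      = spare public IP in the outside /29 (not the PAT address)
! 10.20.0.0/24      = remote site's LAN
! 203.0.113.10      = remote site's VPN peer

! Policy NAT: translate 192.168.1.10 to 66.179.42.75 ONLY for traffic to the
! remote LAN. Ordinary Internet traffic from this host still uses the PAT.
access-list vpn_nat permit ip host 192.168.1.10 10.20.0.0 255.255.255.0
static (inside,outside) 66.179.42.75 access-list vpn_nat

! Crypto ACL (interesting traffic) is written with the POST-NAT address,
! because NAT runs before the crypto map sees the packet. The remote side's
! crypto ACL must be the mirror image: 10.20.0.0/24 -> host 66.179.42.75.
access-list interesting_traffic permit ip host 66.179.42.75 10.20.0.0 255.255.255.0

! Let decrypted traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! Phase 2: strongest transform PIX 6.3 offers.
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address interesting_traffic
crypto map vpnmap 10 set peer 203.0.113.10
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! Phase 1: pre-shared key bound to exactly one peer address.
isakmp enable outside
isakmp key <pre-shared-key> address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

After bringing the tunnel up, show xlate should list 192.168.1.10 translated to 66.179.42.75 only for flows toward 10.20.0.0/24, and show crypto ipsec sa should show the SA's local identity as 66.179.42.75/32 rather than the private address.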
04-11-2008 07:47 PM
Dear Mr. Eric,
As far as I understand your query, this is not an issue at all. Actually, the other side wants you to NAT the host on your side to an IP that they may provide you, most probably their LAN IP, so you simply NAT that host to the IP that they provide you.
Thanks & Regards,
Rashid Ghazanfar