Cisco PIX VPN "Interesting" traffic

eric_hanke
Level 1

Hello.

I have a Cisco PIX 501 with a 50-user license. I have been asked to set up a site-to-site VPN with another firewall.

My issue is that the other site is requesting that I NAT the device they want to communicate with (only 1 host) to the same IP address as the only one on the WAN side of my PIX.

Is this possible? If not, can it be done if I have another public IP address available?

Example (IP addresses have been modified):

LAN IP - 192.168.1.0/24

WAN IP - 66.179.42.74/29

The device on the LAN that they want to communicate with is 192.168.1.10

Thanks,

Eric Hanke

5 Replies

srue
Level 7

If you're using the outside IP of the PIX for global PAT (e.g. global (outside) 1 interface), you're better off using a different address, but yes, it can be done.

You will need to use policy NAT.

Your crypto ACL (interesting-traffic ACL) will be based on the public/NATed IP of the server.

Like Steven said, you're better off using another ip. Something like this would work...

x.x.x.x = some other address

access-list vpn_nat permit ip host 192.168.1.10

access-list crypto permit ip host x.x.x.x

static (inside,outside) x.x.x.x access-list vpn_nat

This will allow the remote site to communicate with 192.168.1.10 by using x.x.x.x.

The problem is that the other side will not allow me to use an RFC 1918 address. They want me to NAT the private IP address of the server 192.168.1.10 to the public IP address of the firewall.

Hi Eric,

access-list Pol_Nat permit ip host 192.168.1.10 remotesitenetwork remotesitenetmask

static (inside,outside) yourdesiredpublicip access-list Pol_Nat

access-list interesting_traffic permit ip host yourdesiredpublicip remotesitenetwork remotesitenetmask

crypto map xxx xxx match address interesting_traffic

Regards
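The three replies above each give a piece of the configuration. The block below puts them together as one complete PIX 6.3 site-to-site configuration for a policy-NATed host. It is an added example, not code from any poster in this thread. Assumed values: 66.179.42.75 as a spare public address in the /29 (a different address from the interface IP, as the first reply recommends), 10.20.0.0/24 as the remote site's LAN, 203.0.113.5 as the remote peer, the ACL, transform-set and crypto-map names, and a placeholder pre-shared key. AES-256 needs the 3DES/AES license on the 501.

```cisco
! Added example (not from the thread): PIX 6.3 site-to-site VPN with a
! policy-NATed host. Assumed values: 66.179.42.75 = spare public address
! in the /29, 10.20.0.0/24 = remote LAN, 203.0.113.5 = remote peer.

! 1. Policy NAT: 192.168.1.10 appears as 66.179.42.75 only when it talks
!    to the remote LAN; all other traffic keeps using the global PAT pool.
access-list Pol_Nat permit ip host 192.168.1.10 10.20.0.0 255.255.255.0
static (inside,outside) 66.179.42.75 access-list Pol_Nat

! 2. Interesting traffic (crypto ACL): written with the TRANSLATED address,
!    because the PIX applies NAT before it consults the crypto map.
access-list interesting_traffic permit ip host 66.179.42.75 10.20.0.0 255.255.255.0

! 3. Phase 1 (ISAKMP) and phase 2 (IPsec) parameters; replace the key.
isakmp enable outside
isakmp key REPLACE_WITH_PRESHARED_KEY address 203.0.113.5 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac

! 4. Crypto map tying the interesting traffic to the peer.
crypto map site2site 10 ipsec-isakmp
crypto map site2site 10 match address interesting_traffic
crypto map site2site 10 set peer 203.0.113.5
crypto map site2site 10 set transform-set ESP-AES-SHA
crypto map site2site interface outside

! 5. Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

Two points worth checking after applying it. First, if the crypto ACL is written with 192.168.1.10 instead of the translated address, outbound packets never match it after NAT and the tunnel never comes up; `show xlate` confirms the policy translation and `show crypto ipsec sa` shows whether packets are being encrypted. Second, because `sysopt connection permit-ipsec` exempts decrypted traffic from the outside interface ACL, the crypto ACL is what bounds what the remote site can reach, so keep it to the single host and the remote network rather than a wider range.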

Dear Mr. Eric,

As far as I understand your query, this is not an issue at all. Actually, the other side wants you to NAT the host on your side to an IP that they may provide you (most probably their LAN IP), so you simply NAT that host to the IP that they provide you.

Thanks & Regards,

Rashid Ghazanfar
