NAT over IPsec L2L with PIX

kerek
Level 4

Hi,

I have the following challenge and I can only solve it partially.

Scenario:

I need to connect two sites through ipsec L2L and apply some NAT back and forth.

The remote network is 10.1.0.0/24 my inside network is 192.168.1.0/24. The remote site cannot send traffic to 192.168.1.0 because this subnet is used on their network. So they are going to send the traffic to 10.10.1.1 for ftp and 10.10.1.2 for http. On my side I have 192.168.1.30 as ftp and 192.168.1.31 as http server. On my side when the traffic comes I have to translate the destination of 10.10.1.1 and 10.10.1.2 to 192.168.1.30 and 192.168.1.31 respectively.

I also have to send back some traffic to the remote site with a source of 10.10.1.3 (from 192.168.1.30 and 192.168.1.31). So it is some kind of asymmetric NAT. The question is whether it is possible or not. If possible, how should I approach it?

Thanks,

Krisztian

2 Replies

JORGE RODRIGUEZ
Level 10

Krisztian,

You can apply the overlapping networks strategy in your scenario; you will need policy NAT. I've created a draft script, but if I have the time I will test it. However, it should be along these lines; look at the example link.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

You could have these ACLs for your tunnel.

! Crypto ACL: references the translated (mapped) addresses, since NAT is applied before the crypto map on outbound traffic
access-list new extended permit ip 10.10.1.1 255.255.255.255 10.1.0.0 255.255.255.0
access-list new extended permit ip 10.10.1.2 255.255.255.255 10.1.0.0 255.255.255.0
! Policy NAT ACLs: real inside host as source, remote site as destination
access-list policy-nat_FTP extended permit ip 192.168.1.30 255.255.255.255 10.1.0.0 255.255.255.0
access-list policy-nat_HTTP extended permit ip 192.168.1.31 255.255.255.255 10.1.0.0 255.255.255.0
! Policy static NAT: 192.168.1.30 <-> 10.10.1.1 and 192.168.1.31 <-> 10.10.1.2, only for traffic to/from 10.1.0.0/24
static (inside,outside) 10.10.1.1 access-list policy-nat_FTP
static (inside,outside) 10.10.1.2 access-list policy-nat_HTTP

Rgds

-Jorge

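To see what Jorge's draft does with each of the three flows in the question before loading it on a PIX, here is a small model of the order of operations (added example, not code from the thread or from Cisco). It assumes the behaviour Cisco documents for PIX 7.x: on outbound traffic NAT runs before the crypto map, so the crypto ACL has to name the mapped addresses; on inbound traffic the decrypted packet is checked against the mirror of the crypto ACL and then un-translated; and a static with an access-list (policy static NAT) is bidirectional, but the un-translation only applies when the remote source falls inside the policy ACL's destination. The addresses are the ones from the thread; 10.1.0.5, 10.1.0.7 and 10.2.0.5 are constructed sample hosts.

```python
"""Model of PIX 7.x policy static NAT plus crypto-ACL evaluation for the
overlapping-network L2L scenario in this thread.  Assumptions: NAT before
crypto map on outbound, decrypt then un-NAT on inbound, policy static NAT
bidirectional only for sources matching the policy ACL's destination."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' entry; host entries are written as /32."""
    src: str
    dst: str

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


@dataclass(frozen=True)
class PolicyStatic:
    """static (inside,outside) <mapped> access-list <acl>: the ACL source is
    the real inside host, the ACL destination the remote hosts it applies to."""
    mapped: str
    acl: tuple


# Jorge's draft expressed as data (255.255.255.255 entries become /32).
REMOTE = "10.1.0.0/24"
CRYPTO_ACL = (Ace("10.10.1.1/32", REMOTE), Ace("10.10.1.2/32", REMOTE))
STATICS = (
    PolicyStatic("10.10.1.1", (Ace("192.168.1.30/32", REMOTE),)),
    PolicyStatic("10.10.1.2", (Ace("192.168.1.31/32", REMOTE),)),
)


def outbound(pkt: Packet, statics=STATICS, crypto_acl=CRYPTO_ACL):
    """inside -> outside: apply the first matching policy static, then match
    the translated packet against the crypto ACL.
    Returns (packet as seen on the wire, whether it entered the tunnel)."""
    for st in statics:
        if any(ace.matches(pkt) for ace in st.acl):
            pkt = Packet(st.mapped, pkt.dst)
            break
    return pkt, any(ace.matches(pkt) for ace in crypto_acl)


def inbound(pkt: Packet, statics=STATICS, crypto_acl=CRYPTO_ACL):
    """outside -> inside after decryption: the packet must match a crypto ACE
    in reverse, then the static is un-applied if the remote source is inside
    the policy ACL's destination.  Returns the delivered packet, or None."""
    if not any(ace.matches(Packet(pkt.dst, pkt.src)) for ace in crypto_acl):
        return None
    for st in statics:
        if pkt.dst != st.mapped:
            continue
        for ace in st.acl:
            if ip_address(pkt.src) in ip_network(ace.dst):
                real = str(ip_network(ace.src).network_address)
                return Packet(pkt.src, real)
    return None


def walk_thread_scenario():
    """The flows from the question, evaluated against the draft config."""
    wire, in_tunnel = outbound(Packet("192.168.1.30", "10.1.0.5"))
    from_remote = inbound(Packet("10.1.0.5", "10.10.1.1"))
    stray = inbound(Packet("10.2.0.5", "10.10.1.1"))   # not a tunnel peer net
    return {
        "ftp_server_source_on_wire": wire.src,           # 10.10.1.1, not .3
        "ftp_server_encrypted": in_tunnel,
        "remote_to_ftp_delivered_to": from_remote.dst if from_remote else None,
        "stray_source_dropped": stray is None,
    }


if __name__ == "__main__":
    for k, v in walk_thread_scenario().items():
        print(f"{k}: {v}")
```

Under these assumptions the model delivers remote traffic for 10.10.1.1 and 10.10.1.2 to the real servers and drops anything sourced outside 10.1.0.0/24. What it also makes visible is the problem with the third requirement: a connection that 192.168.1.30 opens towards 10.1.0.0/24 hits the same policy static and leaves with source 10.10.1.1, never 10.10.1.3, because a policy ACL keyed only on source and destination cannot tell the server's own outbound sessions apart from replies to inbound ones. Getting 10.10.1.3 on the wire needs the two flows to be distinguishable in the policy ACLs (for example by TCP port), and whatever is chosen should be checked on the box with show xlate and the crypto ACL counters rather than trusted from this model.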

Hi Jorge,

Thank you for your reply. I have also found that link, but it seems that scenario works only for traffic going from my side (let's say this is PIX-A) to the remote side; however, I need the opposite. It is mentioned that if there is traffic coming back to the translated address (in my case 10.10.1.1 and .2), it will not reach the inside network. Do you know any other way to achieve this?

Thanks,

Krisztian
