PIX: NAT in Site to Site VPN

Unanswered Question
Jan 9th, 2009

Hi

Hopefully someone can confirm this is possible.

I have a PIX 525 running v7.2 and it terminates several Site-To-Site VPNs with other organisations who then use services hosted on a DMZ. That all works fine.

I'm connecting up another organisation who cannot route to private address space down a VPN at their end. That causes a problem, because the address they need to contact down the VPN is a private one.

So is it possible to do a NAT to one of our Internet addresses on the outside of the PIX, but still have them access it over the VPN?

There doesn't seem to be an equivalent config on the Cisco support examples and I've checked the Wiki, but couldn't find anything that matches this scenario.

Thanks

Chas

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Fri, 01/09/2009 - 14:27

Chas

Yes it is possible although if other companies are accessing the same server in it's private IP address that is going to be problematic.

Assuming it isn't lets say -

ptivate host at your end = 192.168.5.10

public IP you present it as to remote site - 212.12.12.1

Your crypto map access-list at your end would be

access-list vpntraffic permit ip host 212.12.12.1 17216.5.0 255.255.255.0

ie. the key thing is in your crypto map you need to reference the Natted IP address.

Jon

remote site subnet = 172.16.5.0/24

4c.gregory Fri, 01/09/2009 - 20:36

Jon

Thanks for the response.

Unfortunate other companies do access the private address down the Site-2-Site VPNs. What's the problematic bit?

So the NAT would be as normal? We already have this in place as one particular organisation accesses it using a static NAT as the protocol is SSL'ed already - something like:

static (inside,outside) 212.12.12.1 192.168.5.10 netmask 255.255.255.255

Regards

Chas

rkalia1 Sat, 01/17/2009 - 18:27

Chas use this:

access-list ext NAT permit ip host 192.168.5.10 172.16.5.0 255.255.255.0

static (inside,outside) 212.12.12.1 access-list NAT

Your Crypto access-list should be:

access-list ext vpntraffic permit host 212.12.12.1 172.16.5.0 255.255.255.0

Also, note that you need not put the traffic from 192.168.5.10 server to 172.16.5.0 n/w in NONAT access-list that you may have for VPN traffic that is non-nated.

Actions

This Discussion