PIX: NAT in Site to Site VPN

Unanswered Question
Jan 9th, 2009

Hi


Hopefully someone can confirm this is possible.


I have a PIX 525 running v7.2 and it terminates several Site-To-Site VPNs with other organisations who then use services hosted on a DMZ. That all works fine.


I'm connecting up another organisation who cannot route to private address space down a VPN at their end. That causes a problem, because the address they need to contact down the VPN is a private one.


So is it possible to do a NAT to one of our Internet addresses on the outside of the PIX, but still have them access it over the VPN?


There doesn't seem to be an equivalent config on the Cisco support examples and I've checked the Wiki, but couldn't find anything that matches this scenario.


Thanks

Chas


Jon Marshall Fri, 01/09/2009 - 14:27

Chas


Yes, it is possible, although if other companies are accessing the same server on its private IP address that is going to be problematic.


Assuming it isn't, let's say:


private host at your end = 192.168.5.10


public IP you present it as to remote site = 212.12.12.1


remote site subnet = 172.16.5.0/24


Your crypto map access-list at your end would be


access-list vpntraffic permit ip host 212.12.12.1 172.16.5.0 255.255.255.0


i.e. the key thing is in your crypto map you need to reference the NATed IP address.


Jon

4c.gregory Fri, 01/09/2009 - 20:36

Jon


Thanks for the response.


Unfortunately, other companies do access the private address down the Site-2-Site VPNs. What's the problematic bit?


So the NAT would be as normal? We already have this in place, as one particular organisation accesses it using a static NAT since the protocol is already SSL'ed; something like:


static (inside,outside) 212.12.12.1 192.168.5.10 netmask 255.255.255.255


Regards

Chas

rkalia1 Sat, 01/17/2009 - 18:27

Chas, use this:


access-list NAT extended permit ip host 192.168.5.10 172.16.5.0 255.255.255.0


static (inside,outside) 212.12.12.1 access-list NAT


Your crypto access-list should be:

access-list vpntraffic extended permit ip host 212.12.12.1 172.16.5.0 255.255.255.0


Also, note that you need not put the traffic from the 192.168.5.10 server to the 172.16.5.0 network in the NONAT access-list that you may have for VPN traffic that is not NATed.
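As an added illustration (not part of the thread and not Cisco's code), the following Python script models the PIX 7.x outbound order of operations that both answers above depend on: NAT exemption (nat 0 access-list) is evaluated first, then static policy NAT, and only after translation is the packet compared with the crypto map's access-list, so the crypto ACL sees the translated source. It parses a constructed config fragment built from the thread's addresses; the 10.20.0.0/16 subnet, the vpn_other ACL and the NAT/NONAT ACL names are assumptions standing in for one of the existing peers that reaches the server on its private address. The four cases show why the crypto ACL must name 212.12.12.1, why the destination-restricted policy NAT leaves the existing peers' traffic untouched, what happens when the crypto ACL is written with the private address, and what happens when the same flow is also listed in the exemption ACL.

```python
"""Model of the PIX 7.x outbound order of operations this thread relies on.

Added example, not from the original thread.  It assumes that NAT is evaluated
before the crypto map (so the crypto ACL is checked against the translated
source) and that NAT exemption (nat 0 access-list) takes precedence over
static policy NAT.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
Entry = Tuple[Net, Net]  # (source network, destination network)

# Constructed PIX 7.x config fragment using the thread's addresses.  10.20.0.0/16,
# vpn_other and the ACL names NAT/NONAT are assumptions: an existing peer that
# reaches the server on its private address through NAT exemption.
CONFIG = """
access-list NAT extended permit ip host 192.168.5.10 172.16.5.0 255.255.255.0
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list vpntraffic extended permit ip host 212.12.12.1 172.16.5.0 255.255.255.0
access-list vpn_other extended permit ip 192.168.5.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
static (inside,outside) 212.12.12.1 access-list NAT
"""
# Variant 1: a crypto ACL written with the private address instead of the NATed one.
CONFIG_PRIVATE_CRYPTO = CONFIG + (
    "access-list vpn_wrong extended permit ip host 192.168.5.10 172.16.5.0 255.255.255.0\n")
# Variant 2: the server-to-172.16.5.0/24 flow also listed in the exemption ACL.
CONFIG_FLOW_IN_NONAT = CONFIG + (
    "access-list NONAT extended permit ip host 192.168.5.10 172.16.5.0 255.255.255.0\n")

CRYPTO_ACLS = ["vpntraffic", "vpn_other"]  # ACLs referenced by the crypto map entries


def _net(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one ACL address spec: 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "host":
        return Net(tokens[1]), tokens[2:]
    return Net(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


class PixOutbound:
    """Parses the handful of commands above and evaluates one outbound flow."""

    def __init__(self, config: str) -> None:
        self.acls: Dict[str, List[Entry]] = {}
        self.nonat: Optional[str] = None
        self.policy_static: List[Tuple[str, Addr]] = []  # (ACL name, mapped IP)
        for line in config.strip().splitlines():
            t = line.split()
            if not t:
                continue
            if t[0] == "access-list" and t[3] == "permit":
                # access-list NAME extended permit ip SRC DST (permit entries only)
                src, rest = _net(t[5:])
                dst, _ = _net(rest)
                self.acls.setdefault(t[1], []).append((src, dst))
            elif t[0] == "nat" and t[2] == "0":
                self.nonat = t[4]  # nat (inside) 0 access-list NAME
            elif t[0] == "static" and t[3] == "access-list":
                self.policy_static.append((t[4], Addr(t[2])))  # static (i,o) IP access-list NAME

    def acl_matches(self, name: str, src: Addr, dst: Addr) -> bool:
        return any(src in s and dst in d for s, d in self.acls.get(name, []))

    def translate(self, src: Addr, dst: Addr) -> Addr:
        """NAT exemption wins, then static policy NAT, else no translation."""
        if self.nonat and self.acl_matches(self.nonat, src, dst):
            return src
        for acl, mapped in self.policy_static:
            if self.acl_matches(acl, src, dst):
                return mapped
        return src

    def outbound(self, src: str, dst: str, crypto_acls: List[str]) -> Tuple[str, Optional[str]]:
        """Return (source as seen on the wire, crypto ACL matched after NAT or None)."""
        src_ip, dst_ip = Addr(src), Addr(dst)
        xlated = self.translate(src_ip, dst_ip)
        for name in crypto_acls:
            if self.acl_matches(name, xlated, dst_ip):
                return str(xlated), name
        return str(xlated), None  # no crypto map entry selects it: it leaves unencrypted


def scenarios() -> Dict[str, Tuple[str, Optional[str]]]:
    """The four cases the thread discusses, keyed by a short label."""
    good, wrong, nonat = (PixOutbound(c) for c in (CONFIG, CONFIG_PRIVATE_CRYPTO, CONFIG_FLOW_IN_NONAT))
    return {
        "new peer, NATed crypto ACL": good.outbound("192.168.5.10", "172.16.5.20", CRYPTO_ACLS),
        "existing peer, private address": good.outbound("192.168.5.10", "10.20.1.5", CRYPTO_ACLS),
        "crypto ACL uses private address": wrong.outbound("192.168.5.10", "172.16.5.20", ["vpn_wrong"]),
        "flow also in NONAT": nonat.outbound("192.168.5.10", "172.16.5.20", CRYPTO_ACLS),
    }


if __name__ == "__main__":
    for label, (wire_src, acl) in scenarios().items():
        print(f"{label:34s} src={wire_src:14s} crypto={acl}")
```

Running it prints one line per case: the first is translated to 212.12.12.1 and selected by vpntraffic; the second keeps 192.168.5.10 and is selected by vpn_other, so the existing peers are unaffected because the policy NAT is keyed on the 172.16.5.0/24 destination; the last two end with crypto=None, which on a real PIX means the packet would leave the outside interface unencrypted (or be dropped by the outside ACL) rather than enter the tunnel. The remote side's crypto ACL must mirror yours, permitting 172.16.5.0/24 to host 212.12.12.1, or phase 2 will not negotiate.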
