Policy NAT for L2L and external access

rtjensen4 (Level 4)

Hello,

I'm running into an interesting issue with a PIX 506E 6.3(4).

I created a VPN back to our central location, and implemented a policy NAT on the 506E to NAT their local 192.168.1.0/24 IPs to 10.200.25.0/24. This NATing works fine except for the servers that also have a static external IP. I did some packet captures, and traffic is traversing the VPN as expected and making it to the remote end, but the replies are being NAT'd to the "outside" IP of the host instead of the policy NAT. I can ping other hosts on the remote network just fine from the central location, just not the ones that have a static external IP address.

Example:

10.10.7.1 is at my central site and tries to ping a server with an IP of 10.200.25.11 across the VPN. Traffic leaves the central site, is encrypted, and delivered to the remote firewall. The remote firewall translates 10.200.25.11 -> 192.168.1.11 (the server's REAL IP) and delivers the packet, and the server responds, but replies are being NAT'd to its public IP of 75.X.X.X instead of 10.200.25.11.

Any thoughts on how I can get around this issue?

Here's the relevant config:

access-list policy-nat line 1 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list policy-nat line 2 permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list policy-nat line 3 permit ip 192.168.1.0 255.255.255.0 10.10.7.0 255.255.255.0

access-list vpn-nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-nonat permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list vpn-nonat permit ip 192.168.1.0 255.255.255.0 10.100.11.0 255.255.255.0

nat (inside) 0 access-list vpn-nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

static (inside,outside) 75.x.x.x 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 10.200.25.0 access-list policy-nat 0 0

Accepted Solution

Ivan Martinon (Level 7)

Try reordering your static rules:

Make the static policy the first one to be read by the PIX:

static (inside,outside) 10.200.25.0 access-list policy-nat 0 0
static (inside,outside) 75.x.x.x 192.168.1.11 netmask 255.255.255.255 0 0

See how that goes

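The accepted answer relies on the PIX evaluating "static" entries in configuration order and using the first one that matches; the 1:1 public static listed before the policy static therefore wins for 192.168.1.11 even when the destination is a VPN network. The Python below is an added example written for this page, not the poster's configuration or any Cisco code; it models that first-match lookup for the two statics in the thread so the effect of the ordering can be checked before touching the box. Assumptions: the redacted public address 75.x.x.x is replaced by the documentation placeholder 203.0.113.11, and only source translation of "static" entries on the inside-to-outside path is modelled (the dynamic nat/global pair and the vpn-nonat exemption are not), so a packet that matches no static returns None.

```python
"""First-match evaluation of PIX 'static' NAT entries (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Static:
    """One 'static (inside,outside)' entry, kept in configuration order."""
    name: str
    local: Net                                        # real inside addresses the entry covers
    mapped: Net                                       # addresses they appear as on 'outside'
    policy_dsts: list = field(default_factory=list)   # destination nets from the policy ACL; empty = any

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        if src not in self.local:
            return False
        # A plain static has no destination condition; a policy static needs an ACL hit.
        return not self.policy_dsts or any(dst in n for n in self.policy_dsts)

    def translate(self, src: IPv4) -> IPv4:
        # Network statics keep the host offset (192.168.1.11 -> 10.200.25.11).
        offset = int(src) - int(self.local.network_address)
        return IPv4(int(self.mapped.network_address) + offset)


def translate_source(rules, src, dst):
    """Return (rule name, mapped source) for the first matching static, or None (fall-through)."""
    src, dst = IPv4(src), IPv4(dst)
    for rule in rules:                 # configuration order; first match wins
        if rule.matches(src, dst):
            return rule.name, str(rule.translate(src))
    return None


# The two statics from the thread. 203.0.113.11 is a placeholder for the redacted 75.x.x.x.
POLICY = Static("policy-nat", Net("192.168.1.0/24"), Net("10.200.25.0/24"),
                [Net("10.1.1.0/24"), Net("10.1.2.0/24"), Net("10.10.7.0/24")])
PUBLIC = Static("public-static", Net("192.168.1.11/32"), Net("203.0.113.11/32"))

ORIGINAL_ORDER = [PUBLIC, POLICY]   # as posted: the 1:1 static is read first
FIXED_ORDER = [POLICY, PUBLIC]      # as the accepted answer suggests

if __name__ == "__main__":
    # Reply from the server behind the 1:1 static towards the central site.
    for label, rules in (("original", ORIGINAL_ORDER), ("reordered", FIXED_ORDER)):
        print(label, translate_source(rules, "192.168.1.11", "10.10.7.1"))
```

With the original order the reply to 10.10.7.1 is sourced from the public address, which is exactly the symptom in the captures; with the policy static first it becomes 10.200.25.11 over the VPN, while traffic to a non-VPN destination still uses the public static. On the firewall itself the resulting translations can be confirmed with "show xlate" after the change.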

2 Replies


Hey, that worked. Thanks! I didn't realize that the statements would be followed in order. Learn something new every day.
