Nat VPN address on Pix 515E

Apr 22nd, 2009

I have an internal address 192.168.1.16, but we want the other end of the VPN tunnel to communicate with 172.16.5.1 instead and use NAT because of an overlapping address range. Does anyone have an example configuration of something like this?

Jon Marshall Wed, 04/22/2009 - 05:43

FW1 = firewall at site where 192.168.1.16 is.

FW2 = firewall at remote end

Config bits that are needed for the NAT setup and the VPN crypto map

FW1

static (inside,outside) 172.16.5.1 192.168.1.16
access-list vpntraffic permit ip host 172.16.5.1 host 192.168.1.16
crypto map vpnmap 1 match address vpntraffic

FW2

access-list vpntraffic permit ip host 192.168.1.16 host 172.16.5.1
crypto map vpnmap 1 match address vpntraffic

Note that the 192.168.1.16 referenced in FW2 config is actually a client machine behind FW2 and not the 192.168.1.16 machine behind FW1.


Jon

mfawehin Wed, 04/22/2009 - 22:54

Hi Jon, bschear, I'm sorry to gatecrash your post, but I have to configure a setup with Cisco encryption routers on either end of my VPN tunnel.

The 3rd party partners have a firewall connected to the encryption router (which is my tunnel endpoint) and they are NATting their internal addresses, so I'm a bit confused as to how I set up the ACLs for interesting traffic on my side.

Do I permit access to the NAT'ed or original addresses?

Is there anything I need to configure on my router regarding the NAT'ing on the other end of the tunnel?

Again, I'm sorry for posting my question here, but I thought it'd be quicker to get a response as you obviously know about VPNs and NAT configuration.


Many thanks,

Martha.

Jon Marshall Thu, 04/23/2009 - 01:49

Martha


You need to use the NATted address in your access-list for the interesting traffic because you will never see the 3rd party's internal addresses.


Jon
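To make the point in both of Jon's replies concrete (NAT is applied before the crypto map is evaluated, so the crypto ACL on each side is written in post-NAT terms and must mirror the peer's), here is an added Python model of one packet crossing the tunnel; it is not from the thread. The addresses are Jon's; the FW2_WRONG firewall is a constructed mistake, and the model starts at FW1, so it does not cover how the packet reaches it.

```python
from dataclasses import dataclass


@dataclass
class Firewall:
    name: str
    statics: dict    # static (inside,outside): real inside address -> translated address
    crypto_acl: set  # crypto ACL lines as (src, dst) host pairs, written post-NAT

    def nat_outbound(self, src, dst):
        # on the PIX the static translation happens before the crypto map is checked
        return self.statics.get(src, src), dst

    def nat_inbound(self, src, dst):
        # reverse of the static: translated outside address -> real inside address
        inverse = {outside: inside for inside, outside in self.statics.items()}
        return src, inverse.get(dst, dst)

    def is_interesting(self, src, dst):
        return (src, dst) in self.crypto_acl


def proxy_ids_match(local, remote):
    """IKE phase 2 needs the peer's crypto ACL to be the exact mirror of ours."""
    return {(d, s) for s, d in local.crypto_acl} == remote.crypto_acl


def send_over_tunnel(local, remote, src, dst):
    """Follow one packet from a host behind `local` to a host behind `remote`.
    Returns the (src, dst) the remote host finally sees, or a string naming the
    failure: a cleartext leak (no crypto ACL match) or a proxy identity mismatch."""
    t_src, t_dst = local.nat_outbound(src, dst)
    if not local.is_interesting(t_src, t_dst):
        return f"{local.name}: {t_src}->{t_dst} matched no crypto ACL, routed in cleartext"
    if not remote.is_interesting(t_dst, t_src):
        return f"{remote.name}: proxy identity mismatch, SA not built"
    return remote.nat_inbound(t_src, t_dst)


# Jon's setup: FW1 hides 192.168.1.16 behind 172.16.5.1; the 192.168.1.16 on the
# FW2 side is a different client whose address happens to overlap.
FW1 = Firewall("FW1", {"192.168.1.16": "172.16.5.1"}, {("172.16.5.1", "192.168.1.16")})
FW2 = Firewall("FW2", {}, {("192.168.1.16", "172.16.5.1")})
# Constructed mistake (not from the thread): FW2 lists FW1's real inside address
# instead of the translated one, the situation Martha asked about.
FW2_WRONG = Firewall("FW2", {}, {("192.168.1.16", "192.168.1.16")})

if __name__ == "__main__":
    print(send_over_tunnel(FW1, FW2, "192.168.1.16", "192.168.1.16"))
    print(send_over_tunnel(FW1, FW2_WRONG, "192.168.1.16", "192.168.1.16"))
```

The cleartext branch is the one to watch for: on a PIX, traffic that matches no crypto ACL is not dropped but routed normally, so a crypto ACL written with pre-NAT addresses silently sends the traffic unencrypted.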

mfawehin Thu, 04/23/2009 - 04:15

Thanks, Jon, for the prompt response. That is what I put in my access-list, but it's not working. I will troubleshoot further with the 3rd party company, as I'm pretty sure my config is fine.


Thanks again,

Martha.
