Nat VPN address on Pix 515E

Unanswered Question
Apr 22nd, 2009

I have an internal address 192.168.1.16, but we want the other end of the VPN tunnel to communicate with 172.16.5.1 instead and use NAT because of an overlapping address range. Does anyone have an example configuration of something like this?

Jon Marshall Wed, 04/22/2009 - 05:43

FW1 = firewall at site where 192.168.1.16 is.

FW2 = firewall at remote end

Config bits that are needed for the NAT setup and the VPN crypto map

FW1

static (inside,outside) 172.16.5.1 192.168.1.16

access-list vpntraffic permit ip host 172.16.5.1 host 192.168.1.16

crypto map vpnmap 1 match address vpntraffic

FW2

access-list vpntraffic permit ip host 192.168.1.16 host 172.16.5.1

crypto map vpnmap 1 match address vpntraffic

Note that the 192.168.1.16 referenced in the FW2 config is actually a client machine behind FW2 and not the 192.168.1.16 machine behind FW1.

Jon
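
The snippet above shows only the NAT and crypto-map lines. The following is an added example (not Jon's config or anything from the original thread) that fills in the rest of a PIX 6.3-style site-to-site setup and goes one step beyond the post: because the original question is about overlapping ranges, both firewalls translate their local 192.168.1.16 to a distinct tunnel-facing address (172.16.5.1 at site A, 172.16.6.1 at site B), so neither side ever has to route toward a 192.168.1.x destination that also exists locally. The peer addresses 203.0.113.1 and 198.51.100.1, the pre-shared key, the transform-set name and the ISAKMP policy values are placeholders. The `!` lines are comments for the reader; strip them if your 6.x CLI rejects them.

```cisco
! Added example, PIX 6.3 syntax assumed (not from the thread).
! Site A (FW1): real host 192.168.1.16, presented to the tunnel as 172.16.5.1
! Site B (FW2): real host 192.168.1.16, presented to the tunnel as 172.16.6.1
! 203.0.113.1 = FW1 outside, 198.51.100.1 = FW2 outside (placeholders)

! ======================= FW1 (site A) =======================
! One-to-one static: the real host leaves the outside interface as 172.16.5.1.
! On the PIX, NAT is applied before encryption, so the crypto ACL must match
! the translated address, not the real one.
static (inside,outside) 172.16.5.1 192.168.1.16 netmask 255.255.255.255

! Interesting traffic: our translated host to the peer's translated host.
! Do NOT also list this pair in a nat 0 (NAT exemption) access-list; exemption
! is evaluated before statics and would push the untranslated 192.168.1.16
! into the tunnel, where it would never match the peer's crypto ACL.
access-list vpntraffic permit ip host 172.16.5.1 host 172.16.6.1

! Phase 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address vpntraffic
crypto map vpnmap 1 set peer 198.51.100.1
crypto map vpnmap 1 set transform-set ESP-AES-SHA
crypto map vpnmap interface outside

! Phase 1 (values are placeholders; use what both sides agree on)
isakmp enable outside
isakmp key ExamplePreSharedKey address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Let decrypted traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! ======================= FW2 (site B), mirror image =======================
static (inside,outside) 172.16.6.1 192.168.1.16 netmask 255.255.255.255
access-list vpntraffic permit ip host 172.16.6.1 host 172.16.5.1

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address vpntraffic
crypto map vpnmap 1 set peer 203.0.113.1
crypto map vpnmap 1 set transform-set ESP-AES-SHA
crypto map vpnmap interface outside

isakmp enable outside
isakmp key ExamplePreSharedKey address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec
```

With this in place a user at site A addresses the remote machine as 172.16.6.1, never as 192.168.1.16. FW1 rewrites the source to 172.16.5.1, the packet matches `vpntraffic`, and the return traffic from 172.16.6.1 to 172.16.5.1 is untranslated back to 192.168.1.16 on the way in. To check it, `show xlate` on FW1 should list the static for 192.168.1.16, and `show crypto ipsec sa` should show local and remote identities of 172.16.5.1/32 and 172.16.6.1/32; if the identities show a 192.168.1.x address instead, a NAT exemption or nat/global rule is winning over the static.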

mfawehin Wed, 04/22/2009 - 22:54

Hi Jon, bschear, I'm sorry to gatecrash your post, but I have to configure a setup with Cisco encryption routers on either end of my VPN tunnel.

The 3rd party partners have a firewall connected to the encryption router (which is my tunnel endpoint) and they are NAT'ing their internal addresses, so I'm a bit confused as to how I set up the ACLs for interesting traffic on my side.

Do I permit access to the NAT'ed or original addresses?

Is there anything I need to configure on my router regarding the NAT'ing on the other end of the tunnel?

Again, I'm sorry for posting my question here, but I thought I'd be quicker to get a response as you obviously know about VPNs and NAT configuration.

Many thanks,

Martha.

Jon Marshall Thu, 04/23/2009 - 01:49

Martha

You need to use the NATed address in your access-list for the interesting traffic, because you will never see the 3rd party's internal addresses.

Jon

mfawehin Thu, 04/23/2009 - 04:15

Thanks Jon for the prompt response. That is what I put in my access-list, but it's not working. I will troubleshoot further with the 3rd party company, as I'm pretty sure my config is fine.

Thanks again,

Martha.
