VPN - proxy public address for NAT

Dec 21st, 2009

I have a /29 public block on a PIX515

A partner says I must proxy/NAT one of the public IPs in the tunnel instead of the internal private addresses

Do I just need the additional global and a static NAT for the tunnel?

Ivan Martinon (Cisco Employee) Mon, 12/21/2009 - 11:20

You would need to use policy NAT/static NAT in order to differentiate, so that traffic uses that IP address only when going to the tunnel, something like:

access-list VPN permit ip

static (inside,outside) Y.Y.Y.Y access-list VPN

and the crypto map will use that Y.Y.Y.Y as the source of the VPN traffic.

Now one little catch here: if you are going to use a single IP address, then PAT is required and the config will change, causing this not to be bidirectional (only replies to traffic from your inside network will come back, not traffic originated from the remote network). For PAT use:

access-list VPN permit ip

nat (inside) X access-list VPN

global (outside) X Y.Y.Y.Y
hth

Ivan
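The two variants from the answer above written out as a complete PIX 6.3 fragment. This is an added example, not configuration posted in the thread; the addresses are assumed (inside LAN 192.168.1.0/24 with host 192.168.1.10, partner network 10.20.30.0/24, partner peer 198.51.100.1, and 203.0.113.5 standing in for the public /29 address Y.Y.Y.Y), as are the ACL, crypto map and transform-set names.

```text
: Added example, not from the thread. Assumed addresses and names:
:   inside host   192.168.1.10 (LAN 192.168.1.0/24)
:   partner LAN   10.20.30.0/24, partner peer 198.51.100.1
:   203.0.113.5   = the public /29 address the partner wants to see (Y.Y.Y.Y)
: Syntax is PIX 6.3 (the PIX 515 generation the question is about).

: --- Option 1: one-to-one static policy NAT (bidirectional) ---
: Only traffic from 192.168.1.10 to the partner network is translated to
: 203.0.113.5; the same host keeps its normal translation to everything else.
access-list VPN-NAT permit ip host 192.168.1.10 10.20.30.0 255.255.255.0
static (inside,outside) 203.0.113.5 access-list VPN-NAT

: The crypto ACL must match the TRANSLATED source, because NAT is applied
: before the crypto map is evaluated on the way out.
access-list VPN-CRYPTO permit ip host 203.0.113.5 10.20.30.0 255.255.255.0
crypto map OUTSIDE-MAP 10 ipsec-isakmp
crypto map OUTSIDE-MAP 10 match address VPN-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside

: --- Option 2: many-to-one policy PAT (replies only, as the answer warns) ---
: Use instead of Option 1 when the whole inside LAN must appear as 203.0.113.5.
: The NAT id (5 here) is arbitrary; it only ties the nat and global lines together.
: The crypto ACL stays as in Option 1 (host 203.0.113.5 -> partner LAN).
access-list VPN-PAT permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
nat (inside) 5 access-list VPN-PAT
global (outside) 5 203.0.113.5

: Check before testing: NAT exemption (nat 0 access-list) is matched before
: static and dynamic NAT, so an existing "nat (inside) 0 access-list ..." entry
: that still covers 10.20.30.0/24 would win and the partner would see the
: private addresses. Remove that entry for the partner LAN, then confirm the
: translation with "show xlate" and the tunnel selectors with "show crypto ipsec sa".
```

Pick one option, not both: if the policy PAT ACL and the static policy NAT ACL both match the same traffic, the static wins, and the partner-initiated direction only works with Option 1.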
