VPN - proxy public address for NAT

Unanswered Question
Dec 21st, 2009

I have a /29 public block on a PIX515

A partner says I must proxy/NAT one of the public IPs in the tunnel instead of the internal private addresses

Do I just need the additional global and a static NAT for the tunnel?

Ivan Martinon Mon, 12/21/2009 - 11:20

You would need to use policy NAT/static NAT in order to differentiate, so that traffic uses that IP address only when going to the tunnel, something like:

access-list VPN permit ip

static (inside,outside) Y.Y.Y.Y access-list VPN

and the crypto map will use that Y.Y.Y.Y as the source of the vpn traffic.

Now one little catch here: if you are going to use a single IP address, then PAT is required and the config will change, causing this not to be bidirectional (only replies to traffic from your inside network will come back, not traffic originated from the remote network). For PAT use:

access-list VPN permit ip

nat (inside) X access-list VPN

global (outside) X Y.Y.Y.Y

hth

Ivan
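To show the two options above as a complete configuration, here is a constructed PIX 6.3 example (added to this thread; it is not Ivan's posted config and not the asker's real addresses). It assumes inside network 10.1.1.0/24, 203.0.113.10 as the Y.Y.Y.Y address taken from the public /29, the partner's network 172.16.5.0/24 behind peer 198.51.100.1, and a pre-shared key placeholder.

```cisco
! Constructed example (PIX 6.3 syntax); all addresses are placeholders, not the poster's.
! inside 10.1.1.0/24, tunnel source 203.0.113.10 (from the public /29),
! partner network 172.16.5.0/24 reached via IKE peer 198.51.100.1

! 1. Policy NAT ACL: only inside traffic destined for the partner network is translated
access-list VPN permit ip 10.1.1.0 255.255.255.0 172.16.5.0 255.255.255.0

! 2a. Bidirectional option: static policy NAT (partner can also initiate to 203.0.113.10)
static (inside,outside) 203.0.113.10 access-list VPN

! 2b. One-way option (use instead of 2a): policy PAT; only inside-initiated sessions
!     get replies, the partner cannot initiate connections
! nat (inside) 5 access-list VPN
! global (outside) 5 203.0.113.10

! 3. Crypto ACL must match the TRANSLATED source: NAT is applied before IPsec
!    encapsulation, so a crypto ACL written with 10.1.1.0/24 would never match
access-list CRYPTO permit ip host 203.0.113.10 172.16.5.0 255.255.255.0

! 4. Ordinary Internet traffic keeps its existing PAT rule (shown for context)
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! 5. IKE phase 1 and IPsec phase 2
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key <PRE-SHARED-KEY> address 198.51.100.1 netmask 255.255.255.255
crypto ipsec transform-set PARTNER esp-aes esp-sha-hmac
crypto map PARTNER-MAP 10 ipsec-isakmp
crypto map PARTNER-MAP 10 match address CRYPTO
crypto map PARTNER-MAP 10 set peer 198.51.100.1
crypto map PARTNER-MAP 10 set transform-set PARTNER
crypto map PARTNER-MAP interface outside
sysopt connection permit-ipsec
```

Check the result with `show xlate` (a 10.1.1.x to 203.0.113.10 entry should appear once traffic to 172.16.5.0/24 is sent) and `show crypto ipsec sa`; if the SA's local identity shows 10.1.1.0/24 rather than 203.0.113.10, the policy NAT is not matching before encryption and the partner will see untranslated addresses.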
