I hope this is the right place and that someone has come across this before as I don't have much hair left to pull out -- I'm trying to set up a tunnel between our Pix running 6.3.3 and a customer using a VPN3000.
The customer would like us to be able to do health checks on a device without allowing anything in from our private side network address range, just a single public IP address. We currently run a VPN to our disaster recovery site to allow for offsite replication, but the ACL on the other end of that VPN *does* allow for traffic from our private side network, so the config we had there wasn't all that helpful. Here's a snip of what I've been trying:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
name 172.16.1.48 Cust_DVR1
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 Cust_DVR1 255.255.255.255
access-list outside_cryptomap_30 permit ip 192.168.1.0 255.255.255.0 Cust_DVR1 255.255.255.255
ip address outside X.Y.Z.227 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
pdm location Cust_DVR1 255.255.255.255 outside
global (outside) 1 X.Y.Z.230
global (dmz1) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 set peer A.B.C.D <--- (public IP of customer device)
crypto map outside_map 30 match address centura_map_30
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp key ******** A.B.C.D netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
My hope was that anything on the 192.168.1.0/24 would be able to go out the outside interface as one of our public IPs (i.e. X.Y.Z.230), but the traffic they're seeing on the other end is coming from the 192.168.1.0 network. I tried removing the inside_outbound_nat0_acl line thinking that it would then use the global, but still not having any luck, and the only difference I can see on Kiwi Syslogd is that the src_proxy changes to 0.0.0.0 where it has been showing my private side IP address (for the purposes of the config above we'll call it 192.168.1.135).
MANY THANKS FOR ANY HELP!
For example, you can NAT the traffic from your internal network through the tunnel when going to this customer.
In this way, they will see your internal network as a single IP.
Let's say, instead of them seeing your internal 192.168.1.0/24, they will see your traffic as X.Y.Z.227
Is this what you need?
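As an added illustration of the policy NAT approach described in the reply (this is example configuration, not something posted by either participant), here is how the translation through the tunnel would be expressed in PIX 6.3 syntax. It reuses the names from the original post (Cust_DVR1, outside_cryptomap_30, the X.Y.Z.230 global) and assumes the customer's VPN3000 will be configured to permit the single translated address, X.Y.Z.230, as the remote network; the ACL name policy_nat_to_cust and the NAT id 2 are made up for this example.

```cisco
! Added example, PIX 6.3 policy NAT before IPsec. Not the poster's config.
!
! 1. The nat 0 (NAT exemption) entry is what keeps the inside hosts' real
!    addresses on the wire; exemption is matched before any other NAT rule,
!    so it must go for traffic to the customer.
no nat (inside) 0 access-list inside_outbound_nat0_acl
!
! 2. Policy NAT: only traffic from the inside LAN destined for the customer
!    device is translated, and only to the single public address the
!    customer has agreed to permit. (ACL name and NAT id 2 are assumed.)
access-list policy_nat_to_cust permit ip 192.168.1.0 255.255.255.0 Cust_DVR1 255.255.255.255
nat (inside) 2 access-list policy_nat_to_cust
global (outside) 2 X.Y.Z.230
!
! 3. The PIX applies NAT before it evaluates the crypto map for outbound
!    packets, so the crypto ACL has to match the translated source, not
!    192.168.1.0/24. With the old ACL the translated packets simply fall
!    through to the Internet unencrypted (src_proxy 0.0.0.0 in syslog).
no access-list outside_cryptomap_30 permit ip 192.168.1.0 255.255.255.0 Cust_DVR1 255.255.255.255
access-list outside_cryptomap_30 permit ip host X.Y.Z.230 host Cust_DVR1
crypto map outside_map 30 match address outside_cryptomap_30
!
! 4. Existing translations are cached; flush them so the new rule applies.
clear xlate
```

The customer side then only needs X.Y.Z.230/32 in its ACL for this tunnel, and nothing from 192.168.1.0/24 is ever presented to them. The reply mentions X.Y.Z.227 (the outside interface address) instead; `global (outside) 2 interface` would achieve that, provided the crypto ACL and the customer's ACL are changed to match that address consistently. Verify with `show crypto ipsec sa` that the local identity of the SA is X.Y.Z.230/32 rather than the private network, and with `show xlate` that inside hosts talking to Cust_DVR1 have a PAT entry to X.Y.Z.230.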