PIX 515E 6.3(5) VPN client NAT rule

born.jason
Level 1

Hi,

I'm very new to PIX and here is my simple problem:

I have created a VPN client pool from the same range as the internal IP range, for example 10.0.0.0/24 with a client VPN pool of 10.0.0.150-180. For this I have created a translation rule:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0

This worked fine, but now I don't want a pool from the same network as the inside.

Now I have created a different IP pool, 192.168.1.150-180, but I don't know what the translation rule should look like.

Is this right?

static (inside,outside) 10.0.0.0 192.168.1.0 netmask 255.255.255.0 0 0

I only want the clients from outside to be able to connect to the internal network.

Hope someone could help.

1 Reply

Hi Jason,

You don't need translation for the VPN clients to access the internal LAN.

If the internal LAN is 10.0.0.0/24 and the VPN pool is 192.168.1.x, you can do the following:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

The problem with the above command is that the internal 10.0.0.0/24 will not have Internet access.

Normally what you do is this:

access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

nat (inside) 1 10.0.0.0 255.255.255.0

global (outside) 1 interface

The above uses Policy NAT to bypass NAT between the internal network and the pool, and then PATs all the internal traffic to the Internet.

Federico.
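To make the difference between the two configurations in this reply concrete, here is an added example that is not part of the thread and not Cisco code: a toy Python model of how each NAT configuration treats traffic sourced from the inside LAN. It assumes the PIX evaluates `nat 0 access-list` (NAT exemption) before the numbered `nat`/`global` pair, uses the addressing from the thread, and uses 203.0.113.1 as a placeholder outside-interface address; `translate_static_identity`, `translate_exempt_then_pat` and `internet_reachable` are names chosen for this example.

```python
"""Toy model of the two PIX 6.3 NAT configurations from the reply.

Added example, not from the thread or from Cisco. Rule order and the
interface address are assumptions documented in the comments.
"""
import ipaddress

INSIDE_LAN = ipaddress.ip_network("10.0.0.0/24")      # internal LAN from the thread
VPN_POOL = ipaddress.ip_network("192.168.1.0/24")     # contains the 192.168.1.150-180 pool
OUTSIDE_IF_IP = ipaddress.ip_address("203.0.113.1")   # placeholder outside interface IP
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def translate_static_identity(src, dst):
    """Model of the first command in the reply:
        static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
    The whole inside LAN is translated to itself, whatever the destination,
    so Internet-bound packets leave with a private source address."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in INSIDE_LAN:
        return ("static-identity", str(src))
    return ("no-translation", str(src))


def translate_exempt_then_pat(src, dst):
    """Model of the recommended configuration:
        access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
        nat (inside) 0 access-list nonat
        nat (inside) 1 10.0.0.0 255.255.255.0
        global (outside) 1 interface
    Assumption: 'nat 0 access-list' is checked before 'nat 1', so LAN-to-pool
    traffic keeps its address and everything else from the LAN is PATed to
    the outside interface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in INSIDE_LAN and dst in VPN_POOL:
        return ("nat-exempt", str(src))
    if src in INSIDE_LAN:
        return ("pat-to-interface", str(OUTSIDE_IF_IP))
    return ("no-translation", str(src))


def internet_reachable(translation):
    """An outbound flow can get replies from the Internet only if its
    translated source address is not an RFC 1918 address."""
    _, translated_src = translation
    addr = ipaddress.ip_address(translated_src)
    return not any(addr in net for net in RFC1918)


def compare(src, dst):
    """Evaluate one inside-sourced flow under both configurations."""
    return {
        "static_identity": translate_static_identity(src, dst),
        "exempt_then_pat": translate_exempt_then_pat(src, dst),
    }


if __name__ == "__main__":
    # Constructed flows: an inside host talking to a VPN client from the pool,
    # and the same host going to a (placeholder) Internet address.
    for src, dst in (("10.0.0.10", "192.168.1.150"), ("10.0.0.10", "198.51.100.25")):
        for name, t in compare(src, dst).items():
            print(f"{src}->{dst} [{name}]: {t[0]}, leaves as {t[1]}, "
                  f"internet ok={internet_reachable(t)}")
```

Running it shows the point of the reply: under the identity static, the LAN-to-Internet flow leaves as 10.0.0.10 and cannot get replies, while under NAT exemption plus PAT the LAN-to-pool flow is untouched and the Internet flow leaves as the outside interface address.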
