IPSec VPN with No-Nat and No-Nat

Answered Question
Jun 10th, 2010

On a PIX 515 6.3(5) I currently have an IPSec VPN configured with no-nat, using all public IPs internally and on the remote. Can I add two hosts to the encryption domain that have private IPs and NAT them to the Public IP in the same Crypto Map? What commands would be involved in this?


Current config:

-------
access-list ipsectraffic_boston permit ip host PublicIP11 host PublicIP1
access-list ipsectraffic_boston permit ip host PublicIP22 host PublicIP2
access-list outside2_outbound_nat0_acl permit ip host PublicIP host PublicIP

crypto map mymap 305 match address ipsectraffic_boston
crypto map mymap 305 set peer IPAdd.
crypto map mymap 305 set transform-set ESP-3DES-SHA
crypto map mymap 305 set security-association lifetime seconds 86400 kilobytes 4608000
---------


I'd like to add two private IPs to the "access-list ipsectraffic_boston" and have them NAT to a public IP, as the remote site is requesting I NOT use private IPs. Doing this would save the effort of adding a Public IP to my internal host.


Thanks,

Dan

Correct Answer
Federico Coto F... Thu, 06/10/2010 - 13:18

Hi,


If for example you have an internal host 192.168.1.1 and you want to NAT it to public IP 200.1.1.1

You can do a static NAT:

static (in,out) 200.1.1.1 192.168.1.1


And, include the 200.1.1.1 in the crypto ACL.


Federico.
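
The answer above, written out against the names in the question, as an added example that is not part of the original posts. It assumes `outside2_outbound_nat0_acl` is the ACL applied with `nat 0 access-list`, uses `PublicIP1` from the question to stand for the remote host, and keeps the answer's sample addresses and its `in`/`out` interface shorthand.

```cisco
! Added example for PIX 6.3; not taken from the poster's running config.
! 192.168.1.1 / 200.1.1.1 are the answer's sample addresses.
! "in" / "out" are the answer's shorthand: use this PIX's nameif names.
! PublicIP1 is the question's placeholder for the remote host.

! 1. One-to-one translation of the private host to the public address.
static (in,out) 200.1.1.1 192.168.1.1 netmask 255.255.255.255

! 2. The crypto ACL names the translated (public) address, because the
!    PIX translates outbound traffic before it checks the crypto map.
access-list ipsectraffic_boston permit ip host 200.1.1.1 host PublicIP1

! 3. Leave the private host OUT of the NAT-exemption ACL. A match in
!    "nat 0 access-list" takes precedence over the static, so the packet
!    would leave untranslated and miss the crypto ACL entry above.
!    (assumption: outside2_outbound_nat0_acl is that exemption ACL)
!    -> no entry for host 192.168.1.1 in outside2_outbound_nat0_acl

! 4. Checks. clear xlate drops existing translations, so expect a brief
!    interruption for active connections.
clear xlate
show xlate
show crypto ipsec sa
```

The remote peer's crypto ACL has to mirror the new entry with 200.1.1.1 as the source-side host, otherwise phase 2 will not come up for that pair.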

pdvcisco Thu, 06/10/2010 - 14:39

Federico,


Seems straightforward. Thanks.


Dan
