IPSec VPN with No-Nat and No-Nat

pdvcisco
Level 1

On a PIX 515 6.3(5) I currently have an IPSec VPN configured with no-nat, using all public IPs internally and on the remote. Can I add two hosts to the encryption domain that have private IPs and NAT them to the Public IP in the same Crypto Map? What commands would be involved in this?

Current config:

-------

access-list ipsectraffic_boston permit ip host PublicIP11 host PublicIP1

access-list ipsectraffic_boston permit ip host PublicIP22 host PublicIP2

access-list outside2_outbound_nat0_acl permit ip host PublicIP host PublicIP

crypto map mymap 305 match address ipsectraffic_boston           
crypto map mymap 305 set peer IPAdd.          
crypto map mymap 305 set transform-set ESP-3DES-SHA           
crypto map mymap 305 set security-association lifetime seconds 86400 kilobytes 4608000

---------

I'd like to add two private IPs to the "access-list ipsectraffic_boston" and have them NAT to a public IP, as the remote site is requesting I NOT use private IPs. Doing this would save the effort of adding a Public IP to my internal host.

Thanks,

Dan

1 Accepted Solution

Hi,

If, for example, you have an internal host 192.168.1.1 and you want to NAT it to public IP 200.1.1.1, you can do a static NAT:

static (in,out) 200.1.1.1 192.168.1.1

And, include the 200.1.1.1 in the crypto ACL.

Federico.
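The answer's rule (the crypto ACL must name the translated address, not the private one) can be checked mechanically. The following is an added example, not part of the original thread: a small Python audit over PIX 6.3 style config lines. The interface names, the remote address 198.51.100.10 and the `nat (inside) 0` line are constructed assumptions, and the NAT-exemption check goes one step beyond the answer.

```python
import re

# Constructed sample in PIX 6.3 syntax. 192.168.1.1 and 200.1.1.1 come from the
# answer above; 198.51.100.10 stands in for the remote "PublicIP1", and the
# interface names inside/outside and the nat 0 line are assumptions.
SAMPLE_CONFIG = """\
static (inside,outside) 200.1.1.1 192.168.1.1 netmask 255.255.255.255
access-list ipsectraffic_boston permit ip host 200.1.1.1 host 198.51.100.10
access-list ipsectraffic_boston permit ip host 192.168.1.1 host 198.51.100.10
access-list outside2_outbound_nat0_acl permit ip host 192.168.1.1 host 198.51.100.10
nat (inside) 0 access-list outside2_outbound_nat0_acl
crypto map mymap 305 match address ipsectraffic_boston
"""

STATIC_RE = re.compile(r"^static \(\S+?,\S+?\) (\S+) (\S+)")  # mapped, then real
ACL_RE = re.compile(r"^access-list (\S+) permit ip host (\S+) host (\S+)")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")

def audit(config):
    """Return (finding, real_ip, mapped_ip) tuples for each static translation."""
    statics, acls, crypto_acls, nat0_acls = {}, {}, set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(2)] = m.group(1)          # real -> mapped
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))  # source hosts
        elif m := CRYPTO_RE.match(line):
            crypto_acls.add(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m.group(1))
    crypto_srcs = [s for a in crypto_acls for s in acls.get(a, [])]
    findings = []
    for real, mapped in statics.items():
        # Outbound traffic is translated before the crypto ACL is consulted,
        # so an entry naming the private address never matches.
        if real in crypto_srcs:
            findings.append(("crypto-acl-uses-real-address", real, mapped))
        # Without the mapped address in the crypto ACL the traffic is not
        # selected for the tunnel at all.
        if mapped not in crypto_srcs:
            findings.append(("mapped-address-missing-from-crypto-acl", real, mapped))
        # NAT exemption is evaluated before static NAT, so a nat 0 entry for
        # the private host would stop the translation from happening.
        if any(real in acls.get(a, []) for a in nat0_acls):
            findings.append(("nat0-exempts-translated-host", real, mapped))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags the private-address crypto ACL entry and the NAT-exemption entry; a config containing only the static and the 200.1.1.1 crypto ACL line returns no findings.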

Federico,

Seems straightforward. Thanks.

Dan
