Policy NAT on VPN traffic exiting the PIX inside interface

millerw1
Level 1

I currently have site to site VPN configured which works fine with the exception of policy NAT.  I want to be able to policy NAT traffic coming out of the VPN tunnel destined for the internal network.  For instance traffic from remote subnet x.x.x.x destined to y.y.y.5 would get NAT'd to the PIX inside interface IP address of y.y.y.1.

I am running Cisco PIX Firewall Version 6.3(5)

Any thoughts would be appreciated.  Thanks!

5 Replies

Hi,

So you want the ASA to decrypt the traffic, then NAT it when going to the internal network.

Don't you have the option to NAT it on the other side of the tunnel?

If not, I believe that with Policy NAT as you mentioned, it should work.

Federico.

Hi,

That is correct.  I was hoping to avoid NAT'ing on the other side of the tunnel if at all possible.  In most cases that is exactly what I would do but I have to NAT to an address on the same subnet as the PIX inside interface due to a host network limitation.

Here is the relevant part of the config which is not working:

access-list out-in-nat permit ip any host y.y.y.x

global (inside) 1 interface
nat (outside) 1 access-list out-in-nat 0 0

Try changing 'any' in the ACL to the source network or address of the remote site. Make sure that this traffic is not included in the NAT 0 access-list, because it will take precedence.

Federico.
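A quick way to check the precedence point above before touching the box, as an added example that is not from this thread: a small Python model of how PIX 6.3 orders a nat 0 access-list (NAT exemption, which matches both directions of a flow) ahead of a policy NAT ACL. The addresses and the "fixed" variant are constructed placeholders, and only plain "permit ip" ACEs are modelled.

```python
import ipaddress

# Constructed PIX 6.3-style fragments; the addresses are placeholders, not the thread's.
OVERLAPPING = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list out-in-nat permit ip 10.20.0.0 255.255.255.0 host 192.168.1.5
nat (inside) 0 access-list nonat
global (inside) 1 interface
nat (outside) 1 access-list out-in-nat 0 0
"""
# Same config, but the exemption ACE no longer covers the policy-NAT target host .5
FIXED = OVERLAPPING.replace("access-list nonat permit ip 192.168.1.0 255.255.255.0",
                            "access-list nonat permit ip host 192.168.1.10")

def _addr(tok, i):
    """Parse one PIX address spec (any | host A | A MASK) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse(config):
    """Return ({acl_name: [(src_net, dst_net)]}, exemption ACL names, policy NAT ACL names)."""
    acls, exempt, policy = {}, [], []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            src, i = _addr(tok, 4)
            dst, _ = _addr(tok, i)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[:1] == ["nat"] and "access-list" in tok:
            name = tok[tok.index("access-list") + 1]
            (exempt if tok[2] == "0" else policy).append(name)   # "nat (if) 0 ..." is exemption
    return acls, exempt, policy

def _hit(aces, s, d):
    return any(s in sn and d in dn for sn, dn in aces)

def nat_decision(config, src_ip, dst_ip):
    """Order of operations: nat 0 exemption (checked in both directions) wins over policy NAT."""
    acls, exempt, policy = parse(config)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name in exempt:
        aces = acls.get(name, [])
        if _hit(aces, s, d) or _hit(aces, d, s):
            return f"exempt:{name}"
    for name in policy:
        if _hit(acls.get(name, []), s, d):
            return f"policy-nat:{name}"
    return "none"
```

Running nat_decision(OVERLAPPING, "10.20.0.7", "192.168.1.5") shows the VPN exemption swallowing the flow, which is why the policy NAT ACL never gets a hit; the FIXED fragment lets the same flow reach out-in-nat.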

I tried changing the ACL but it is still not working.  I don't see any hits on the NAT ACL.

Did you verify that the traffic is not part of the NAT 0 ACL?

Could you post the output of:

sh run nat

sh run access-list

sh run static

Federico.
