PIX v6.3 Site to Site with Policy NAT

Answered Question
Nov 12th, 2013

Hi guys,


I need to set up a site to site with NAT because we have overlapping subnets on the other end.

They need to access two servers on our network with static IPs.


Site A: 192.168.100.0/24

Site B: 192.168.200.128/25

The other site has picked this network for NAT: 10.200.50.0/28


I need to translate

192.168.100.10 > 10.200.50.2

192.168.100.20 > 10.200.50.3

through the tunnel



This is what I've done so far, will this work? Any problem that could appear with this config?


Crypto ACL:

access-list VPN permit ip 10.200.50.0 255.255.255.240 192.168.200.128 255.255.255.128

access-list Policy_NAT1 permit ip host 192.168.100.10 192.168.200.128 255.255.255.128
access-list Policy_NAT2 permit ip host 192.168.100.20 192.168.200.128 255.255.255.128

nat (inside) 10 access-list Policy_NAT1 0 0
nat (inside) 11 access-list Policy_NAT2 0 0
global (outside) 10 10.200.50.2
global (outside) 11 10.200.50.3




Thanks in advance!

Correct Answer
Jouni Forss Tue, 11/12/2013 - 10:00

Hi,


Your configuration seems fine.


Though I guess it's a Dynamic Policy NAT/PAT configuration.


In case you wanted to configure Static Policy NAT you would have to change it a bit. I mean if you wanted a NAT configuration that would enable bidirectional connection forming, both from your site to the remote site and from the remote site to your side. You could still use the same ACLs you have configured but you would be using them in "static" configurations.


static (inside,outside) 10.200.50.2 access-list Policy_NAT1
static (inside,outside) 10.200.50.3 access-list Policy_NAT2


The consideration with both the Static Policy NAT and Dynamic Policy NAT/PAT would be that if these hosts have Static NAT configured to the direction of the "outside" interface then that Static NAT would override both of these configurations.


If you were using Dynamic Policy NAT and had a Static NAT also for the host then you would have to change to using the above mentioned Static Policy NAT to be able to override the Static NAT.


And with the above in mind the possible existing Static NAT and new Static Policy NAT might have some problems together also. In that case the ordering of the NAT rules would determine if the Static Policy NAT was ever applied. If you had the Static NAT configured already then it would override the new Static Policy NAT. The solution would be to remove the Static NAT and enter it again. This would move the Static NAT after the Static Policy NAT in the order they show up on the CLI format configuration and therefore Static Policy NAT would work for the destination addresses specified and the Static NAT for all the other destination addresses.


Hope I made any sense


Feel free to ask more if needed though


- Jouni
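To make the ordering caveat in the answer concrete, here is an added Python model (not code from the thread or from Cisco) of first-match static NAT evaluation on the PIX, using the thread's Policy_NAT1 translation and crypto ACL. The plain static NAT for 192.168.100.10 and its public address 203.0.113.10, and the destination addresses, are constructed assumptions; the model assumes, as the answer states, that static and static policy rules are evaluated in CLI order and the first match wins.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class StaticRule:
    """One 'static (inside,outside) <mapped> ...' line, kept in CLI order."""
    mapped: str                 # translated (outside) address
    real: str                   # real inside host
    dst: Optional[str] = None   # destination net from the policy ACL; None = plain static

def translate(rules: List[StaticRule], src: str, dst: str) -> Optional[str]:
    """First matching rule wins; returns the mapped source address or None."""
    d = ipaddress.ip_address(dst)
    for r in rules:
        if src != r.real:
            continue
        if r.dst is None or d in ipaddress.ip_network(r.dst):
            return r.mapped
    return None

# Crypto ACL from the question: translated source 10.200.50.0/28 -> Site B 192.168.200.128/25
CRYPTO_SRC = ipaddress.ip_network("10.200.50.0/28")
CRYPTO_DST = ipaddress.ip_network("192.168.200.128/25")

def crypto_acl_matches(mapped_src: Optional[str], dst: str) -> bool:
    """Would the translated packet be selected for the tunnel?"""
    if mapped_src is None:
        return False
    return (ipaddress.ip_address(mapped_src) in CRYPTO_SRC
            and ipaddress.ip_address(dst) in CRYPTO_DST)

# Constructed: a pre-existing plain static NAT for the same host (public IP is a placeholder)
PLAIN_STATIC = StaticRule("203.0.113.10", "192.168.100.10")
# Static Policy NAT from the answer: 10.200.50.2 only towards Site B
POLICY_STATIC = StaticRule("10.200.50.2", "192.168.100.10", "192.168.200.128/25")

def check_order(rules: List[StaticRule], src: str = "192.168.100.10",
                tunnel_dst: str = "192.168.200.130",
                other_dst: str = "198.51.100.5") -> Tuple[Optional[str], bool, Optional[str]]:
    """(mapped address towards Site B, selected for tunnel?, mapped address elsewhere)."""
    m_tunnel = translate(rules, src, tunnel_dst)
    return m_tunnel, crypto_acl_matches(m_tunnel, tunnel_dst), translate(rules, src, other_dst)

if __name__ == "__main__":
    # Plain static entered first: it shadows the policy static, tunnel never sees 10.200.50.2
    print(check_order([PLAIN_STATIC, POLICY_STATIC]))
    # Plain static removed and re-entered: policy static now precedes it
    print(check_order([POLICY_STATIC, PLAIN_STATIC]))
```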

Robin Olofsson Wed, 11/20/2013 - 08:27
Hi Jouni,


Sorry for the late reply, everything worked properly so I forgot about the thread! :-)


Thank you very much though, I made the change for the nat to static as you said. And it works!

Jouni Forss Wed, 11/20/2013 - 08:31

Hi,


Thank you for informing us how it went.


Great to hear it worked


- Jouni
