Cisco Support Community
New Member

Cisco PIX VPN "Interesting" traffic

Hello.

I have a Cisco PIX 501 with a 50 user license. I have been asked to set up a site-to-site VPN with another firewall.

My issue is that the other site is requesting that I NAT the device they want to communicate with (only 1 host) to the same IP address as the only one on the WAN side of my PIX.

Is this possible? If not, can it be done if I have another public IP address available?

Example (IP Addresses have been modified)

LAN IP - 192.168.1.0 /24

WAN IP - 66.179.42.74 /29

The device on the LAN that they want to communicate with is 192.168.1.10

Thanks,

Eric Hanke

5 REPLIES
Gold

Re: Cisco PIX VPN "Interesting" traffic

If you're using the outside IP of the PIX for global PAT (e.g. global (outside) 1 interface), you're better off using a different address, but yes, it can be done.

You will need to use policy NAT.

Your crypto ACL (interesting traffic ACL) will be based on the public/NAT'ed IP of the server.

Green

Re: Cisco PIX VPN "Interesting" traffic

Like Steven said, you're better off using another IP. Something like this would work...

x.x.x.x = some other address

access-list vpn_nat permit ip host 192.168.1.10

access-list crypto permit ip host x.x.x.x

static (inside,outside) x.x.x.x access-list vpn_nat

This will allow the remote site to communicate with 192.168.1.10 by using x.x.x.x.

New Member

Re: Cisco PIX VPN "Interesting" traffic

The problem is that the other side will not allow me to use an RFC 1918 address. They want me to NAT the private IP address of the server 192.168.1.10 to the public IP address of the firewall.

Re: Cisco PIX VPN "Interesting" traffic

Hi Eric,

access-list Pol_Nat permit ip host 192.168.1.10 remotesitenetwork remotesitenetmask

static (inside,outside) yourdesiredpublicip access-list Pol_Nat

access-list interesting_traffic permit ip host yourdesiredpublicip remotesitenetwork remotesitenetmask

crypto map xxx xxx match address interesting_traffic

Regards
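A complete PIX 6.x configuration that ties the fragments in the replies above together, added here as an example and not code posted by anyone in the thread. Assumed values: 66.179.42.75 is a spare address in the /29 (kept separate from the interface PAT address .74, as the first reply advises), 10.20.0.0/24 is the remote LAN, 203.0.113.5 is the remote VPN peer, and the AES feature licence is present.

```cisco
! Added example (not from the thread). Assumed: 66.179.42.75 spare public IP,
! 10.20.0.0/24 remote LAN, 203.0.113.5 remote peer, AES licence available.

! General internet access keeps using the outside interface address for PAT
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Policy NAT: only traffic from 192.168.1.10 towards the remote LAN is
! translated to the public address the remote side expects to see
access-list Pol_Nat permit ip host 192.168.1.10 10.20.0.0 255.255.255.0
static (inside,outside) 66.179.42.75 access-list Pol_Nat

! Crypto ACL (interesting traffic) matches the post-NAT source, since the PIX
! translates before the crypto map is evaluated on the outside interface
access-list interesting_traffic permit ip host 66.179.42.75 10.20.0.0 255.255.255.0

! IKE phase 1 (pre-shared key is a placeholder, agree parameters with the peer)
isakmp enable outside
isakmp key <pre-shared-key> address 203.0.113.5 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2

! IPsec phase 2 and the crypto map bound to the outside interface
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address interesting_traffic
crypto map vpnmap 10 set peer 203.0.113.5
crypto map vpnmap 10 set transform-set ESP-AES-SHA
crypto map vpnmap interface outside

! Let decrypted tunnel traffic bypass the outside interface ACL
sysopt connection permit-ipsec
```

Because the static is tied to Pol_Nat, only the one host reaches the remote LAN through the translated address; everything else from 192.168.1.0/24 still goes out via the interface PAT and never matches the crypto ACL.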

New Member

Re: Cisco PIX VPN "Interesting" traffic

Dear Mr. Eric,

As far as I understand your query, this is not an issue at all. Actually, your other side wants you to NAT the host on your side to an IP that they may provide you, most probably their LAN IP, so you simply NAT that host to the IP that they provide you.

Thanks & Regards,

Rashid Ghazanfar
