Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
299
Views
0
Helpful
4
Replies

Nat VPN address on Pix 515E

bschear
Level 1
Level 1

‎04-22-2009 05:34 AM - edited ‎03-11-2019 08:21 AM

I have an internal address 192.168.1.16 but we want the other end of the VPN tunnel to communicate with 172.16.5.1 instead and use NAT because of an overlapping address range. Does anyone have a an example configuration of something like this.

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎04-22-2009 05:43 AM

FW1 = firewall at site where 192.168.1.16 is.

FW2 = firewall at remote end

Config bits that are needed for the NAT setup and the VPN crypto map

FW1

static (inside,outside) 172.16.5.1 192.168.1.16

access-list vpntraffic permit ip host 172.16.5.1 host 192.168.1.16

crypto map vpnmap 1 match address vpntraffic

FW2

access-list vpntraffic permit ip host 192.168.1.16 host 172.16.5.1

crypto map vpnmap 1 match address vpntraffic

Note that the 192.168.1.16 referenced in FW2 config is actually a client machine behind FW2 and not the 192.168.1.16 machine behind FW1.

Jon

0 Helpful

mfawehin
Level 1
Level 1
In response to Jon Marshall

‎04-22-2009 10:54 PM

Hi Jon, bschear I'm sorry to gatecrash your post but I have to configure a setup with cisco encryption routers on either end of my VPN tunnel.

The 3rd party parners have a firewall connected to the encryption router (which is my tunnel endpoint) and they are NAT'ing their internal addresses so I'm a bit confused as to how I set up the acl's for interesting traffic on my side.

Do I permit access to the NAT'ed or original addresses?

Is there anything I need to configure on my router regarding the NAT'ing on the other end of the tunnel?

Again, I'm sorry for posting my question here but I thought i'd be quicker to get a response as you obviously know about VPN's and NAT configuration.

Mant thanks,

Martha.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to mfawehin

‎04-23-2009 01:49 AM

Martha

You need to use the natted address in your access-list for the interesting traffic because you will never see the 3rd parties internal addresses.

Jon

0 Helpful

mfawehin
Level 1
Level 1
In response to Jon Marshall

‎04-23-2009 04:15 AM

Thanks Jon for the prompt response, that is what I put in my access-list but its not working. I will troubleshoot further with the 3rd party company as I'm pretty sure my config is fine.

Thanks again,

Martha.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card