Cisco Support Community
New Member

Nat VPN address on Pix 515E

I have an internal address 192.168.1.16, but we want the other end of the VPN tunnel to communicate with 172.16.5.1 instead and use NAT because of an overlapping address range. Does anyone have an example configuration of something like this?

4 REPLIES
Hall of Fame Super Blue

Re: Nat VPN address on Pix 515E

FW1 = firewall at site where 192.168.1.16 is.

FW2 = firewall at remote end

Config bits that are needed for the NAT setup and the VPN crypto map:

FW1

static (inside,outside) 172.16.5.1 192.168.1.16

access-list vpntraffic permit ip host 172.16.5.1 host 192.168.1.16

crypto map vpnmap 1 match address vpntraffic

FW2

access-list vpntraffic permit ip host 192.168.1.16 host 172.16.5.1

crypto map vpnmap 1 match address vpntraffic

Note that the 192.168.1.16 referenced in the FW2 config is actually a client machine behind FW2, not the 192.168.1.16 machine behind FW1.

Jon

New Member

Re: Nat VPN address on Pix 515E

Hi Jon, bschear, I'm sorry to gatecrash your post, but I have to configure a setup with Cisco encryption routers on either end of my VPN tunnel.

The 3rd-party partners have a firewall connected to the encryption router (which is my tunnel endpoint), and they are NATing their internal addresses, so I'm a bit confused as to how I set up the ACLs for interesting traffic on my side.

Do I permit access to the NATed or the original addresses?

Is there anything I need to configure on my router regarding the NATing on the other end of the tunnel?

Again, I'm sorry for posting my question here, but I thought it'd be quicker to get a response, as you obviously know about VPNs and NAT configuration.

Many thanks,

Martha.

Hall of Fame Super Blue

Re: Nat VPN address on Pix 515E

Martha

You need to use the NATed address in your access-list for the interesting traffic, because you will never see the 3rd party's internal addresses.

Jon
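The rule in Jon's two replies (the firewall doing the static NAT writes its crypto ACL with the mapped address, because translation happens before the crypto map is consulted, and the peer's crypto ACL must be the exact mirror of it) is the kind of thing that is easy to get wrong by hand. Below is an added example, not part of this thread and not Cisco tooling: a small Python checker that parses `static` and `access-list` lines in the PIX 6.x form Jon used, flags a crypto ACE that still references a real (pre-NAT) address, and confirms the peer ACL mirrors the NAT side. The config lines are constructed from the thread's values; the deliberately wrong ACL, the function names and the single-line `static`/`access-list` forms it accepts are my assumptions.

```python
"""Added example: consistency check for a crypto-ACL pair across a static NAT.

Not from the thread or from Cisco. Accepts PIX 6.x style lines of the form
  static (real_ifc,mapped_ifc) MAPPED REAL [netmask MASK]
  access-list NAME permit PROTO SRC DST   (SRC/DST = host A | any | A MASK)
"""
import re
from ipaddress import IPv4Network

# Constructed sample lines using the thread's addresses (assumed, not a real site).
FW1_STATICS = ["static (inside,outside) 172.16.5.1 192.168.1.16"]
FW1_CRYPTO_ACL = ["access-list vpntraffic permit ip host 172.16.5.1 host 192.168.1.16"]
FW2_CRYPTO_ACL = ["access-list vpntraffic permit ip host 192.168.1.16 host 172.16.5.1"]
# Assumed mistake: FW1 matches on its own real address. This never matches,
# because the static translation is applied before the crypto map lookup.
FW1_CRYPTO_ACL_WRONG = ["access-list vpntraffic permit ip host 192.168.1.16 host 192.168.1.16"]

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)(?: netmask (\S+))?")


def parse_statics(lines):
    """Return {real_network: mapped_network} for each recognised static line."""
    out = {}
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mapped, real, mask = m.group(3), m.group(4), m.group(5) or "255.255.255.255"
        out[IPv4Network(f"{real}/{mask}")] = IPv4Network(f"{mapped}/{mask}")
    return out


def _parse_addr(tokens, i):
    """Parse one ACL address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2  # "A MASK" form


def parse_ace(line):
    """Parse 'access-list NAME permit PROTO SRC DST' into (name, proto, src, dst)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return t[1], t[3], src, dst


def check_crypto_pair(nat_side_acl, peer_acl, nat_side_statics):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    nat_side = [parse_ace(l) for l in nat_side_acl]
    peer = [parse_ace(l) for l in peer_acl]

    # 1. The NAT side must select traffic by its mapped (post-translation) address.
    for name, _proto, src, _dst in nat_side:
        for real, mapped in nat_side_statics.items():
            if src.subnet_of(real):
                problems.append(
                    f"ACL {name}: source {src} is a real address; static maps it "
                    f"to {mapped}, so the crypto ACE must use {mapped}"
                )

    # 2. The peer's crypto ACL must be the exact mirror (src/dst swapped).
    expected = {(proto, dst, src) for _, proto, src, dst in nat_side}
    actual = {(proto, src, dst) for _, proto, src, dst in peer}
    for proto, src, dst in sorted(expected - actual, key=str):
        problems.append(f"peer is missing mirror entry: permit {proto} {src} {dst}")
    for proto, src, dst in sorted(actual - expected, key=str):
        problems.append(f"peer entry has no counterpart: permit {proto} {src} {dst}")
    return problems


if __name__ == "__main__":
    statics = parse_statics(FW1_STATICS)
    print("thread config:", check_crypto_pair(FW1_CRYPTO_ACL, FW2_CRYPTO_ACL, statics) or "OK")
    print("real-address mistake:", check_crypto_pair(FW1_CRYPTO_ACL_WRONG, FW2_CRYPTO_ACL, statics))
```

Run it as a script and the thread's configuration passes, while the variant that selects on 192.168.1.16 at FW1 is reported both as using a pre-NAT address and as having no mirror on FW2. The same mirror check is what Martha needs on the router side: her interesting-traffic ACL should name the partner's mapped addresses, and the partner's ACL should be the swap of hers.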

New Member

Re: Nat VPN address on Pix 515E

Thanks, Jon, for the prompt response. That is what I put in my access-list, but it's not working. I will troubleshoot further with the 3rd-party company, as I'm pretty sure my config is fine.

Thanks again,

Martha.
