PIX VPN / NAT problem

kasame141006
Level 1

Hi all,

I am trying to configure a VPN setup. I have configured the crypto map and ISAKMP configuration, but as for the ACL and NAT problem, I face the following issue.

I want to establish a VPN tunnel from a PIX to another IPSec gateway where the local host IP gets NATted as follows:

Local Host: 172.16.10.1. This host should be NATted to an IP, say, 10.10.10.2

Destination host: 172.20.10.2

Remote Peer: 209.206.81.71

User from 172.16.10.1 should only be able to access the FTP service on the destination host.

Could someone advise me on the config to be done on the PIX? I know the IKE and IPSec config to be done but how do I handle access-lists and NAT?

1 Reply 1

kasame141006
Level 1

Hi all,

For those who were unable to understand my question, and even for those who were about to answer: I have finally completed what I wanted to do, so I thought I should share it.

I did the following:

-- Define a conditional NAT process to NAT 172.16.10.1 to 10.10.10.2, but only if going to destination 172.20.10.2

access-list conditional_nat permit ip host 172.16.10.1 host 172.20.10.2

global (outside) 20 x.x.10.2

nat (inside) 20 access-list conditional_nat

-- Define traffic to be encrypted. This now includes the NATted 10.10.10.2 address and not the original host IP

access-list special_vpn permit ip host 10.10.10.2 host 172.20.10.2

crypto map yourmap match address special_vpn

crypto map yourmap set peer 209.x.x.71

-- Restrict outbound VPN to only FTP

access-list outbound_restrict permit tcp host 172.16.10.1 host 172.20.10.2 eq ftp

access-list outbound_restrict permit tcp host 172.16.10.1 host 172.20.10.2 eq ftp-data

access-list outbound_restrict deny ip host 172.16.10.1 host 172.20.10.2

access-list outbound_restrict permit ip any any

access-group outbound_restrict in interface inside

Hope this helps anyone like me.
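
The evaluation order this configuration relies on, as an added example that is not part of the original post: a simplified Python model that assumes the inside interface ACL is checked against the real source address, policy NAT is applied next, and the crypto ACL is matched against the translated address. The `acl_permits` and `evaluate` helpers and the test packets are constructed for illustration, and the masked `global` address is taken to be 10.10.10.2 as the post's text states; the last case shows a crypto ACL written with the pre-NAT address failing to select the traffic.

```python
# Simplified model of the three ACLs in the post (first match wins, implicit deny).
# Rule format: (action, protocol, source, destination, destination port); None = any.
PORTS = {"ftp": 21, "ftp-data": 20}
SRC, NAT_IP, DST = "172.16.10.1", "10.10.10.2", "172.20.10.2"

OUTBOUND_RESTRICT = [
    ("permit", "tcp", SRC, DST, PORTS["ftp"]),
    ("permit", "tcp", SRC, DST, PORTS["ftp-data"]),
    ("deny", "ip", SRC, DST, None),
    ("permit", "ip", None, None, None),
]
CONDITIONAL_NAT = [("permit", "ip", SRC, DST, None)]
SPECIAL_VPN = [("permit", "ip", NAT_IP, DST, None)]


def acl_permits(acl, proto, src, dst, dport):
    """Return True if the first matching entry is a permit; no match is a deny."""
    for action, r_proto, r_src, r_dst, r_port in acl:
        if (r_proto in ("ip", proto) and r_src in (None, src)
                and r_dst in (None, dst) and r_port in (None, dport)):
            return action == "permit"
    return False


def evaluate(proto, src, dst, dport, crypto_acl=SPECIAL_VPN):
    """Return (verdict, source address after NAT) for one packet entering 'inside'."""
    # 1. The interface ACL sees the real, pre-NAT source address.
    if not acl_permits(OUTBOUND_RESTRICT, proto, src, dst, dport):
        return ("dropped", None)
    # 2. Policy NAT rewrites the source only for traffic matching conditional_nat.
    nat_src = NAT_IP if acl_permits(CONDITIONAL_NAT, proto, src, dst, dport) else src
    # 3. The crypto ACL is matched against the translated source.
    if acl_permits(crypto_acl, proto, nat_src, dst, dport):
        return ("encrypted", nat_src)
    # Other NAT rules on the device are not modelled here.
    return ("not_tunnelled", nat_src)


if __name__ == "__main__":
    wrong_crypto = [("permit", "ip", SRC, DST, None)]  # pre-NAT address: never matches
    cases = [
        ("tcp", SRC, DST, 21, SPECIAL_VPN),   # FTP control
        ("tcp", SRC, DST, 23, SPECIAL_VPN),   # telnet to the same host
        ("tcp", SRC, "198.51.100.7", 80, SPECIAL_VPN),  # constructed unrelated host
        ("tcp", SRC, DST, 21, wrong_crypto),
    ]
    for proto, s, d, port, acl in cases:
        print(proto, s, d, port, "->", evaluate(proto, s, d, port, acl))
```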
