I have set up an L2L VPN for a customer in which the vendor requires their IPs to be NATted when they come across. So, I have set up policy NAT on their PIX for the L2L VPN. Here is a snip of the NAT config:
access-list nat-to-vendor permit ip 192.168.10.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 192.168.20.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 192.168.30.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 10.4.224.0 255.255.255.0 172.22.1.0 255.255.255.0
global (outside) 100 10.11.46.33-10.11.46.62 netmask 255.255.255.224
global (outside) 1 interface
global (outside) 2 x.x.x.x
global (outside) 3 y.y.y.y
global (dmz) 1 interface
nat (inside) 0 access-list nonatvpn
nat (inside) 100 access-list nat-to-vendor 0 0
nat (inside) 2 192.168.10.7 255.255.255.255 0 0
nat (inside) 3 192.168.10.40 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
The policy NAT works; however, once a machine attempts a connection to the vendor using a 172.22.1.x destination address, it can no longer get to the Internet. Checking the xlate table, there are 2 entries for the machine, one for the policy NAT (ID 100) and one for the regular NAT (ID 1). And, if I clear the xlate entry for the policy NAT, the machine can then get to the Internet. But, one ping to the 172.22.1.x network and Internet access is lost. It is a PIX running 6.3(3).
Am I doing this wrong or does anyone have any other suggestions?
Thanks for the reply. However, I found that this issue is a bug in PIX version 6.3.3. The bug ID is CSCec63822. The workaround is to use policy NAT for the Internet traffic, or upgrade. I used the workaround, somewhat similar to what you have proposed, and the issue was resolved.
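As an added illustration (not from the thread or from Cisco), the Python model below reproduces the symptom and the workaround described above. It assumes a simplified lookup: a flow hitting a non-policy nat statement reuses any existing xlate for the source host and prefers a policy-NAT one, while a policy-NAT flow only reuses an xlate built by its own NAT id. The host and Internet addresses are constructed; the pools come from the posted config.

```python
import ipaddress

# Constructed model of the NAT behaviour described in the thread. It is not
# Cisco's implementation: the assumption is that a flow matching a non-policy
# nat statement reuses any existing xlate for the source host (policy-NAT
# xlates first), while a policy-NAT flow only reuses an xlate for its own id.

VENDOR_POOL = "10.11.46.33"        # first address of global (outside) 100
OUTSIDE_IF = "outside-interface"   # global (outside) 1 interface

def nat_rules(internet_as_policy):
    """NAT statements in match order (policy NAT before regular NAT).
    internet_as_policy=True turns the catch-all nat (inside) 1 into policy NAT
    with an any/any access-list, modelling the workaround the poster applied."""
    vendor_acl = [(f"{net}/24", "172.22.1.0/24") for net in
                  ("192.168.10.0", "192.168.20.0", "192.168.30.0", "10.4.224.0")]
    return [
        {"id": 100, "acl": vendor_acl, "policy": True, "global": VENDOR_POOL},
        {"id": 1, "acl": [("0.0.0.0/0", "0.0.0.0/0")],
         "policy": internet_as_policy, "global": OUTSIDE_IF},
    ]

def match_rule(src, dst, rules):
    """First NAT statement whose access-list permits the (src, dst) pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in rule["acl"]):
            return rule
    raise LookupError(f"no NAT statement for {src} -> {dst}")

def translate(flows, internet_as_policy=False):
    """Return the global address each flow is sourced from, in flow order."""
    rules = nat_rules(internet_as_policy)
    policy_ids = {r["id"] for r in rules if r["policy"]}
    xlates = {}   # (src, nat_id) -> global address, as 'show xlate' would list
    used = []
    for src, dst in flows:
        rule = match_rule(src, dst, rules)
        key = (src, rule["id"])
        if rule["policy"]:
            hit = xlates.get(key)
        else:  # modelled 6.3(3) behaviour: any xlate for the host, policy first
            hits = sorted((k for k in xlates if k[0] == src),
                          key=lambda k: k[1] not in policy_ids)
            hit = xlates[hits[0]] if hits else None
        if hit is None:
            hit = xlates.setdefault(key, rule["global"])
        used.append(hit)
    return used

HOST = "192.168.10.5"                # constructed inside host
FLOWS = [(HOST, "198.51.100.7"),     # normal Internet traffic, xlate for ID 1
         (HOST, "172.22.1.10"),      # one ping to the vendor, xlate for ID 100
         (HOST, "198.51.100.7")]     # Internet again: which xlate is reused?
```

With the original config, `translate(FLOWS)` shows the third flow leaving from the vendor pool; with `internet_as_policy=True` each flow class keeps its own xlate and the Internet flow uses the outside interface again.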