Cisco Support Community
New Member

Is Site-to-Site VPN using NAT possible?

How do I establish a site-to-site VPN connection on a PIX 515E using valid IP addresses?

Normally site-to-site VPNs are established using private IP subnets.

How is it done using public IPs?

Regards

Mahavir

3 REPLIES
Silver

Re: Is Site-to-Site VPN using NAT possible?

The same way - have crypto access lists classify the traffic you want to encrypt. I have done site-to-site with legit netblocks on both sides, and with RFC 1918 addresses not natted on one end.

New Member

Re: Is Site-to-Site VPN using NAT possible?

Thanks for that.

What I want to do is NAT a whole subnet of my network (one of the VLANs) to a valid IP, then create an access-list accordingly to encrypt the traffic.

So can I use dynamic NAT (or PAT) for establishing a site-to-site VPN?

Thanks

Regards

Mahavir

Silver

Re: Is Site-to-Site VPN using NAT possible?

global (outside) 5 123.123.123.123 netmask 255.255.255.0

nat (inside) 5 192.168.1.0 255.255.255.0

"5" links that nat statement to that global. Thus, for that subnet, we have enabled PAT for internet access.

Then you can add nat (inside) 0 access-list statements, whose ACL statements exclude destination subnets from natting. You can use these same ACLs as crypto ACLs when you configure your tunnels. That way NAT is not used for the site-to-site tunnel.
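
The approach described in the reply above, written out as one configuration (an added example, not part of the original thread). It assumes PIX OS 6.3-style syntax; the remote subnet 10.20.0.0/24, the peer address 203.0.113.2, the names NONAT-VPN, VPNSET and VPNMAP, and the key placeholder are all hypothetical.

```cisco
: PAT for ordinary Internet traffic from the inside subnet (from the reply above)
global (outside) 5 123.123.123.123 netmask 255.255.255.0
nat (inside) 5 192.168.1.0 255.255.255.0

: One ACL naming the site-to-site traffic (remote subnet is hypothetical)
access-list NONAT-VPN permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.255.0

: nat 0 exempts traffic matching the ACL from the PAT rule above
nat (inside) 0 access-list NONAT-VPN

: Phase 1 (IKE) policy and pre-shared key; replace the placeholder key
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

: Phase 2: the same ACL is reused as the crypto ACL
crypto ipsec transform-set VPNSET esp-aes-256 esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address NONAT-VPN
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set VPNSET
crypto map VPNMAP interface outside

: Let decrypted tunnel traffic bypass the outside interface ACL
sysopt connection permit-ipsec
```

The peer needs a mirror-image crypto ACL (source and destination swapped), otherwise phase 2 proxy identities will not match. Traffic to any destination not listed in NONAT-VPN still leaves through the PAT address unencrypted.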
