09-14-2006 12:11 AM - edited 02-21-2020 02:37 PM
Hi all,
We currently have a PIX in our LAN. There is a site-to-site VPN tunnel between this PIX and another network in a foreign country.
We have several networks in our LAN.
The VPN tunnel concerns one network: 192.50.175.0/24,
and the network at the other site is 192.100.24.0/21.
A part of the configuration:
access-list inside_nat0_outbound permit ip 192.50.175.0 255.255.255.0 192.100.24.0 255.255.248.0
nat (inside) 0 access-list inside_nat0_outbound
As I said before, we have several networks.
In particular, we have 192.50.160.0/24 too.
And we would like this network to be able to use the VPN tunnel too.
But the other site doesn't want to route our other network in their LAN.
They suggest that we NAT from 192.50.160.0/24 to an IP address on the 192.50.175.0/24 network, so users in network 192.50.160.0/24 can use the VPN tunnel too.
Do you know if it's possible to do that with my PIX? And how?
It's a PIX-515-DMZ, v6.3(5).
Any help would be much appreciated!
Thanks
09-14-2006 06:09 AM
This is possible via policy nat but there is a caveat. You can nat all hosts on your 192.50.160.0 to an available address on your 192.50.175.0 network. But they will not be able to elicit connections from the other side to these translated hosts.
Check out this guide:
HTH
09-14-2006 06:31 AM
Hi,
Thank you for your answer, but I have a doubt about how to configure the policy NAT...
I am thinking of something like this:
access-list NET1 permit ip 192.50.160.0 255.255.255.0 192.100.24.0 255.255.248.0
nat (inside) 11 access-list NET1
global (outside) 11 192.50.175.129 255.255.255.255
But I wonder if this configuration is OK. Can the IP address 192.50.175.129 (which is an available address on my inside network) be configured as a global address on the outside interface?
Thank you in advance for your help!
Best wishes
09-14-2006 06:46 AM
You are right on. Only thing is that you have to make sure this nat 11 occurs before any other nat that might also include the source address that you want to policy nat. For example, if you have a config like:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
(This is very common)
Then your policy nat won't work because it would match the nat 1 before nat 11. So if you have such a scenario you will have to move things around a bit. As always when working on nat config, you will want to clear xlate after making the changes.
HTH
09-14-2006 07:00 AM
Indeed, I have the two lines:
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
However, are you sure that the PIX will match nat 1 before nat 11?
In the documentation of PIX 7.0, I read:
Order of NAT Commands Used to Match Real Addresses:
1. NAT exemption (nat 0 access-list)
2. Static NAT and Static PAT (regular and policy) (static)
3. Policy dynamic NAT (nat access-list)
4. Regular dynamic NAT (nat)
My PIX has version 6. But maybe it's the same?
Thank you again for your help,
09-14-2006 08:15 AM
Good point. You may be fine then.
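To make the precedence question concrete, here is an added example (not from the thread or from Cisco) that models the match order the poster quoted from the PIX 7.0 documentation against the three NAT rules discussed above. It assumes PIX 6.3(5) evaluates rules in that same order, which the thread leaves open, and the rule table and test addresses are constructed.

```python
"""Model of PIX NAT rule precedence for the thread's configuration.

Added example, not from the original thread or Cisco's code. It applies the
match order the poster quoted from the PIX 7.0 documentation (nat 0 exemption,
static, policy dynamic NAT, regular dynamic NAT); whether PIX 6.3(5) evaluates
rules in the same order is an assumption the thread leaves open.
"""
from ipaddress import ip_address, ip_network

# Rule kinds in match precedence order; the lowest value wins.
PRECEDENCE = {"exempt": 0, "static": 1, "policy": 2, "regular": 3}

# Constructed rule table reproducing the thread's inside->outside config.
# (kind, nat id, source ACL network, destination ACL network, translation)
RULES = [
    ("exempt", 0, "192.50.175.0/24", "192.100.24.0/21", None),               # nat 0 access-list
    ("policy", 11, "192.50.160.0/24", "192.100.24.0/21", "192.50.175.129"),  # nat 11 + global 11
    ("regular", 1, "0.0.0.0/0", "0.0.0.0/0", "interface"),                   # nat 1 + global 1 interface
]


def select_nat(src: str, dst: str, rules=RULES):
    """Return (kind, nat_id, translation) for the rule that applies to a flow.

    Candidates are all rules whose source/destination ACL matches the flow;
    the winner is the one with the highest precedence, not the lowest nat id,
    which is why nat 11 can beat the catch-all nat 1 even though 1 < 11.
    """
    s, d = ip_address(src), ip_address(dst)
    matches = [
        r for r in rules
        if s in ip_network(r[2]) and d in ip_network(r[3])
    ]
    if not matches:
        return None
    kind, nat_id, _, _, xlate = min(matches, key=lambda r: PRECEDENCE[r[0]])
    return kind, nat_id, xlate


if __name__ == "__main__":
    # The VPN-concerned network is exempted: it enters the tunnel untranslated.
    print(select_nat("192.50.175.10", "192.100.25.1"))
    # The extra network is policy-NATted to the spare 192.50.175.129 address.
    print(select_nat("192.50.160.5", "192.100.25.1"))
    # Ordinary Internet traffic still falls through to nat 1 / interface PAT.
    print(select_nat("192.50.160.5", "198.51.100.7"))
```

Swapping the `min` for a lowest-nat-id rule shows the failure mode the responder worried about: every 192.50.160.0/24 flow would then land on nat 1 and never reach the tunnel.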
09-14-2006 11:50 PM
OK, I will try this configuration.
Thank you again for your help!