NAT and Site-to-site VPN

huynhkhay
Level 1

Hi all,

We currently have a PIX in our LAN. There is a site-to-site VPN tunnel between this PIX and another network in a foreign country.

We have several networks in our LAN.

The VPN tunnel concerns one network: 192.50.175.0/24.

and the network at the other site is:

192.100.24.0/21

A part of the configuration:

access-list inside_nat0_outbound permit ip 192.50.175.0 255.255.255.0 192.100.24.0 255.255.248.0

nat (inside) 0 access-list inside_nat0_outbound

As I said before, we have several networks.

In particular, we have 192.50.160.0/24 too.

And we would like this network to be able to use the VPN tunnel too.

But, the other site doesn't want to route our other network in their LAN.

They suggested that we NAT from 192.50.160.0/24 to an IP address in 192.50.175.0/24, so that users in network 192.50.160.0/24 can use the VPN tunnel too.

Do you know if it's possible to do that with my PIX? And how?

It's a PIX-515-DMZ, v6.3(5).

Any help would be much appreciated!

Thanks

6 Replies

mmorris11
Level 4

This is possible via policy nat but there is a caveat. You can nat all hosts on your 192.50.160.0 to an available address on your 192.50.175.0 network. But they will not be able to elicit connections from the other side to these translated hosts.

Check out this guide:

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113601

HTH

Hi,

Thank you for your answer, but I have a doubt about how to configure the policy NAT...

I am thinking of something like this:

access-list NET1 permit ip 192.50.160.0 255.255.255.0 192.100.24.0 255.255.248.0

nat (inside) 11 access-list NET1

global (outside) 11 192.50.175.129 255.255.255.255

But I wonder if this configuration is OK... Can the IP address 192.50.175.129 (which is an available address on my inside network) be configured as a global address on the outside interface?

Thank you in advance for your help!

Best wishes

You are right on. Only thing is that you have to make sure this nat 11 occurs before any other nat that might also include the source address that you want to policy nat. For example, if you have a config like:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

(This is very common)

Then your policy nat won't work because it would match the nat 1 before nat 11. So if you have such a scenario you will have to move things around a bit. As always when working on nat config, you will want to clear xlate after making the changes.

HTH

Indeed, I have the two lines:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface

However, are you sure that the PIX will match nat 1 before nat 11?

In the documentation of PIX 7.0, I read:

Order of NAT Commands Used to Match Real Addresses:

1. NAT exemption (nat 0 access-list)

2. Static NAT and Static PAT (regular and policy) (static)

3. Policy dynamic NAT (nat access-list)

4. Regular dynamic NAT (nat)

My PIX has version 6. But maybe it's the same?

Thank you again for your help,
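To make the order-of-operations question concrete, here is an added Python model (not PIX code and not from the thread) that applies the 7.0 lookup order quoted above to the three NAT statements posted in this thread; the `ordered_by_type` flag is an assumption used only to contrast that precedence with plain listing order.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lookup precedence as quoted from the PIX 7.0 documentation in this thread:
# 1 exemption (nat 0 access-list), 2 static, 3 policy dynamic NAT, 4 regular dynamic NAT.
PRECEDENCE = {"exempt": 1, "static": 2, "policy": 3, "dynamic": 4}


@dataclass
class NatRule:
    kind: str                              # key of PRECEDENCE
    nat_id: int                            # the N in "nat (inside) N"
    src: ipaddress.IPv4Network             # real (inside) addresses matched
    dst: Optional[ipaddress.IPv4Network]   # None = any destination
    global_addr: Optional[str]             # None = source left untranslated


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed from the statements posted in this thread, in configuration order.
THREAD_RULES: List[NatRule] = [
    NatRule("dynamic", 1, net("0.0.0.0/0"), None, "interface"),   # nat (inside) 1 0.0.0.0 0.0.0.0
    NatRule("exempt", 0, net("192.50.175.0/24"), net("192.100.24.0/21"), None),  # nat (inside) 0 access-list
    NatRule("policy", 11, net("192.50.160.0/24"), net("192.100.24.0/21"), "192.50.175.129"),  # nat (inside) 11
]


def match_nat(rules: List[NatRule], src_ip: str, dst_ip: str,
              ordered_by_type: bool = True) -> Optional[NatRule]:
    """First rule matching (src, dst). ordered_by_type=True applies the documented
    precedence; False walks the rules in listing order (first match wins)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    candidates = sorted(rules, key=lambda r: PRECEDENCE[r.kind]) if ordered_by_type else rules
    for rule in candidates:
        if src in rule.src and (rule.dst is None or dst in rule.dst):
            return rule
    return None


def translate(rules: List[NatRule], src_ip: str, dst_ip: str,
              ordered_by_type: bool = True) -> Tuple[Optional[int], str]:
    """(nat id used, source address as seen on the outside interface)."""
    rule = match_nat(rules, src_ip, dst_ip, ordered_by_type)
    if rule is None:
        return None, src_ip
    return rule.nat_id, rule.global_addr or src_ip


if __name__ == "__main__":
    for s, d in [("192.50.160.10", "192.100.25.1"), ("192.50.175.10", "192.100.25.1"),
                 ("192.50.160.10", "203.0.113.5")]:
        print(s, "->", d, "by type:", translate(THREAD_RULES, s, d),
              "listing order:", translate(THREAD_RULES, s, d, False))
```

Under the documented precedence a 192.50.160.0/24 host bound for the remote /21 hits nat 11 and leaves as 192.50.175.129; in listing order the catch-all nat 1 would claim it first.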

Good point. You may be fine then.

OK, I will try this configuration.

Thank you again for your help!