NAT prior to entering the VPN tunnel

pthomsett
Level 1

We have a number of remote PIX sites that we want to connect to a central site VPN concentrator. As the remote sites are not under our control, some of them have overlapping addressing. Is it possible to NAT packets destined for the tunnel prior to entering it? If so, how is this done?

NAT or PAT may be running separately on unencrypted traffic destined for the Internet, so we want to keep our NAT separate from this (possibly supply our own address scheme for them to follow).

Rgds

Paul

2 Replies

gfullage
Cisco Employee

This will be possible with policy NAT in 6.3(2) code in the PIX, due out in a week or so.

This works similar to a "nat 0 access-list" command, but allows you to actually NAT the traffic based on source and destination, rather than just source.

Let's say your local network is 10.1.1.0/24 and the remote network is 10.2.2.0/24, but you want to change the 10.1.1.0/24 traffic to 10.3.3.1. Something like the following will do the trick:

access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 50 access-list 100
global (outside) 50 10.3.3.1

Then encrypt the already-NAT'd traffic with:

access-list crypto permit ip host 10.3.3.1 10.2.2.0 255.255.255.0
nat (inside) 0 access-list crypto
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer ....
crypto map mymap 10 match address crypto
crypto map mymap 10 set transform-set ....
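As an added example that is not part of the original thread or of any Cisco tool, here is a small Python checker for the pattern in the reply above: it parses the access-list, nat, global and crypto map lines of a PIX 6.3 fragment, works out which (source, destination) pairs actually reach the crypto map after translation (nat 0 exemption is honoured ahead of policy NAT, as the PIX does), and flags the three things that go wrong when NAT is done before the tunnel: flows that no crypto ACE covers (they leave unencrypted or are dropped), crypto ACEs written against the pre-NAT inside network, and translated sources that still overlap the remote network. It goes slightly beyond the thread's single case by accepting "any", "host" and A-B global ranges. The sample configs are constructed from the reply; `parse_pix`, `translated_flows` and `audit` are names of this example, not PIX commands.

```python
import ipaddress

# Constructed sample: the PIX 6.3 fragment from the reply above, with the
# protocol keyword and crypto-map sequence numbers filled in. The peer and
# transform-set lines are left out; the checker does not need them.
PIX_GOOD = """
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 50 access-list 100
global (outside) 50 10.3.3.1
access-list crypto permit ip host 10.3.3.1 10.2.2.0 255.255.255.0
nat (inside) 0 access-list crypto
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address crypto
"""

# The same fragment with the classic mistake: the crypto ACL names the
# pre-NAT inside network instead of the translated address.
PIX_STALE = PIX_GOOD.replace(
    "access-list crypto permit ip host 10.3.3.1",
    "access-list crypto permit ip 10.1.1.0 255.255.255.0")


def _addr(t, i):
    """Parse one ACL address at t[i]: 'any', 'host A' or 'A MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_pix(config):
    """Collect 'permit ip' ACEs, nat id -> ACL, global pools and crypto ACL names."""
    acls, nat, pools, crypto_names = {}, {}, {}, set()
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"] and len(t) > 4 and t[3] == "access-list":
            nat[int(t[2])] = t[4]
        elif t[:1] == ["global"] and t[3] != "interface":
            lo, _, hi = t[3].partition("-")      # single address or an A-B range
            pools.setdefault(int(t[2]), []).extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)))
        elif t[:2] == ["crypto", "map"] and "address" in t:
            crypto_names.add(t[t.index("address") + 1])
    return acls, nat, pools, crypto_names


def translated_flows(acls, nat, pools):
    """Post-NAT (src, dst) pairs as seen on the outside interface.

    nat 0 (exemption) is evaluated before policy NAT, so an ACE fully covered
    by a nat 0 ACE leaves untranslated; every other ACE's source becomes the
    global pool of its nat id. Partial overlap between a nat 0 ACE and a
    policy ACE is not modelled.
    """
    exempt = acls.get(nat.get(0, ""), [])
    flows = set(exempt)
    for nat_id, acl in nat.items():
        if nat_id == 0:
            continue
        for src, dst in acls.get(acl, []):
            if any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                flows.add((src, dst))
            else:
                flows.update((g, dst) for g in pools.get(nat_id, []))
    return flows


def audit(config):
    """Report flows leaving unencrypted, crypto ACEs that only match pre-NAT
    addresses, and translated sources still overlapping the remote network."""
    acls, nat, pools, crypto_names = parse_pix(config)
    flows = translated_flows(acls, nat, pools)
    crypto = [ace for name in crypto_names for ace in acls.get(name, [])]
    pre_nat = [s for i, a in nat.items() if i != 0 for s, _ in acls.get(a, [])]
    post_nat = [g for gs in pools.values() for g in gs]
    report = {"flows": sorted(flows), "unencrypted": [], "stale_crypto": [], "overlap": []}
    for s, d in report["flows"]:
        if not any(s.subnet_of(cs) and d.subnet_of(cd) for cs, cd in crypto):
            report["unencrypted"].append((s, d))
        if s.overlaps(d):
            report["overlap"].append((s, d))
    for cs, cd in crypto:
        # The PIX translates first and evaluates the crypto map afterwards, so
        # an ACE naming the inside network can only match if nat 0 exempted it.
        if any(cs.overlaps(p) for p in pre_nat) and not any(cs.overlaps(g) for g in post_nat):
            report["stale_crypto"].append((cs, cd))
    return report


if __name__ == "__main__":
    for name, cfg in (("good", PIX_GOOD), ("stale", PIX_STALE)):
        print(name, audit(cfg))
```

Running it on the corrected fragment reports a single tunnel flow 10.3.3.1/32 to 10.2.2.0/24 with nothing flagged; on the stale variant the nat 0 exemption wins over the policy NAT, the untranslated 10.1.1.0/24 network crosses the tunnel, and the crypto ACE is flagged as matching pre-NAT addresses, which is exactly the overlap the question was trying to avoid.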

How is this done between routers? I have to NAT 4 of my inside addresses to global outside addresses and then send out a tunnel to a vendor. This will take place on a router that I currently have a tunnel to another location.