07-28-2003 02:58 AM - edited 02-21-2020 12:41 PM
We have a number of remote PIX sites that we want to connect to a central site VPN concentrator. As the remote sites are not under our control, some of them have overlapping addressing. Is it possible to NAT packets destined for the tunnel prior to entering it? If so, how is this done?
NAT or PAT may be running separately on un-encrypted traffic destined for the internet, so we want to keep our NAT separate from this (possibly supply our own address scheme for them to follow).
Rgds
Paul
07-28-2003 04:24 PM
This will be possible with policy NAT in 6.3(2) code in the PIX, due out in a week or so.
This works similar to a "nat 0 access-list" command, but allows you to actually NAT the traffic based on source and destination, rather than just source.
Let's say your local network is 10.1.1.0/24 and the remote network is 10.2.2.0/24, but you want to change the 10.1.1.0/24 traffic to 10.3.3.1. Something like the following will do the trick:
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 50 access-list 100
global (outside) 50 10.3.3.1
Then encrypt the already-NAT'd traffic with:
access-list crypto permit ip host 10.3.3.1 10.2.2.0 255.255.255.0
nat (inside) 0 access-list crypto
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer ....
crypto map mymap 10 match address crypto
crypto map mymap 10 set transform-set ....
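As an added example that is not part of the reply above, here is the same policy-NAT-before-IPsec idea carried through to a complete PIX 6.3 configuration, including the separate Internet PAT the original question asks to keep apart from the tunnel NAT. The interface names, the peer address 203.0.113.1, the transform set name and the pre-shared key are assumptions for illustration; replace them with your own values.

```cisco
! Assumed interfaces: inside (10.1.1.0/24) and outside (public).
! Local LAN 10.1.1.0/24 overlaps with the remote site, so it is
! presented to the remote 10.2.2.0/24 network as the single address 10.3.3.1.

! Policy NAT: translate only traffic from the local LAN to the remote LAN.
! A nat/global pair with an access-list is evaluated before the plain
! nat 1 rule below, so tunnel traffic wins this translation.
access-list POLICY-NAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 50 access-list POLICY-NAT
global (outside) 50 10.3.3.1

! Ordinary Internet PAT for everything else, kept separate from the tunnel NAT.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Crypto ACL matches the post-NAT source (10.3.3.1), because the PIX
! translates before it encrypts on the outbound path.
access-list CRYPTO-TO-REMOTE permit ip host 10.3.3.1 10.2.2.0 255.255.255.0

! IKE phase 1 (pre-shared key is a placeholder; peer address is assumed).
isakmp enable outside
isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IKE phase 2 and the crypto map bound to the outside interface.
crypto ipsec transform-set REMOTE-SET esp-3des esp-sha-hmac
crypto map REMOTE-MAP 10 ipsec-isakmp
crypto map REMOTE-MAP 10 match address CRYPTO-TO-REMOTE
crypto map REMOTE-MAP 10 set peer 203.0.113.1
crypto map REMOTE-MAP 10 set transform-set REMOTE-SET
crypto map REMOTE-MAP interface outside

! Allow decrypted tunnel traffic in without a separate conduit/ACL entry.
sysopt connection permit-ipsec
```

Two things to check after applying this: `show xlate` should list a 10.1.1.x to 10.3.3.1 translation only for flows toward 10.2.2.0/24 (other flows show the interface address from the nat 1 rule), and `show crypto ipsec sa` should show packets encrypted for the 10.3.3.1 to 10.2.2.0/24 proxy identity. The remote side's crypto ACL must describe the translated address 10.3.3.1, not 10.1.1.0/24, or phase 2 will fail on mismatched proxy identities.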
08-11-2003 08:26 AM
How is this done between routers? I have to NAT 4 of my inside addresses to global outside addresses and then send out a tunnel to a vendor. This will take place on a router that I currently have a tunnel to another location.