We have a PIX 525 FW with IOS Ver. 6.3. We are using a 172.x.x.x network in our LAN. We need to establish a VPN tunnel from our firewall to one of our clients' firewalls. Our client is ready to allow access to his network only if our private IP addresses are NATted to a public IP range. I would like to know how to configure the NAT and IPSec in this kind of scenario. We have done similar configurations using Checkpoint and it works well there. I tried a couple of configurations for NATting as follows over the IPSec tunnel.
access-list acl_outbound permit ip 172.16.1.0 255.255.255.0 10.100.25.0 255.255.255.0
nat (inside) 1 access-list acl_outbound
global (outside) 1 18.104.22.168
In the above configuration 172.16.x.x is my local network and 10.100.x.x is my client's network. When the access-list matches, I am NATting it to the public IP range. I am specifying the public IP range in my VPN interesting traffic. After I issue this command and save the configuration, when I try to open the PDM I get a message saying "Policy Based NAT is not supported" and the PDM doesn't allow me to make any changes through PDM.
Can somebody let me know how to configure a PIX in this kind of scenario?
You're configuring the PIX correctly, assuming your crypto ACL then looks like the following:
access-list crypto permit ip host 22.214.171.124 10.100.25.0 255.255.255.0
Keep in mind that NAT happens BEFORE IPSec, so it is fine to NAT the traffic first, then use IPSec to define the already-NAT'd traffic.
The issue you're having with PDM is simply that PDM does not support any policy-NAT statements, so PDM will go into Monitor mode if you have this config in place. There is no way around it, unfortunately.
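As an added illustration (not part of the thread), the following Python models the order of operations this answer describes: policy NAT is applied first, and the crypto ACL is then matched against the already-translated packet. It uses the addresses quoted in the question and assumes the crypto ACL's host entry is the same address as the global pool.

```python
import ipaddress

# Constructed example (not from the thread): emulates the PIX 6.3 order of operations,
# policy NAT first, then the crypto ACL evaluated against the translated packet.
# Addresses are the ones quoted in the question; the crypto host is assumed to equal the global.

LOCAL_NET = ipaddress.ip_network("172.16.1.0/24")     # acl_outbound source (inside LAN)
CLIENT_NET = ipaddress.ip_network("10.100.25.0/24")   # acl_outbound destination (client LAN)
GLOBAL_ADDR = ipaddress.ip_address("18.104.22.168")   # 'global (outside) 1 <addr>' from the post


def policy_nat(src: str, dst: str):
    """'nat (inside) 1 access-list acl_outbound' + 'global (outside) 1 <addr>':
    only flows that match the ACL get their source rewritten to the global address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in LOCAL_NET and d in CLIENT_NET:
        return str(GLOBAL_ADDR), str(d)
    return str(s), str(d)                     # no policy-NAT match: source left untouched


def crypto_acl_permits(src: str, dst: str, acl_src: str, acl_dst: str) -> bool:
    """'access-list crypto permit ip <acl_src> <acl_dst>'; a 'host x' entry is x/32."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(acl_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(acl_dst))


def will_be_encrypted(src: str, dst: str,
                      acl_src: str = f"{GLOBAL_ADDR}/32",
                      acl_dst: str = str(CLIENT_NET)) -> bool:
    """NAT runs before IPSec on the PIX, so the crypto ACL sees the post-NAT source.
    Returns True when the (translated) packet is interesting traffic for the tunnel."""
    nat_src, nat_dst = policy_nat(src, dst)
    return crypto_acl_permits(nat_src, nat_dst, acl_src, acl_dst)


if __name__ == "__main__":
    # Crypto ACL written against the NAT'd address: traffic is selected for the tunnel.
    print(will_be_encrypted("172.16.1.10", "10.100.25.5"))          # True
    # Crypto ACL written against the private LAN instead: the translated packet
    # never matches, so it would leave the outside interface unencrypted.
    print(will_be_encrypted("172.16.1.10", "10.100.25.5",
                            acl_src="172.16.1.0/24"))               # False
```

The second call shows the misconfiguration to check for: a crypto ACL that still names the private 172.16.1.0/24 source never matches post-NAT traffic, so nothing enters the tunnel.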
As per my understanding, you need to set up the access list for interesting traffic in such a way that it specifies the source as a public IP pool and the destination as 10.100.25.0/24. And also just try with the following command.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: