PIX L2L VPN nat issue

chrismoore63
Level 1

Maybe I'm being thick about this. I need to send traffic through a L2L IPSEC tunnel to a remote office location. My issue is this: I need to send a private subnet (10.5.1.0/24) through my L2L tunnel and then NAT that subnet to a public IP. I'm sure I need to use a static because my traffic is terminating on my outside interface at the remote site. I just can't seem to get my thinking straight on this one. Any ideas?

Thanks,

Chris

5 Replies

Jon Marshall
Hall of Fame

Hi Chris

Just to clarify. Do you want to NAT the traffic to a public IP address before it goes down the tunnel or after it has got to the remote end? If at the remote end, do you want it NATted before it goes through the remote end firewall to the internal LAN?

Jon

I need to NAT the private traffic after it comes out of the IPSEC tunnel at my remote site. I'll then route it to an internal (higher security level) interface. I was thinking I could take that subnet and just NAT it to the address of the interface I'd send it out, but I thought your source IP address had to match for you to do policy NAT static statements. Am I missing something? I have to believe I'm making this more difficult than it has to be...

Chris

nat (outside) 1 10.5.1.0 255.255.255.0 outside

global (inside) 1 interface

Does this sound right? I get the feeling I'm still not fully understanding your situation, but the above would NAT all your 10.5.1.x addresses to the IP address of the inside interface after being decrypted at the remote end.

Jon

Can you reverse the NAT and Global statements like that on the interfaces? I thought you had to use a static statement to go from a lower security level to a higher security level. I haven't seen any examples of that on Cisco or anywhere else. If I'm able to do that, then that's exactly what I'm looking for. I need to PAT that private subnet to a public IP to route it to a partner network as they don't permit private IPs to be routed across their network. Will I still need to have statics involved or will the PIX know it needs to do reverse (outside?) NAT?

Thanks,

Chris

Chris

We are talking PIX/ASA here, aren't we? And we are talking about NATting your source IP addresses, right?

If so, yes, absolutely you can do this, as I have done it many times in production environments.

No, you won't need statics. You do generally need a static to go from lower to higher, but remember that is for the destination IP.

You're not concerned with the destination IP addresses; you are only concerned with NATting the source IP addresses.

Edit - just make sure that your NAT statement ends with "outside", as in the above example. This is how the PIX knows to NAT in that direction, in effect.

Jon
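The following is an added example, not code from the thread or from Cisco: a deliberately simplified Python model of how a PIX with the classic nat/global syntax picks a nat/global pair for a packet's source address, written to show why the trailing "outside" keyword matters in Jon's `nat (outside) 1 10.5.1.0 255.255.255.0 outside` / `global (inside) 1 interface` pair. The interface names, security levels and addresses (203.0.113.1 for outside, 192.168.1.1 for inside) are constructed for the example; the model only covers source translation and ignores statics, ACLs, nat-control and the crypto map itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    security_level: int   # PIX convention: outside 0, inside 100
    address: str          # used when a global says "interface" (PAT to the interface IP)


@dataclass
class NatRule:            # nat (<ifc>) <id> <net> <mask> [outside]
    ifc: str
    nat_id: int
    network: ipaddress.IPv4Network
    outside: bool = False # trailing "outside" keyword = outside NAT allowed


@dataclass
class GlobalRule:         # global (<ifc>) <id> interface | <ip>
    ifc: str
    nat_id: int
    address: str          # literal "interface" or an IP address


def parse_config(lines: List[str]) -> Tuple[List[NatRule], List[GlobalRule]]:
    """Parse nat/global lines in the syntax used in the thread (simplified model)."""
    nats, globals_ = [], []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        kind, ifc, nat_id = parts[0], parts[1].strip("()"), int(parts[2])
        if kind == "nat":
            network = ipaddress.IPv4Network(f"{parts[3]}/{parts[4]}")
            has_outside = len(parts) > 5 and parts[-1] == "outside"
            nats.append(NatRule(ifc, nat_id, network, outside=has_outside))
        elif kind == "global":
            globals_.append(GlobalRule(ifc, nat_id, parts[3]))
    return nats, globals_


class PixNatModel:
    def __init__(self, interfaces: List[Interface], nats: List[NatRule],
                 globals_: List[GlobalRule]):
        self.ifcs = {i.name: i for i in interfaces}
        self.nats = nats
        self.globals = globals_

    def translate_source(self, ingress: str, egress: str, src: str) -> Optional[str]:
        """Return the translated source address, or None if no nat/global pair applies."""
        src_ip = ipaddress.IPv4Address(src)
        # Traffic from a lower to a higher security level is "outside NAT":
        # in this model the nat statement must carry the "outside" keyword.
        lower_to_higher = (self.ifcs[egress].security_level
                           > self.ifcs[ingress].security_level)
        for nat in self.nats:
            if nat.ifc != ingress or src_ip not in nat.network:
                continue
            if lower_to_higher and not nat.outside:
                continue
            for glob in self.globals:
                if glob.ifc == egress and glob.nat_id == nat.nat_id:
                    if glob.address == "interface":
                        return self.ifcs[egress].address
                    return glob.address
        return None


# Constructed interfaces for the example (not from the thread).
INTERFACES = [Interface("outside", 0, "203.0.113.1"),
              Interface("inside", 100, "192.168.1.1")]


def build_model(config_lines: List[str]) -> PixNatModel:
    nats, globals_ = parse_config(config_lines)
    return PixNatModel(INTERFACES, nats, globals_)


if __name__ == "__main__":
    # Jon's pair: decrypted 10.5.1.x traffic entering outside, leaving via inside.
    model = build_model(["nat (outside) 1 10.5.1.0 255.255.255.0 outside",
                         "global (inside) 1 interface"])
    print(model.translate_source("outside", "inside", "10.5.1.20"))  # 192.168.1.1
```

Dropping the trailing "outside" from the nat line makes `translate_source` return None for the same packet, which is the behaviour the last reply warns about: the statement is parsed, but it no longer applies to traffic arriving on the lower-security interface.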
