Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

PIX L2L VPN nat issue

Maybe I'm being thick about this. I need to send traffic through a L2L IPSEC tunnel to a remote office location. My issue is this: I need to send a private subnet (10.5.1.0/24) through my L2L tunnel and then NAT that subnet to a public IP. I'm sure I need to use a static because my traffic is terminating on my outside interface at the remote site. I just can't seem to get my thinking straight on this one. Any ideas?

Thanks,

Chris

5 REPLIES
Hall of Fame Super Blue

Re: PIX L2L VPN nat issue

Hi Chris

Just to clarify. Do you want to NAT the traffic to a public IP address before it goes down the tunnel or after it has got to the remote end. if at the remote end do you want it natted before it goes through the remote end firewall to the internal LAN.

Jon

Community Member

Re: PIX L2L VPN nat issue

I need to NAT the private traffic after it comes out of the IPSEC tunnel at my remote site. I'll then route it to an internal (higher security level) interface. I was thinking I could take that subnet and just NAT it to the address of the interface I'd send it out, but I thought your source IP address had to match for you to do policy NAT static statements. Am I missing something? I have to believe I'm making this more difficult than it has to be...

Hall of Fame Super Blue

Re: PIX L2L VPN nat issue

Chris

nat (outside) 1 10.5.1.0 255.255.255.0 outside

global (inside) 1 interface

Does this sound right. I get the feeling i'm still not fully understanding your situation but the above would NAT all your 10.5.1.x address to the IP address of the inside interface after being decrypted at the remote end.

Jon

Community Member

Re: PIX L2L VPN nat issue

Can you reverse the NAT and Global statements like that on the interfaces? I thought you had to use a static statement to go from a lower security level to a higher security level. I haven't seen any examples of that on Cisco or anywhere else. If I'm able to do that, then that's exactly what I'm looking for. I need to PAT that private subnet to a public IP to route it to a partner network as they don't permit private IPs to be routed across their network. Will I still need to have statics involved or will the PIX know it needs to do reverse (outside?) NAT?

Thanks,

Chris

Hall of Fame Super Blue

Re: PIX L2L VPN nat issue

Chris

We are talking pix/asa here aren't we ? And we are tlakin gbout Natting your source IP addresses right ?

If so, yes absolutely you can do this as i have done it many times in production environments.

No you won't need statics. You do generally need a static to go from lower to higher but remember that is for the destination IP.

Your'e not concerned with the destination IP addresses, you are only concerned with natting the source IP addresses.

Edit - just make sure on your NAT statement that it end with "outside" as in the above example. This is how the pix knows to nat in that direction in effect.

Jon

132
Views
0
Helpful
5
Replies
CreatePlease to create content