Cisco Support Community
New Member

PIX - NAT- 1750? Can it Be Done.

Hello Forum,

Can I place a 1750 behind a PIX 520 and have the PIX NAT a public IP address on the outside interface (Internet) to a private IP address on the pix/inf2 and have an IPSec tunnel come up and pass traffic? My guess is that it won't work.

If Not, what would be the recommended design?

Best Regards,

Jerry Roy

jroy@axcelerant.com

2 REPLIES
New Member

Re: PIX - NAT- 1750? Can it Be Done.

Yes, that should work fine. Not sure what your concerns are with the 1750 in the topology. Is it just routing for your LAN?

New Member

Re: PIX - NAT- 1750? Can it Be Done.

The Answer to your question depends on where the crypto endpoint is.

If the 1750 is an endpoint of the crypto tunnel (and the PIX doing NAT is just firewalling) then IPSec in certain fashions will work.

IKE is UDP 500 and is NAT-friendly - no problem.

AH is IP protocol 51 - and authenticates most of the IP header. This is a problem. Not NAT friendly.

ESP (protocol 50) provides both authentication and encryption functions. In tunnel mode, you'll have no problems either (the IP address fields in the header are considered mutable).

If the PIX is the endpoint, then there is no problem with anything because the PIX order of operations is such that NAT occurs before IPSec on the egress interface.

-Rakesh
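
Added example, not part of the reply above: a small Python model of the integrity check on each protocol, showing that rewriting the outer source address invalidates an AH ICV but leaves an ESP tunnel-mode ICV valid. The key, SPI, addresses and function names are constructed for illustration, and HMAC-SHA1-96 is assumed as the integrity algorithm.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"    # constructed SA key, for the demo only
AH, ESP, ICV_LEN = 51, 50, 12    # IP protocol numbers; 96-bit truncated ICV

def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def ah_input(pkt):
    """Bytes AH authenticates: outer IP header with mutable fields zeroed,
    AH header with its ICV field zeroed, then the payload. Addresses stay in."""
    hdr = bytearray(pkt[:20])
    hdr[1] = 0                   # TOS/DSCP
    hdr[6:9] = bytes(3)          # flags/fragment offset, TTL
    hdr[10:12] = bytes(2)        # header checksum
    return bytes(hdr) + pkt[20:32] + bytes(ICV_LEN) + pkt[44:]

def build(proto, src, dst, payload, ttl=64):
    """Outer IPv4 header (checksum left 0 in this model) + AH or ESP + payload."""
    spi_seq = struct.pack("!II", 0x1001, 1)
    if proto == ESP:
        body = spi_seq + payload
        body += icv(body)        # ESP ICV covers ESP header + payload only
    else:                        # AH: next header 4 (IP-in-IP), length 4 words
        body = struct.pack("!BBH", 4, 4, 0) + spi_seq + bytes(ICV_LEN) + payload
    pkt = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + body
    if proto == AH:
        pkt = pkt[:32] + icv(ah_input(pkt)) + pkt[44:]
    return pkt

def verify(pkt):
    """Receiver side: recompute the ICV from the packet as it arrived."""
    if pkt[9] == AH:
        return hmac.compare_digest(pkt[32:44], icv(ah_input(pkt)))
    return hmac.compare_digest(pkt[-ICV_LEN:], icv(pkt[20:-ICV_LEN]))

def route(pkt):
    """Plain forwarding hop: only the TTL changes."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]

def nat(pkt, new_src):
    """One-to-one NAT on the outer header: rewrite source, decrement TTL."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:12] + socket.inet_aton(new_src) + pkt[16:]

if __name__ == "__main__":
    for name, proto in (("AH", AH), ("ESP", ESP)):
        p = build(proto, "10.1.1.2", "198.51.100.7", b"inner IP packet (constructed)")
        print(name, "routed:", verify(route(p)), "NATed:", verify(nat(p, "203.0.113.10")))
```

The model covers one-to-one address translation as described in the question; port address translation is a separate case, since ESP has no port numbers for the NAT device to rewrite.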
