I have a PIX that has statically translated IPs for servers. For example, say the outside IP of a server is 184.108.40.206 and the inside is 10.1.1.1. I also have an IPSec tunnel with some vendors that can build a tunnel with my PIX for the 10.1.1.0 network.
Is there any way I can build a tunnel with them for 220.127.116.11 IPs? In other words, their requirement is to establish a tunnel for public IPs, which means that they want to have my PIX as a peer, but route anything going to 18.104.22.168 through the tunnel. Sort of like PIX would first strip down the tunnel and then translate the IP addresses.
Would that work? Or do I have to move the VPN functionality to a device in front of PIX?
You can create a tunnel based on the public IP address of your host, so the PIX accepts the IPsec traffic, decrypts it, and then translates it back to the inside IP address of the host. Make sure though that you exclude the PIX outside interface from your crypto ACL if the host on the public side is within the same subnet as the PIX outside interface.
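To make the answer concrete, here is a constructed PIX 6.x-style configuration fragment that is not from the thread or from the answer's author. It keeps the server addresses from the question (public 184.108.40.206 translated to inside 10.1.1.1) and uses placeholders for everything the thread does not give: the PIX outside interface address 203.0.113.2, the vendor peer 198.51.100.1, the vendor network 192.0.2.0/24, the pre-shared key, and the object names VENDOR_VPN, VENDOR_TS and VENDOR_MAP. The crypto ACL matches the server's translated (public) address, because the PIX applies NAT to outbound packets before it evaluates the crypto map, which is the behaviour the answer relies on. The explicit `deny` line shows the caveat about excluding the outside interface address when the ACL is written for a whole subnet rather than a single host.

```cisco
! Constructed example, not part of the original post.
! Assumed values (placeholders): outside interface 203.0.113.2,
! vendor peer 198.51.100.1, vendor network 192.0.2.0/24.
! From the question: server public 184.108.40.206, inside 10.1.1.1.

! Static one-to-one translation for the server.
static (inside,outside) 184.108.40.206 10.1.1.1 netmask 255.255.255.255 0 0

! Crypto ACL written in terms of the PUBLIC (translated) address.
! The deny keeps the PIX's own outside address out of the tunnel when
! the permit covers the shared outside subnet instead of a single host.
access-list VENDOR_VPN deny   ip host 203.0.113.2 192.0.2.0 255.255.255.0
access-list VENDOR_VPN permit ip host 184.108.40.206 192.0.2.0 255.255.255.0

! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! Phase 2 transform set and crypto map bound to the outside interface.
crypto ipsec transform-set VENDOR_TS esp-aes-256 esp-sha-hmac
crypto map VENDOR_MAP 10 ipsec-isakmp
crypto map VENDOR_MAP 10 match address VENDOR_VPN
crypto map VENDOR_MAP 10 set peer 198.51.100.1
crypto map VENDOR_MAP 10 set transform-set VENDOR_TS
crypto map VENDOR_MAP interface outside

! Phase 1 (IKE) with a pre-shared key for the vendor peer.
isakmp enable outside
isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The vendor side mirrors the crypto ACL with the addresses reversed (their 192.0.2.0/24 to your host 184.108.40.206), so from their point of view the tunnel carries only public addresses and never sees 10.1.1.1. On the PIX, `show crypto ipsec sa` should then list 184.108.40.206 as the local identity for the security association, while `show xlate` shows the static translation being hit by the decrypted packets.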