Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Pix NAT before IPSec?

I need to setup a LAN to LAN tunnel between my Pix515e 6.3(4) and an unknown remote Cisco device. The network admin at our parent company in France will be setting up their end, which is the unknown device.

Currently the PIX performs NAT between our private internal addresses to our Public external address.

For this IPSec tunnel, I need our PIX to NAT one private /24 subnet to another private /24 subnet before IPSec.

For example,

If I have an internal subnet 192.168.0.x. When traffic needs to go to France (10.40.1.x) via an IPSec tunnel, I want our Pix to NAT 192.168.0.x to 10.40.2.x prior to sending it through IPSec.

A) Is this possible?

B) What would my IPSEC ACL Look like for interesting traffic? Would it be 10.40.2.x 10.40.1.x?

We are trying to work around an overlapping subnet issue. The France side already has an IPSec tunnel to a location that overlaps with us.

I thought I read somewhere that IPSec happens before NAT which would indicate the ACL would need to be 192.168.0.x to 10.40.1.x. This might be an issue on the France side is they already have an ACL t0 192.168.0.x.

I sure hope this makes sense.

Denny

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Pix NAT before IPSec?

Denny

Policy NAT bit first

access-list PNAT permit ip 192.168.0.0 255.255.255.0 10.40.1.0 255.255.255.0

nat (inside) 3 access-list PNAT

global (outside) 3 10.40.2.1-10.40.2.254 netmask 255.255.255.0

The above will NAT your LAN ip addresses to 10.40.2.x only when the traffic destination is 10.40.1.x. I used 3 as the nat and global id - choose one not in use on your firewall.

Your crypto map access-list for interesting traffic should be

access-list VPNTRAFFIC permit ip 10.40.2.0 255.255.255.0 10.40.1.0 255.255.255.0

HTH

Jon

2 REPLIES
Hall of Fame Super Blue

Re: Pix NAT before IPSec?

Denny

Policy NAT bit first

access-list PNAT permit ip 192.168.0.0 255.255.255.0 10.40.1.0 255.255.255.0

nat (inside) 3 access-list PNAT

global (outside) 3 10.40.2.1-10.40.2.254 netmask 255.255.255.0

The above will NAT your LAN ip addresses to 10.40.2.x only when the traffic destination is 10.40.1.x. I used 3 as the nat and global id - choose one not in use on your firewall.

Your crypto map access-list for interesting traffic should be

access-list VPNTRAFFIC permit ip 10.40.2.0 255.255.255.0 10.40.1.0 255.255.255.0

HTH

Jon

New Member

Re: Pix NAT before IPSec?

That is exactly what I was looking for.

Thank you,

Denny.

561
Views
0
Helpful
2
Replies
CreatePlease to create content