Cisco Support Community
PIX Policy NAT

Is there anyone who has worked with Policy NAT on PIX 6.3(2)?

I have a scenario where a central PIX VPNs to a remote site PIX. I want to translate the remote site's inside private addresses because they conflict with another remote site. So I want the remote PIX to translate to a private pool for establishing the VPN, and to translate to the public outside interface address for internet access.

172.19.0.0 CentralPIX ----- 206.x.x.58 RemotePIX 10.1.1.0

10.2.2.0 xlate 10.1.1.0

Remote PIX config:

access-list nonatvpn permit ip 10.1.1.0 255.255.255.0 172.19.0.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonatvpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.2.2.0 access-list nonatvpn 0 0

Test 1 - ping internet: replies.

PAT Global 206.x.x.58(1) Local 10.1.1.190 ICMP id 512

Test 2 - ping VPN (while the internet ping is still running): replies, but the internet ping stops responding.

Global 10.2.2.190 Local 10.1.1.190

So it works, but not simultaneously. Is this the normal behavior of that functionality, or did I miss something? I would like to have both accesses at the same time.

Thanks

1 REPLY
Re: PIX Policy NAT

The problem of overlapping address space can be solved using enhanced NAT / bi-directional NAT, which allows you to apply the nat and global commands to the outside and inside interfaces respectively. The earlier restrictions regarding placement of these commands are no longer valid. You could also see a related document at http://www.cisco.com/warp/public/707/vpn_pix_private.html.
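As an added example, not from the thread or from Cisco: the poster's split translation on the remote PIX 6.3 written as a policy nat/global pair rather than a policy static, with the nat 0 exemption dropped so the VPN traffic is actually translated. The ACL, pool and crypto map names, the peer and the transform set are assumed; the crypto ACL uses the translated 10.2.2.0/24 because the PIX applies NAT before the crypto map on outbound traffic.

```cisco
! Added example (assumed names), remote PIX 6.3: policy NAT for VPN traffic,
! interface PAT for everything else.

! VPN traffic: real inside network to the central site network
access-list vpn_policy permit ip 10.1.1.0 255.255.255.0 172.19.0.0 255.255.255.0

! Policy NAT: only flows matching vpn_policy draw from the private pool.
! No "nat (inside) 0 access-list" here, or these flows would be exempted
! from translation instead of mapped to 10.2.2.x.
nat (inside) 2 access-list vpn_policy
global (outside) 2 10.2.2.1-10.2.2.254 netmask 255.255.255.0

! All other inside traffic is PATed to the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Crypto ACL matches post-NAT addresses; the central PIX mirrors this as
! 172.19.0.0/24 <-> 10.2.2.0/24 and never sees 10.1.1.0/24 from this site.
access-list vpn_crypto permit ip 10.2.2.0 255.255.255.0 172.19.0.0 255.255.255.0
crypto map remote_map 10 ipsec-isakmp
crypto map remote_map 10 match address vpn_crypto
crypto map remote_map 10 set peer <CENTRAL_PIX_PUBLIC_IP>
crypto map remote_map 10 set transform-set <TRANSFORM_SET>
crypto map remote_map interface outside
```

Verify the split with "show xlate" while both pings run: the same inside host should hold a pool xlate for the VPN flow and a PAT xlate on the interface address for the internet flow.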
