PIX Policy NAT

mcaissie (Level 1)

Has anyone worked with Policy NAT on PIX 6.3(2)?

I have a scenario where a central PIX has a VPN to a remote-site PIX.

I want to translate the remote site's inside private addresses because they conflict with another remote site.

So I want the remote PIX to translate to a private pool for establishing the VPN, and to translate to the public outside interface address for Internet access.

172.19.0.0 CentralPIX ----- 206.x.x.58 RemotePIX 10.1.1.0
10.2.2.0 xlate 10.1.1.0

Remote PIX config:

```
access-list nonatvpn permit ip 10.1.1.0 255.255.255.0 172.19.0.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonatvpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.2.2.0 access-list nonatvpn 0 0
```

Test 1 - ping Internet: replies.

PAT Global 206.x.x.58(1) Local 10.1.1.190 ICMP id 512

Test 2 - ping VPN (while the Internet ping is still running): replies, but the Internet ping stops responding.

Global 10.2.2.190 Local 10.1.1.190

So it works, but not simultaneously. Is this the normal behavior of that functionality, or did I miss something? I would like to have both accesses at the same time.

thanks

1 Reply

jsivulka (Level 5)

The problem of overlapping address space can be solved using enhanced NAT / bi-directional NAT, which allows you to apply the nat and global commands to the outside and inside interfaces respectively. The earlier restrictions regarding the placement of these commands are no longer valid. You could also see a related document at http://www.cisco.com/warp/public/707/vpn_pix_private.html.
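The command placement the reply refers to (nat on the outside interface, global on the inside interface) is shown below as an added illustration; it is not configuration from either poster and has not been tested against the original scenario. It assumes the central PIX from the thread, with 172.19.0.0/24 on its inside, the remote site's overlapping 10.1.1.0/24 arriving over the VPN on its outside, and a hypothetical translated pool 10.2.2.0/24 chosen to match the poster's intended xlate. Pool ID 2 and the sample lines are assumptions for the example.

```cisco
! Central PIX, PIX 6.3 syntax (added example, not from the thread)
! Outside NAT: translate the remote site's overlapping 10.1.1.0/24 as it
! enters from the outside interface (the trailing "outside" keyword marks
! the source as reachable via the outside interface).
nat (outside) 2 10.1.1.0 255.255.255.0 outside

! Matching global pool on the inside interface: hosts on 172.19.0.0/24
! see the remote site as 10.2.2.x instead of the conflicting 10.1.1.x.
global (inside) 2 10.2.2.1-10.2.2.254 netmask 255.255.255.0

! Verify after traffic flows: the xlate should show a 10.1.1.x local
! address mapped to a 10.2.2.x global address.
show xlate
```

With this placement the conflicting subnet is rewritten on the central PIX rather than on the remote PIX, so the remote PIX can keep its plain interface PAT for Internet access; the crypto access lists on both sides must then describe the traffic as each PIX sees it (untranslated 10.1.1.0/24 on the VPN side of the central PIX), which is the detail the linked Cisco document covers.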
