Cisco Support Community
New Member

PIX-to-PIX VPN/NAT nightmare

Here's my problem: I have a remote user that connects to my network with a PIX-to-PIX IPSec VPN (using a simple pre-shared key). This solution works great as long as he only needs to access resources on my network. If he needs to get to the corporate WAN through the router on my network (which I have no control over), the router denies his traffic because it will only route from source addresses on my network. Is there some way in the VPN setup that I can have the remote user's PIX (which also uses NAT to access the internet) NAT traffic to my network? I have looked at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/sit2site.htm#xtocid20 and it doesn't seem to shed much light on exactly my scenario. Perhaps there's a way to bind a Global pool to an IPSec tunnel?

Here's a brief rundown of my network:

Remote user's net 192.168.rrr.0/24

My network: mmm.165.54.0/23

Corp. Lan: mmm.165.0.0

TIA for any help.

5 REPLIES
New Member

Re: PIX-to-PIX VPN/NAT nightmare

Because your remote user has to come through your VPN first, he can't make any NAT changes; it has to be done at your end. You could add another router on your LAN and force his traffic via that (and NAT it), but that's not very efficient. How about allocating him a small portion of your subnet for his private LAN. You can have a specific route for him (although I guess this needs placing on the router you don't control).

Silver

Re: PIX-to-PIX VPN/NAT nightmare

A PIX won't allow traffic out the same interface it came in - a remote user, making a VPN connection to the PIX's outside interface, cannot send data back out the outside interface to an IOS router to the corp. network.

He would either need to make a VPN connection to the corp. network, or use Terminal Services/pcAnywhere to a PC on your network via the VPN, from which he could access the corp. net.

New Member

Re: PIX-to-PIX VPN/NAT nightmare

The corp. network is reachable by the inside network. I just need some way to make traffic coming in from the VPN look like regular LAN traffic to the corporate router so it will pass it properly.

New Member

Re: PIX-to-PIX VPN/NAT nightmare

Is there any way I can create a "static" mapping? I've tried the following:

static (outside,inside) 192.168.rrr.100 mm.165.54.160

static (inside,outside) mm.165.54.160 192.168.rrr.100

global (inside) 1 mm.165.54.160

While the PIX likes all those commands, I still get a (no xlate) error if I try to move traffic from my LAN to the remote LAN by referencing its "seemingly local" address on my net.

I guess what I'm really looking for is a way to masquerade my remote net's traffic to appear as though it came from addresses on my local net, when viewed from other devices on the local net.
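An added example, not the poster's configuration and not taken from any reply in this thread, of how the masquerading asked for in the original question and restated in this post can be expressed on the local PIX with the outside-NAT feature introduced in PIX 6.2. It assumes: the local PIX runs 6.2 or later and terminates the tunnel on its outside interface; the corporate LAN mmm.165.0.0 is a /16 (the thread gives no mask); and mmm.165.54.160 through mmm.165.54.175 are unused addresses in the local /23 that can be reserved as the mapped pool. The access-list name and NAT ids are placeholders. Two points the commands in this post run into: `static` takes the form `static (real_ifc,mapped_ifc) mapped_ip real_ip`, so for a host on the far side of the tunnel the local-looking address is written first; and the crypto access list is written with the untranslated addresses on both sides, because the PIX applies outside NAT to a packet after it has been decrypted.

```text
! Remote site: 192.168.rrr.0/24 behind the remote PIX (real, pre-NAT addresses)
! Local site:  mmm.165.54.0/23; corporate LAN assumed to be mmm.165.0.0/16
! Assumption: mmm.165.54.160-175 are free inside addresses reserved as the mapped pool

! Crypto ACL on the local PIX, in terms of real addresses on both sides.
! It covers the whole corporate range so remote traffic bound for corp. is encrypted
! by the remote PIX and accepted here; the remote PIX mirrors this list.
access-list vpn-to-remote permit ip mmm.165.0.0 255.255.0.0 192.168.rrr.0 255.255.255.0

! Keep the site-to-site traffic out of the ordinary inside->outside PAT.
nat (inside) 0 access-list vpn-to-remote

! Outside NAT: as a decrypted packet from the remote site is forwarded onto the inside,
! its 192.168.rrr.x source is rewritten to an address the corporate router will route.
! One-to-one for a remote host that LAN users need to reach at a fixed local address
! (mapped address first, real address second):
static (outside,inside) mmm.165.54.160 192.168.rrr.100 netmask 255.255.255.255

! Dynamic mapping for the rest of the remote subnet; the trailing "outside" keyword is
! what requests outside NAT, and the matching pool lives on the inside interface.
nat (outside) 2 192.168.rrr.0 255.255.255.0 outside
global (inside) 2 mmm.165.54.161-mmm.165.54.175 netmask 255.255.254.0

! Let traffic that arrived through the IPSec tunnel bypass the outside interface ACL.
sysopt connection permit-ipsec
```

Once a remote host sends traffic through the tunnel, `show xlate` on the local PIX lists the translation, and the corporate router sees only mmm.165.54.x sources. The mapped addresses must not be assigned to real hosts on the inside, since the PIX answers ARP for them there; and the remote user's own outbound PAT toward the Internet is unaffected, because on the remote PIX the tunnel traffic is still matched by its crypto ACL and NAT-exempted before any translation.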

New Member

Re: PIX-to-PIX VPN/NAT nightmare

It sounds like the easy fix is to talk to the person that manages the router on your network and determine if your remote VPN user's network will fit into the bigger IP scheme. If so, maybe he will allow that network to enter the WAN from your location.

105 Views | 0 Helpful | 5 Replies