Public and Private IPs on the Same Interface using NAT Exemption/Policy NAT
I'm looking for some feedback on whether my thoughts on the setup below will work.
Equipment: PIX 515E 6.2(2)
The inside interface of the PIX will host 3 IP address blocks - 2 public /24 blocks and 1 private /16 block. (All IPs have been replaced with dummy blocks.)
Traffic from the 2 public /24 blocks should pass through the firewall without address translation.
The two public blocks will need to be able to receive connections initiated from the Internet.
The public blocks will need to be able to send/receive traffic over a static VPN tunnel to our corporate office without being subject to address translation.
Outbound traffic from the private /16 block should be subject to PAT before passing through the firewall.
The private /16 block will not be receiving inbound traffic from the Internet (aside from responses to outbound connections initiated from within the private block).
However, the private block will also need to be able to send/receive traffic over a static VPN tunnel to our corporate office *without* being subject to address translation (i.e. hosts on our corporate network will need to be able to initiate connections to the private block, and vice versa).
The inside interface of the PIX will be connected to a Catalyst 3xxx series layer 3 switch, which will handle all internal routing (so the PIX will never be routing traffic back out the interface on which it was received).
My ideas on how to set this up are as follows:
* Use NAT exemption to exempt the public blocks from address translation. This will allow inbound and outbound connections through the firewall.
* Use NAT exemption to exempt the private block from address translation when connecting to our corporate office over the VPN tunnel.
* Use policy NAT w/ PAT to translate the private block when connecting to all other hosts.
I've translated these thoughts into the configuration excerpt below.
Because NAT exemption is processed before policy NAT when evaluating NAT rules, my understanding is that this should allow the public IP blocks to handle inbound/outbound traffic without translation, while subjecting the private block to translation (except when handling inbound/outbound connections to/from our corporate office network).
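As an added illustration (not the poster's own excerpt), the three rules above written out in PIX 6.2 syntax; the address blocks, the corporate LAN (10.0.0.0/16), the ACL and crypto map names are all constructed, and the `!` lines are annotations:

```cisco
! Constructed addresses (documentation ranges), not the poster's real blocks:
!   public block A   198.51.100.0/24
!   public block B   203.0.113.0/24
!   private block    172.16.0.0/16
!   corporate LAN    10.0.0.0/16 (assumed, reachable only through the VPN tunnel)
!
! 1. NAT exemption. Anything matched here is never translated, in either
!    direction, so the two public blocks pass untouched to every destination
!    and the private block passes untouched only toward the corporate LAN.
access-list NONAT permit ip 198.51.100.0 255.255.255.0 any
access-list NONAT permit ip 203.0.113.0 255.255.255.0 any
access-list NONAT permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! 2. Policy NAT with PAT for everything else the private block sends.
!    nat 0 (exemption) is evaluated first, so the VPN flows above never reach
!    this rule even though PRIVATE_PAT would also match them.
access-list PRIVATE_PAT permit ip 172.16.0.0 255.255.0.0 any
nat (inside) 1 access-list PRIVATE_PAT
global (outside) 1 interface
!
! 3. The crypto ACL must describe the same untranslated flows as the VPN
!    lines in NONAT; otherwise traffic is exempted from NAT but not encrypted
!    (or encrypted but still PATed). Peer and transform set are placeholders.
access-list VPN_TRAFFIC permit ip 198.51.100.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list VPN_TRAFFIC permit ip 203.0.113.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list VPN_TRAFFIC permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.255.0.0
crypto map CORP 10 ipsec-isakmp
crypto map CORP 10 match address VPN_TRAFFIC
crypto map CORP 10 set peer <CORP_PEER_IP>
crypto map CORP 10 set transform-set <TRANSFORM_SET>
crypto map CORP interface outside
sysopt connection permit-ipsec
!
! 4. NAT exemption only removes translation; inbound Internet connections to
!    the public blocks still need an explicit outside ACL. Example: allow HTTP
!    to one public block only; nothing is opened toward the private block.
access-list OUTSIDE_IN permit tcp any 198.51.100.0 255.255.255.0 eq www
access-group OUTSIDE_IN in interface outside
```

After a test connection from each block, `show xlate` should list PAT entries only for private-block traffic bound somewhere other than 10.0.0.0/16; a translation for a public address or for a VPN flow means the NONAT lines do not match the traffic as intended.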