Q: PIX Outbound NAT on Site-to-Site VPN connection?

jeff_green
Level 1

Hi,

I have a PIX515e running 6.3(1) / PDM 3.0, configured as follows:

- PAT for general Internet connection
- VPN for remote access
- Site-to-Site VPN

I've been asked to add an additional site-to-site VPN link, but with outbound NAT.

Looking through the Cisco docs, the closest example config is a site-to-site VPN with overlapping private IPs, but this seems to require some combination of a global IP and NAT in my ISP's router (!!).

Is this possible using a PIX (I could do it using a "normal" router + IOS)?

Many Thanks,

6 Replies

gfullage
Cisco Employee

Can you provide some more detail on exactly what it is you want to do? Just saying "VPN link but with outbound NAT" is a little confusing.

Thanks.

Hi,

I'm looking to hide the internal IP addresses behind a mutually acceptable IP range. I want to use something from RFC 1918 (private IPs) as a transit for the site-to-site link.

If I were using IOS, I'd use ip pool, access-lists and nat statements to map outbound/inbound connections to the transit IP pool.

Given that I'm already using the outside i/f for PAT (Internet access) and a remote access VPN, is this possible?

Many Thanks,

OK, so you want all your internal hosts to appear as some pre-defined IP address when it goes through the tunnel to the remote network.

Assuming your local network is 10.1.1.0/24, the remote network is 10.2.2.0/24 and the IP address you want the 10.1.1.0/24 network to appear as is 10.5.5.5, you should be able to do the following:

> access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
> nat (inside) 60 access-list 100
> global (outside) 60 10.5.5.5
>
> access-list 160 permit ip host 10.5.5.5 10.2.2.0 255.255.255.0
> nat (inside) 0 access-list 160
>
> crypto map L2L 10 set peer x.x.x.x
> crypto map L2L 10 match address 160
> crypto map L2L ......

Since NAT happens BEFORE encryption, you can NAT the L2L tunnel traffic first, then define your crypto access-list to specify the already-NAT'd traffic pattern.

Also, "nat access-list" will be done before "nat x.x.x.x", so this should take precedence over the standard nat/global pair that you've defined for Internet access.

What I understand from the above is that I should be able to NAT (PAT) a whole internal subnet to a valid IP address and set up a site-to-site VPN using valid IP addresses.

Do I still need to specify the nat (inside) 0 command, since I am already translating a private IP to a public IP?

Thanks

Hi,

Well, I eventually got around to trying this method on my PIX (sorry it's taken so long).

The access-list 100 .... is OK.

The global (outside) 60 a.b.c.d is OK.

The nat (inside) 60 access-list 100 is a big no-no.

6.3(1) does not allow this; the Command Reference manual states you can only do

nat (if_name) 0 access-list acl_id

which exempts traffic that matches acl_id from NAT processing, the opposite of what's required.

Any other suggestions please?

Regards,

Using

nat (if_name) 60 network netmask 0 0

should work.

Example: nat (inside) 60 10.10.0.0 255.255.0.0 0 0

If you need more networks translated to the same global address, just add a similar statement for each network.
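Pulling the thread together, here is a complete PIX 6.3(1) configuration fragment that combines gfullage's idea (NAT first, then a crypto ACL that matches the already-translated address) with the network/netmask form of the nat command from the last reply, since this release has no nat-with-access-list for a non-zero NAT ID. This is an added example, not a configuration posted in the thread. The addresses 10.1.1.0/24 (local), 10.2.2.0/24 (remote), 10.5.5.5 (translated address) and the peer x.x.x.x come from the earlier reply; the Internet PAT pair, the ISAKMP policy, the transform-set name and the pre-shared key placeholder are assumptions.

```cisco
! Added example: full PIX 6.3(1) fragment, not from the original thread.
! Addresses from gfullage's reply; everything marked "assumed" is invented
! here for illustration.

! Existing Internet PAT (assumed already present): inside hosts not matched
! by a more specific nat statement are PATed to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! New translation: the whole 10.1.1.0/24 network appears as 10.5.5.5.
! 6.3(1) rejects "nat (inside) 60 access-list 100", so the network/netmask
! form from the last reply is used; the "0 0" are max_conns and emb_limit.
nat (inside) 60 10.1.1.0 255.255.255.0 0 0
global (outside) 60 10.5.5.5

! Crypto ACL matches the post-NAT traffic, because NAT runs before
! encryption. The remote peer's crypto ACL must mirror this
! (10.2.2.0/24 -> host 10.5.5.5) or Phase 2 will not come up.
access-list 160 permit ip host 10.5.5.5 10.2.2.0 255.255.255.0

! Phase 1 (assumed values: pre-shared key, 3DES/SHA, DH group 2).
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (transform-set name assumed).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map L2L 10 ipsec-isakmp
crypto map L2L 10 match address 160
crypto map L2L 10 set peer x.x.x.x
crypto map L2L 10 set transform-set ESP-3DES-SHA
crypto map L2L interface outside

! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

Two things to check before relying on this. First, the nat (inside) 60 statement carries no destination qualifier, so it is matched on source network alone; on a PIX that prefers the most specific nat statement for a given source, Internet-bound traffic from 10.1.1.0/24 will also be translated to 10.5.5.5 instead of being PATed to the interface. Confirm the behaviour on the box with show xlate after a clear xlate, and test an Internet connection from a 10.1.1.0/24 host as well as the tunnel. Second, the example deliberately leaves out the nat (inside) 0 access-list 160 line from the earlier reply: NAT exemption is matched against untranslated inside source addresses, and 10.5.5.5 is never an inside source, so the crypto ACL is the only place the translated address needs to appear.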
