07-15-2003 01:46 AM - edited 02-21-2020 12:39 PM
Hi,
I have a PIX 515E running 6.3(1) / PDM 3.0, configured as follows:
PAT for general Internet connection
VPN for remote access
Site-to-Site VPN
I've been asked to add an additional Site-to-Site VPN link, but with outbound NAT.
Looking through the Cisco docs, the closest example config is a Site-to-Site VPN with overlapping private IPs, but this seems to require some combination of a global IP and NAT in my ISP's router (!!).
Is this possible using a PIX (I could do it using a "normal" router + IOS)?
Many Thanks,
07-16-2003 03:49 PM
Can you provide some more detail on exactly what it is you want to do? Just saying "VPN link but with outbound NAT" is a little confusing.
Thanks.
07-17-2003 02:16 PM
Hi,
I'm looking to hide the internal IP addresses behind a mutually acceptable IP range. I want to use something from RFC 1918 (private IPs) as a transit for the site-to-site link.
If I were using IOS, I'd use ip pool, access-lists and nat statements to map outbound/inbound connections to the transit IP pool.
Given that I'm already using the outside i/f for PAT (Internet access) and a remote access VPN, is this possible?
Many Thanks,
07-17-2003 03:48 PM
OK, so you want all your internal hosts to appear as some pre-defined IP address when they go through the tunnel to the remote network.
Assuming your local network is 10.1.1.0/24, the remote network is 10.2.2.0/24 and the IP address you want the 10.1.1.0/24 network to appear as is 10.5.5.5, you should be able to do the following:
> access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
> nat (inside) 60 access-list 100
> global (outside) 60 10.5.5.5
> access-list 160 permit ip host 10.5.5.5 10.2.2.0 255.255.255.0
> nat (inside) 0 access-list 160
> crypto map L2L 10 set peer x.x.x.x
> crypto map L2L 10 match address 160
> crypto map L2L ......
Since NAT happens BEFORE encryption, you can NAT the L2L tunnel traffic first, then define your crypto access-list to specify the already-NAT'd traffic pattern.
Also, "nat access-list" will be done before "nat x.x.x.x", so this should take precedence over your standard nat/global pair that you've defined for the Internet access.
07-25-2003 04:14 AM
What I understand from the above is that I should be able to NAT (PAT) a whole internal subnet to a valid IP address and set up a site-to-site VPN using valid IP addresses.
Do I still need to specify the nat (inside) 0 command, since I am already address translating a private IP to a public IP?
Thanks
08-20-2003 09:24 AM
Hi,
Well, I eventually got around to trying this method on my PIX (sorry it's taken so long).
The access-list 100 .... is OK.
The global (outside) 60 a.b.c.d is OK.
The nat (inside) 60 access-list 100 is a big no-no.
6.3(1) does not allow this; the Command Reference manual states you can only do
nat (if_name) 0 access-list acl_id
which exempts traffic that matches acl_id from NAT processing, the opposite of what's required.
Any other suggestions please?
Regards,
09-18-2003 07:16 AM
Using
nat (if_name) 60 network networkmask 0 0
should work.
Example: nat (inside) 60 10.10.0.0 255.255.0.0 0 0
If you need more networks translated to the same global address, just add a similar statement for that network.
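Pulling the thread's pieces together, here is an added example configuration (not posted by anyone in the thread) for the scenario in the 07-17 reply: inside 10.1.1.0/24 reaches remote 10.2.2.0/24 through the L2L tunnel appearing as 10.5.5.5, using the network-based nat (inside) 60 form from the last post instead of the policy-NAT form that 6.3(1) rejects. The peer address, pre-shared key, transform-set name and crypto map sequence number are placeholders; pick a sequence number that is free in your existing map.

```cisco
! Existing Internet PAT (assumed to be already present on the PIX)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Tunnel traffic: translate the whole 10.1.1.0/24 network to the agreed transit address
nat (inside) 60 10.1.1.0 255.255.255.0 0 0
global (outside) 60 10.5.5.5

! Crypto ACL matches the post-NAT source, because NAT runs before encryption
access-list 160 permit ip host 10.5.5.5 10.2.2.0 255.255.255.0

! IKE / IPsec for the new site-to-site peer (PEER_IP and KEY are placeholders)
isakmp enable outside
isakmp key KEY address PEER_IP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set L2LSET esp-3des esp-sha-hmac
crypto map L2L 10 ipsec-isakmp
crypto map L2L 10 match address 160
crypto map L2L 10 set peer PEER_IP
crypto map L2L 10 set transform-set L2LSET
crypto map L2L interface outside
sysopt connection permit-ipsec
```

After the tunnel comes up, check with show xlate that tunnel traffic from 10.1.1.x is translated to 10.5.5.5, and confirm that Internet-bound traffic from 10.1.1.0/24 still uses the nat 1 / global 1 PAT rather than the 10.5.5.5 global, since the network-based nat statement matches on source address alone.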