
New Member

Site to site VPN with PIX 515E and NAT before IPSec with access-lists

Hi,

I want to establish a VPN tunnel from a PIX to another IPSec gateway in the following way:

Local network: 172.16.22.0. This network should be natted to a global IP, say, 202.125.145.31.

Destination host: 10.253.96.1

Remote Peer: 208.207.82.72

Users from 172.16.22.0 should only be able to access the FTP service on the destination host. The local network needs to be natted to a valid IP address because the remote site security policy does not permit any communication with invalid/private IP addresses.

The IKE policy for the tunnel would be: HMAC-MD5, 3DES

IPSEC SA: ESP-3DES ESP-HMAC-MD5

Would the following config work:

NAT 172.16.22.0 to the global IP 202.125.145.31:

nat (inside) 4 172.16.22.0 255.255.255.0

global (outside) 4 202.125.145.31

Define my interesting traffic:

access-list 115 permit ip host 202.125.145.31 host 10.253.96.1

Control access to the remote host:

access-list 116 permit tcp 172.16.22.0 255.255.255.0 host 10.253.96.1 eq ftp
access-list 116 permit tcp 172.16.22.0 255.255.255.0 host 10.253.96.1 eq ftp-data

access-group 116 in interface inside

Define access-list 115 as my interesting traffic:

crypto map map01 2 match address 115

Use ESP-3DES ESP-HMAC-MD5 as my transform-set.

Regards,

Siddhartha

1 REPLY
Cisco Employee

Re: Site to site VPN with PIX 515E and NAT before IPSec with acc

This would work as far as the VPN connectivity is concerned, but it also means that anyone on the 172.16.22.0 network that simply wants to go to the Internet will also be NAT'd to the 202.125.145.31 address. As long as that is a valid address then you should be OK.

You really need/want to NAT this based on both the source and destination of the traffic, but you can't do this with the PIX. If there's a router on the inside of the PIX you could nat this traffic BEFORE it gets to the PIX based on an access-list, then your PIX config would simply say "send anything from 202.125.145.31 going to the FTP server across the tunnel".
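To make the reply's point concrete, here is an added example (not Cisco's code and not part of the thread) that walks a flow through the simplified order of operations the question relies on: the inbound interface ACL first, then the nat/global translation, then the crypto-map ACL matched against the translated source. It parses the poster's own lines (with the access-group in valid PIX syntax, `access-group 116 in interface inside`) and shows that the nat statement is keyed on the source only, so a web flow to an arbitrary Internet host (198.51.100.5 is a constructed address) gets the same 202.125.145.31 as the FTP flow, and that it is ACL 116, not the crypto ACL, that restricts users to FTP. The function names `parse`, `forward`, `translate` and `acl_permits` are hypothetical; real PIX processing has more steps (connection table, nat 0, outbound ACLs) that this model leaves out.

```python
"""Simulate the order a classic PIX applies to an outbound flow: inbound interface
ACL, then nat/global, then crypto-map ACL match on the *translated* source.
Added example for this thread (not Cisco's implementation, not the poster's
exact config); parse(), forward() and the dict layout are hypothetical names."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The poster's lines, with the access-group in valid PIX syntax.
POSTED_CONFIG = """
nat (inside) 4 172.16.22.0 255.255.255.0
global (outside) 4 202.125.145.31
access-list 115 permit ip host 202.125.145.31 host 10.253.96.1
access-list 116 permit tcp 172.16.22.0 255.255.255.0 host 10.253.96.1 eq ftp
access-list 116 permit tcp 172.16.22.0 255.255.255.0 host 10.253.96.1 eq ftp-data
access-group 116 in interface inside
crypto map map01 2 match address 115
"""
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80}

@dataclass
class Ace:
    action: str                  # permit | deny
    proto: str                   # ip | tcp | udp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None = any destination port

def _addr(tokens):
    """Consume 'host X' or 'X MASK'; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse(text):
    """Minimal parser for the PIX commands used in the thread."""
    cfg = {"acls": {}, "nat": {}, "global": {}, "access_group": {}, "crypto": []}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
            cfg["acls"].setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, dport))
        elif t[0] == "nat":      # (iface, nat id) -> inside network
            cfg["nat"][(t[1].strip("()"), t[2])] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "global":   # nat id -> single global address (PAT)
            cfg["global"][t[2]] = ipaddress.ip_address(t[3])
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            cfg["access_group"][t[4]] = t[1]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["crypto"].append(t[6])
    return cfg

def acl_permits(cfg, acl_id, src, dst, proto, dport):
    """First matching entry wins; no match is the implicit deny at the end."""
    for ace in cfg["acls"].get(acl_id, []):
        if (ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst
                and (ace.dport is None or ace.dport == dport)):
            return ace.action == "permit"
    return False

def translate(cfg, iface, src):
    """nat/global is keyed on the source only; the destination never influences it."""
    for (nat_iface, nat_id), net in cfg["nat"].items():
        if nat_iface == iface and src in net and nat_id in cfg["global"]:
            return cfg["global"][nat_id]
    return src

def forward(cfg, src, dst, proto="tcp", dport=None, in_iface="inside"):
    """Return (verdict, source address as the next hop sees it)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl_id = cfg["access_group"].get(in_iface)
    if acl_id and not acl_permits(cfg, acl_id, src, dst, proto, dport):
        return "denied", str(src)
    xlated = translate(cfg, in_iface, src)
    # The crypto ACL is matched against the post-NAT source, hence 202.125.145.31 in ACL 115.
    for acl_id in cfg["crypto"]:
        if acl_permits(cfg, acl_id, xlated, dst, proto, dport):
            return "tunnel", str(xlated)
    return "internet", str(xlated)

if __name__ == "__main__":
    cfg = parse(POSTED_CONFIG)
    no_acl = parse("\n".join(l for l in POSTED_CONFIG.splitlines() if not l.startswith("access-group")))
    # 198.51.100.5 is a constructed Internet destination (documentation range).
    for label, c in (("with ACL 116", cfg), ("without ACL 116", no_acl)):
        for dst, port in (("10.253.96.1", 21), ("10.253.96.1", 22), ("198.51.100.5", 80)):
            print(label, "172.16.22.10 ->", dst, port, forward(c, "172.16.22.10", dst, "tcp", port))
```

Running it shows FTP to 10.253.96.1 leaving as 202.125.145.31 through the tunnel, SSH to the same host denied by ACL 116, and, once ACL 116 is removed, the web flow to 198.51.100.5 leaving natted to the same 202.125.145.31 but outside the tunnel; that last line is the behaviour the reply warns about, since a per-destination translation would need policy NAT on an inside router rather than a plain nat/global pair.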
