I have configured an IPsec tunnel between two sites; as the one IPsec endpoint I have a PIX and at the other an IOS router with VPN and firewall.
The IPsec tunnel is used between each site, but I also need external access to devices behind the respective firewalls FROM the internet.
Devices behind the PIX:
The device has a static NAT address used for internet access. I have a firewall rule that allows certain internet-originated traffic through to my host's NATted address. I can also communicate to and from my device through the IPsec tunnel. This traffic is defined as 'NAT (inside) 0', not NATing the traffic, just passing the traffic through from one private network to the other via the tunnel.
Devices behind the IOS router.
Here I find that if I give my host a static NAT address, I can access the host from the internet and the internet from the host, but I cannot access the other site via the VPN tunnel. It appears that the host address is being NATted before it tries the tunnel and fails because the access-list defining interesting traffic for encryption uses standard private network ranges, i.e.
access-list 102 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
My question is how do I avoid NATting the host's address behind the IOS router when the traffic is destined for the IPsec tunnel?
Or what is the equivalent IOS command of NAT (inside) 0?
The problem lies with the static NAT process occurring no matter what the crypto ACLs define. To get around this you can use policy routing to identify the traffic from the devices with static NATs which need to traverse the VPN and redirect it via a loopback interface that is not participating in the NAT process. This has worked for me in the past. The link below provides good guidelines for implementing this:
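The loopback policy-routing workaround described in this answer, written out as an added IOS configuration example (constructed for illustration, not taken from the original post or from the linked document). It assumes the inside LAN 10.0.0.0/24 on FastEthernet0/0, the remote VPN LAN 10.1.0.0/24, a static-NAT host 10.0.0.5 mapped to the example public address 203.0.113.5, and an outside interface FastEthernet0/1 carrying a crypto map named VPNMAP; all addresses and names are assumptions.

```text
! Added example of the loopback / policy-routing NAT bypass (constructed config).
! Assumed: inside LAN 10.0.0.0/24, remote VPN LAN 10.1.0.0/24,
! static-NAT host 10.0.0.5 -> 203.0.113.5, crypto map VPNMAP on the outside.
!
! Loopback that takes no part in NAT: deliberately no "ip nat inside"/"outside".
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
!
interface FastEthernet0/0
 description inside LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip policy route-map VPN-BYPASS-NAT
!
interface FastEthernet0/1
 description internet
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map VPNMAP
!
! Interesting traffic for the tunnel (same form as access-list 102 in the question).
access-list 102 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! Only traffic from the statically NATted host to the remote VPN LAN is policy routed.
access-list 150 permit ip host 10.0.0.5 10.1.0.0 0.0.0.255
!
! Next hop is an unused address on the loopback subnet. The packet is handed to
! Loopback0 and routed again from there; because Loopback0 is neither a NAT
! inside nor a NAT outside interface, the static translation is skipped and the
! packet still matches the crypto ACL with its private source address.
! Traffic that does not match ACL 150 (e.g. internet-bound) is routed normally
! and is still translated to 203.0.113.5.
route-map VPN-BYPASS-NAT permit 10
 match ip address 150
 set ip next-hop 10.255.255.2
!
ip nat inside source static 10.0.0.5 203.0.113.5
```

To confirm it works, watch the policy-routing counters with `show route-map VPN-BYPASS-NAT` and the encrypt/decrypt counters with `show crypto ipsec sa` while pinging the remote LAN from 10.0.0.5; `show ip nat translations` should show no entry for that flow.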