The Nat sat on the....pix but how do I stop it doing so

pmsbony
Level 1

A bit of a novice at all this. I have spent a few days trying to get a VPN set up to a remote site.

We have PIX 515s at both ends. I need a VPN connection to a server at the remote end.

I set up the config at the remote end, but the VPN connection failed.

I have tracked the issue down to the fact that at this end we are using NAT for connections from the inside network to the outside world.

So I assume I need to add an access-list nonat and a corresponding

nat (inside) 0 access-list nonat command to stop the nat for connections made to the remote site?

My question is: what syntax would the access-list take? My assumption is that it would be

access-list nonat permit ip x.y.z.0 255.255.255.9 a.b.c.1 255.255.255.255

where x.y.z.0 is the IP address range we are using internally and a.b.c.32 is the IP address of the interface on the PIX I want to connect to.

I have configs and debugs if people want to see them, but I am trying to get people to point me in the right direction rather than tell me word for word what I need to do, as I learn more that way.

Thanks in advance

Pete

1 Reply

kagodfrey
Level 3

You are right in saying you need:

nat (inside) 0 access-list nonat

But your access list should take the form:

access-list nonat permit ip LOCALLAN LOCALMASK REMOTELAN REMOTEMASK

rather than the inside address of the remote PIX. This would allow access from one LAN to the other. You could, I believe, use the "host" keyword to limit access to one specific remote server, i.e.

access-list nonat permit ip LOCALLAN LOCALMASK host REMOTESERVERIP

HTH
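A worked configuration for the local PIX, added here as an example and not taken from the thread or from the poster's configs: it shows the nat 0 exemption alongside the crypto map entry that defines the same interesting traffic, which is the part the reply leaves implicit. Every concrete value is an assumption chosen for illustration: inside LAN 10.1.1.0/24, remote LAN 10.2.2.0/24, remote peer 203.0.113.2, the list names nonat and vpn-traffic, the map name vpnmap, and the transform set. Lines beginning with "!" are annotations, not commands to paste. Syntax is PIX 6.x, as on a PIX 515.

```cisco
! Assumed addressing (example only): inside LAN 10.1.1.0/24, remote LAN 10.2.2.0/24,
! remote PIX outside address 203.0.113.2.

! 1. Traffic that must NOT be translated: local LAN to remote LAN.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! 2. Traffic that must be encrypted: the same address pair as the nonat list.
access-list vpn-traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! 3. NAT exemption is evaluated before the PAT rule for everything else.
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! 4. Let decrypted IPsec traffic bypass the outside interface access-list.
sysopt connection permit-ipsec

! 5. Phase 2 (IPsec) settings bound to the outside interface.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-traffic
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! 6. Phase 1 (IKE) settings; the pre-shared key is a placeholder.
isakmp enable outside
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two checks worth making against this layout. First, the nonat list and the crypto map's match address list must describe the same local/remote address pairs: if a packet matches vpn-traffic but not nonat it leaves the inside with a translated source and never matches the remote end's policy, and if it matches nonat but not vpn-traffic it leaves unencrypted with a private source address. If you adopt the "host REMOTESERVERIP" form from the reply, narrow both lists the same way. Second, the mask in a PIX access-list is an ordinary subnet mask, so a /24 inside network is written 255.255.255.0; a value such as 255.255.255.9 is not a contiguous mask and will not match what you intend. The remote PIX needs the mirror image of both lists, with its own LAN as the source and this LAN as the destination.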
