Cisco Support Community

The Nat sat on the....pix but how do I stop it doing so

A bit of a novice at all this. I have spent a few days trying to get a VPN set up to a remote site.

We have a PIX 515 at both ends. I need a VPN connection to a server at the remote end.

I set up the config at the remote end, but the VPN connection failed.

I have tracked the issue down to the fact that at this end we are using NAT for connections from the inside network to the outside world.

So I assume I need to add an access-list nonat and a corresponding

nat (inside) 0 access-list nonat command to stop the NAT for connections made to the remote site?

My question is what syntax the access-list would take. My assumption is that it would be:

access-list nonat permit ip x.y.z.0 255.255.255.0 a.b.c.1 255.255.255.255

where x.y.z.0 is the IP address range we are using internally and a.b.c.32 is the IP address of the interface on the PIX I want to connect to.

I have the configs and debugs if people want to see them, but I am trying to get people to point me in the right direction rather than tell me word for word what I need to do, as I learn more that way.

thanks in advance

Pete

1 REPLY

Re: The Nat sat on the....pix but how do I stop it doing so

You are right in saying you need:

nat (inside) 0 access-list nonat

But your access list should take the form:

access-list nonat permit ip LOCALLAN LOCALMASK REMOTELAN REMOTEMASK

rather than the inside address of the remote PIX. This would allow access from one LAN to the other. You could, I believe, use the "host" keyword to limit access to one specific remote server, i.e.

access-list nonat permit ip LOCALLAN LOCALMASK host REMOTESERVERIP

HTH
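To show how the NAT exemption from the reply fits together with the rest of a site-to-site setup on the local PIX, here is a complete fragment added as a worked example. It is not from either post and is not Cisco's own sample; the addressing (192.168.1.0/24 as the local LAN, 192.168.2.0/24 as the remote LAN, 203.0.113.2 as the remote PIX's outside address), the names nonat, vpn-to-remote and tosite, and the placeholder pre-shared key are all assumptions. PIX 6.x syntax; lines beginning with ":" are comments.

```cisco
: Added example, not from the thread. Assumed addressing:
:   local inside LAN   192.168.1.0/24
:   remote inside LAN  192.168.2.0/24
:   remote PIX outside 203.0.113.2
: Everything else on the box keeps using PAT to the outside interface.

: 1. NAT exemption: LAN-to-LAN traffic bound for the tunnel keeps its real
:    source address. Exempt the remote LAN, not the remote PIX's interface.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

: Ordinary PAT for everything that does not match nonat.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

: 2. Crypto ACL: must describe the same traffic as nonat. Anything that is
:    still translated never matches it and leaves the box in the clear.
access-list vpn-to-remote permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

: 3. IKE phase 1 (pre-shared key; REPLACE-WITH-STRONG-PSK is a placeholder)
isakmp enable outside
isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: 4. IPsec phase 2, bound to the outside interface
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map tosite 10 ipsec-isakmp
crypto map tosite 10 match address vpn-to-remote
crypto map tosite 10 set peer 203.0.113.2
crypto map tosite 10 set transform-set strong
crypto map tosite interface outside

: Let decrypted tunnel traffic bypass the outside interface ACL
sysopt connection permit-ipsec

: Drop existing translations so already-NATed flows pick up the exemption
clear xlate
```

After pasting this in, generate traffic from the local LAN to the remote LAN and check three things: "show access-list" should show the hit count on nonat climbing, "show xlate" should show no translation for the remote-LAN destinations, and "show isakmp sa" then "show crypto ipsec sa" should show the phase 1 SA and rising encaps/decaps counters. If you use the "host REMOTESERVERIP" form from the reply, put the same host in the crypto ACL too; because sysopt connection permit-ipsec bypasses the outside interface ACL for decrypted traffic, the crypto ACL's scope is what bounds what the remote site can reach, not the outside access-list. Use aes instead of 3des where the PIX software supports it.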
