Cisco Support Community
New Member

Using VPN IP for Static NAT?

Hi,

Is it possible to use the VPN IP Address on the PIX (the outside interface IP) for Static NAT purposes also?

Let's say I want to host my server 10.1.1.1/24 from internal to external (not using DMZ for this example).

####################

ip address outside 202.1.1.1 255.255.255.248

ip address inside 10.1.1.0 255.255.255.0

global (outside) 1 202.1.1.2

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 202.1.1.1 www 10.1.1.1 www netmask 255.255.255.255

access-list acl_out permit tcp any host 202.1.1.1 eq www

access-group acl_out in interface outside

###############

I'm doing this for my client. I'm worried that if I do it like this, I might block VPN traffic. Is there any way to do this, as I'm trying to conserve IP?

(Does sysopt connection permit-ipsec take precedence over the access-list? If I define an access-list only to permit HTTP traffic to the IP, will it block IKE establishment altogether?)

2 REPLIES
Cisco Employee

Re: Using VPN IP for Static NAT?

That'll be fine. You can define the outside ACL to only allow port 80; IPsec packets will still come in and be decrypted and sent internally correctly.

Gold

Re: Using VPN IP for Static NAT?

To further conserve public IPs, you may even put 202.1.1.1 as the global PAT address, and it will not affect the VPN and port forwarding.

global (outside) 1 202.1.1.1

Each PAT address will provide 64,000 connections, thus you may conserve another IP if your client has a small number of users.
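
The setup discussed in this thread, consolidated as an added example (not taken from any of the posts above): the outside interface address serves as VPN endpoint, PAT address and HTTP port-forward address at the same time. It assumes PIX 6.x syntax, uses the `interface` keyword in place of the literal 202.1.1.1 for the PAT and static entries, and assumes an existing ISAKMP policy and crypto map that are not shown.

```text
: Added example. Lines beginning with ':' are comments.
: Assumption: PIX 6.x; "interface" stands for the outside address 202.1.1.1.

ip address outside 202.1.1.1 255.255.255.248

: Outbound users share the outside address via PAT.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

: Forward only TCP/80 arriving on the outside address to the internal server.
static (inside,outside) tcp interface www 10.1.1.1 www netmask 255.255.255.255

: The interface ACL filters traffic passing through the PIX.
: Only HTTP to the forwarded address is permitted.
access-list acl_out permit tcp any host 202.1.1.1 eq www
access-group acl_out in interface outside

: IKE terminates on the PIX itself and is enabled per interface,
: so it does not need an entry in acl_out.
isakmp enable outside

: Traffic arriving through an IPsec tunnel bypasses interface ACLs.
sysopt connection permit-ipsec

: Checks once a tunnel is up and a web request has been made:
:   show isakmp sa             (IKE SA present)
:   show crypto ipsec sa       (encaps/decaps counters increasing)
:   show access-list acl_out   (hitcnt increasing on the www entry)
```

Because `sysopt connection permit-ipsec` exempts tunnel traffic from `acl_out`, any restriction on what VPN peers may reach internally has to be enforced by other means; this ACL only governs unencrypted traffic from the outside.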
