VPN with NAT

karangupta
Level 1

We have a VPN setup on PIX 505. Our internal IP address scheme is 10.10.0.0/22. We're connecting over VPN to one of our customers that already has 10.10.0.0 on their network. They asked us to perform NAT over VPN so that our outbound traffic is seen coming from 10.191.0.37 on their end. There will be inbound traffic coming to us which we'll need to statically point to one specific machine internally. The latter is not as much of a concern as getting the VPN set up with NAT. Is it at all possible? Can someone point us in the right direction?

4 Replies

jackko
Level 7

A two-way NAT is required, i.e. both sites need to NAT to another subnet, not only your site.

e.g.

10.10.0.0 (customer site) <--> rt/pix <--> www <--> pix <--> 10.10.0.0 (your site)

Imagine NAT is only performed from your site. The customer will then send traffic destined for 10.191.0.x. Now, how about your side? Without NAT from the customer site, hosts from your site will attempt to send packets back to the customer site using 10.10.0.0 addresses. Because it's the same as your site's net scheme, hosts from your site will try to send the traffic directly rather than send it to the PIX.

Thanks for the feedback Jackko.

Actually, a clarification: the customer side has two internal networks, 192.168.2.0/24 & 10.10.0.0/18.

We only exchange traffic with the customer's 192.168.2.x network, & in normal circumstances setting up a VPN should not have been a problem.

Since the customer has a gateway that routes both the 192.168.2.x and 10.10.x.x networks, he wants us to NAT our 10.10.x.x to 10.191.0.x. Does it need me to set up a secondary IP address on my PIX? I don't think the PIX supports that!

Any input will be appreciated.

Yes, the PIX doesn't support secondary IPs. I guess a router needs to be deployed behind the PIX, which performs another NAT.
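As an added illustration of jackko's point about why one-way NAT is not enough (example code, not from the thread or from Cisco): a longest-prefix-match simulation over two constructed routing tables, one for a host on the 10.10.0.0/22 site and one for the customer's gateway that routes 192.168.2.0/24 and 10.10.0.0/18. The next-hop addresses, the customer-side translated range 10.192.0.0/24 and the sample host addresses are assumptions.

```python
import ipaddress

# Constructed, hypothetical routing tables. Subnets come from the thread;
# the gateway addresses and the translated customer range are assumed.
PIX_INSIDE = "10.10.0.1"          # assumed inside address of the PIX 505 (your site)
CUST_VPN_GW = "192.168.2.254"     # assumed address of the customer's VPN device
YOUR_HOST_ROUTES = [
    ("10.10.0.0/22", None),        # your LAN, directly connected (on-link)
    ("0.0.0.0/0", PIX_INSIDE),     # everything else via the PIX, the VPN endpoint
]
CUSTOMER_GW_ROUTES = [
    ("192.168.2.0/24", None),      # customer LAN we exchange traffic with
    ("10.10.0.0/18", None),        # customer's other internal network, overlaps ours
    ("0.0.0.0/0", CUST_VPN_GW),    # everything else toward their VPN device
]

def next_hop(dst, routes):
    """Longest-prefix match over (prefix, gateway) pairs.
    Returns 'on-link' for a connected route, else the gateway address."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return "on-link" if best[1] is None else best[1]

def reply_reaches_vpn(reply_dst, routes, vpn_gw):
    """True only if a reply to reply_dst is handed to the VPN device,
    rather than delivered on-link or to another internal route."""
    return next_hop(reply_dst, routes) == vpn_gw

if __name__ == "__main__":
    # Your traffic NATed to 10.191.0.37: the customer's reply goes to their VPN device.
    print(reply_reaches_vpn("10.191.0.37", CUSTOMER_GW_ROUTES, CUST_VPN_GW))  # True
    # Untranslated source 10.10.1.5: their gateway keeps the reply inside 10.10.0.0/18.
    print(reply_reaches_vpn("10.10.1.5", CUSTOMER_GW_ROUTES, CUST_VPN_GW))    # False
    # jackko's case: customer host 10.10.1.5 untranslated looks on-link to your host.
    print(reply_reaches_vpn("10.10.1.5", YOUR_HOST_ROUTES, PIX_INSIDE))        # False
    # Customer side also NATed (assumed 10.192.0.0/24): your reply is sent to the PIX.
    print(reply_reaches_vpn("10.192.0.5", YOUR_HOST_ROUTES, PIX_INSIDE))       # True
```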