Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Configuring PIX for multiple Global (outside) NAT pools

Dear all

I'm trying to configure a IPSEC VPN with one of my third party supplier, he does not accept my private IP address to connect to is network so I need to NAT the traffic from my internal network going to his network. How can I configure a nat for ny internal network to use the outside interface ip address when going to the web and use a specific IP address when going to my third party network via the IPSEC VPN.

Regards

Yves

4 REPLIES
Cisco Employee

Re: Configuring PIX for multiple Global (outside) NAT pools

You can do this with policy-NAT'ing in 6.3(3) code, see here for details:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601

Basically what you'd want (assuming 10.1.1.0 is your inside network, and 10.2.2.0 is your suppliers network):

For your Internet connectivity

global (outside) 1 interface

nat (inside) 1 10.1.1.0 255.255.255.0

and for your L2L tunnel traffic PAT'ing it to say, 64.64.1.1:

global (outside) 50 64.64.1.1

nat (inside) 50 access-list l2ltunnel

access-list l2ltunnel permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

Policy NAT takes precedence over normal NAT so if the packet is due to go over the L2L tunnel it will be PAT'd to 64.64.1.1.

Keep in mind that NAT also occurs BEFORE encryption, so now all the packets you want to encrypt will be from 64.64.1.1, so your encryption ACL will have to change to be:

access-list crypto permit ip host 64.64.1.1 10.2.2.0 255.255.255.0

crypto map 10 match address crypto

New Member

Re: Configuring PIX for multiple Global (outside) NAT pools

Thank you for your reply.

This is what I thought we should configure from my research, but I'm using PIX 6.3(3) and try to configure using PDM 3.0(1). I enter similar CLI command and when I try to update the pdm config it comes up with an error and drop me to monitor mode. Any suggestion how I can use the PDM or should I forget about it?

Regards

Cisco Employee

Re: Configuring PIX for multiple Global (outside) NAT pools

PDM doesn't currently support Policy-based NAT, it was a special release in 6.3(2) and PDM hasn't quite caught up as yet. For the moment you'll just have to forget using PDM until the next release which should cover it, sorry about that.

New Member

Re: Configuring PIX for multiple Global (outside) NAT pools

Glenn

Thanks for that.

I thought so. Would I be better to reduce the PDM version so I can still use it for most of the configs but not worry for the VPN and NAT config.

I have another PIX running 6.1 with PDM 1.0. The PDM does not stop working it just let me know which of the cli config it does not understand.

On a different subject.

My 6.1 firewall is using conduits instead of ACL.

Can the conduit to acl conversion tool be 100% trusted.

I will like to upgrade my 6.1 pix to the latest version but I have over 350 conduit rules to convert and I'am worried that the conversion tool will not work 100%

Regards

Yves

319
Views
0
Helpful
4
Replies
CreatePlease login to create content