Configuring PIX for multiple Global (outside) NAT pools

syves (Level 1)

Dear all

I'm trying to configure an IPSEC VPN with one of my third-party suppliers. He does not accept my private IP address to connect to his network, so I need to NAT the traffic from my internal network going to his network. How can I configure a NAT for my internal network to use the outside interface IP address when going to the web and use a specific IP address when going to my third party's network via the IPSEC VPN?

Regards

Yves

4 Replies

gfullage (Cisco Employee)

You can do this with policy-NAT'ing in 6.3(3) code, see here for details:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601

Basically what you'd want (assuming 10.1.1.0 is your inside network, and 10.2.2.0 is your suppliers network):

For your Internet connectivity

global (outside) 1 interface

nat (inside) 1 10.1.1.0 255.255.255.0

and for your L2L tunnel traffic PAT'ing it to say, 64.64.1.1:

global (outside) 50 64.64.1.1

nat (inside) 50 access-list l2ltunnel

access-list l2ltunnel permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

Policy NAT takes precedence over normal NAT so if the packet is due to go over the L2L tunnel it will be PAT'd to 64.64.1.1.

Keep in mind that NAT also occurs BEFORE encryption, so now all the packets you want to encrypt will be from 64.64.1.1, so your encryption ACL will have to change to be:

access-list crypto permit ip host 64.64.1.1 10.2.2.0 255.255.255.0

crypto map <map-name> 10 match address crypto
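As an added illustration (not part of the original thread, and not Cisco code), here is a small Python model of the two ordering rules the reply above depends on: a policy NAT statement (nat ... access-list) is consulted before the regular nat statement, and the crypto ACL is evaluated against the source address after translation. The config text is the reply's own example; the outside interface address 203.0.113.5, the packet addresses, and the deliberately wrong crypto ACL variant are constructed for the demonstration.

```python
"""Toy model of PIX 6.3 NAT ordering (constructed example, not PIX code).

Rule 1: policy NAT (nat <id> access-list <acl>) is checked before regular
        nat statements, so traffic to the supplier gets the 64.64.1.1 pool.
Rule 2: NAT happens before the crypto map lookup, so the crypto ACL must
        match the translated source, not the inside 10.1.1.0/24 network.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Config lines from the reply above (constructed into one block here).
CONFIG = """\
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 50 64.64.1.1
nat (inside) 50 access-list l2ltunnel
access-list l2ltunnel permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list crypto permit ip host 64.64.1.1 10.2.2.0 255.255.255.0
"""

# The mistake the reply warns about: crypto ACL written for the pre-NAT source.
CONFIG_PRE_NAT_CRYPTO = CONFIG.replace(
    "access-list crypto permit ip host 64.64.1.1 10.2.2.0 255.255.255.0",
    "access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0",
)

OUTSIDE_IF_ADDR = "203.0.113.5"  # assumed outside interface address (documentation range)


def _net(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec from a nat/access-list line: 'host A', 'any', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse(config: str) -> Dict[str, object]:
    """Parse the subset of PIX syntax used above into lookup tables."""
    cfg: Dict[str, object] = {"global": {}, "policy_nat": [], "nat": [], "acl": {}}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "global":            # global (outside) <id> <addr|interface>
            cfg["global"][int(t[2])] = t[3]
        elif t[0] == "nat":             # nat (inside) <id> access-list <acl> | <net> <mask>
            if t[3] == "access-list":
                cfg["policy_nat"].append((int(t[2]), t[4]))
            else:
                cfg["nat"].append((int(t[2]), _net(t[3:])))
        elif t[0] == "access-list":     # access-list <name> permit|deny ip <src> <dst>
            rest = t[4:]
            src, dst = _net(rest), _net(rest)
            cfg["acl"].setdefault(t[1], []).append((t[2] == "permit", src, dst))
    return cfg


def acl_permits(cfg, name: str, src, dst) -> bool:
    """First-match ACL evaluation with the implicit deny at the end."""
    for permit, s, d in cfg["acl"].get(name, []):
        if src in s and dst in d:
            return permit
    return False


def _global_addr(cfg, nat_id: int) -> str:
    addr = cfg["global"][nat_id]
    return OUTSIDE_IF_ADDR if addr == "interface" else addr


def translate(cfg, src_ip: str, dst_ip: str) -> Optional[Tuple[str, int]]:
    """Return (translated source, nat id): policy NAT first, then regular nat."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for nat_id, acl in cfg["policy_nat"]:
        if acl_permits(cfg, acl, src, dst):
            return _global_addr(cfg, nat_id), nat_id
    for nat_id, net in cfg["nat"]:
        if src in net:
            return _global_addr(cfg, nat_id), nat_id
    return None  # no translation applies


def will_encrypt(cfg, src_ip: str, dst_ip: str) -> bool:
    """Crypto ACL is matched after NAT, so test it with the translated source."""
    result = translate(cfg, src_ip, dst_ip)
    if result is None:
        return False
    xlated, _ = result
    return acl_permits(cfg, "crypto", ipaddress.ip_address(xlated), ipaddress.ip_address(dst_ip))


if __name__ == "__main__":
    cfg = parse(CONFIG)
    print(translate(cfg, "10.1.1.20", "10.2.2.7"))       # ('64.64.1.1', 50)
    print(translate(cfg, "10.1.1.20", "198.51.100.9"))   # ('203.0.113.5', 1)
    print(will_encrypt(cfg, "10.1.1.20", "10.2.2.7"))    # True
    print(will_encrypt(parse(CONFIG_PRE_NAT_CRYPTO), "10.1.1.20", "10.2.2.7"))  # False
```

Running it shows the supplier-bound packet picking up pool 50 while web-bound traffic from the same host uses the interface address, and that the same packet silently bypasses the tunnel when the crypto ACL still names 10.1.1.0/24, which is the failure the reply tells you to avoid.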

Thank you for your reply.

This is what I thought we should configure from my research, but I'm using PIX 6.3(3) and trying to configure it using PDM 3.0(1). I entered similar CLI commands, and when I try to update the PDM config it comes up with an error and drops me to monitor mode. Any suggestion on how I can use the PDM, or should I forget about it?

Regards

PDM doesn't currently support Policy-based NAT, it was a special release in 6.3(2) and PDM hasn't quite caught up as yet. For the moment you'll just have to forget using PDM until the next release which should cover it, sorry about that.

Glenn

Thanks for that.

I thought so. Would I be better off reducing the PDM version so I can still use it for most of the configs and not worry about the VPN and NAT config?

I have another PIX running 6.1 with PDM 1.0. The PDM does not stop working; it just lets me know which of the CLI config it does not understand.

On a different subject.

My 6.1 firewall is using conduits instead of ACL.

Can the conduit-to-ACL conversion tool be 100% trusted?

I would like to upgrade my 6.1 PIX to the latest version, but I have over 350 conduit rules to convert and I'm worried that the conversion tool will not work 100%.

Regards

Yves