03-08-2004 09:37 PM
Dear all
I'm trying to configure an IPSEC VPN with one of my third party suppliers. He does not accept my private IP address to connect to his network, so I need to NAT the traffic from my internal network going to his network. How can I configure a NAT for my internal network to use the outside interface IP address when going to the web and use a specific IP address when going to my third party network via the IPSEC VPN?
Regards
Yves
03-08-2004 10:09 PM
You can do this with policy NAT in 6.3(3) code, see here for details:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601
Basically what you'd want (assuming 10.1.1.0 is your inside network, and 10.2.2.0 is your supplier's network):
For your Internet connectivity
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
and for your L2L tunnel traffic, PAT'ing it to, say, 64.64.1.1:
global (outside) 50 64.64.1.1
nat (inside) 50 access-list l2ltunnel
access-list l2ltunnel permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
Policy NAT takes precedence over normal NAT so if the packet is due to go over the L2L tunnel it will be PAT'd to 64.64.1.1.
Keep in mind that NAT also occurs BEFORE encryption, so now all the packets you want to encrypt will be from 64.64.1.1, so your encryption ACL will have to change to be:
access-list crypto permit ip host 64.64.1.1 10.2.2.0 255.255.255.0
crypto map
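The two rules in the reply above (policy NAT is consulted before the regular nat/global pair, and the crypto ACL is matched against the already-translated source) are easy to get wrong when writing the crypto ACL. The following is an added example, not code from the original poster or from Cisco: a small Python model that parses PIX-style access-list lines, applies the NAT order, and then checks the crypto ACL on the post-NAT packet. The outside interface address 203.0.113.1 and the second crypto ACL (crypto_prenat, written against the pre-NAT 10.1.1.0/24 source, the mistake the reply warns about) are constructed for illustration and are not in the original post.

```python
from ipaddress import ip_address, ip_network

# Assumed address of the PIX outside interface (not in the original post).
OUTSIDE_IF = "203.0.113.1"

# Constructed PIX 6.3-style ACL lines, following the reply above.
ACL_LINES = [
    "access-list l2ltunnel permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0",
    # Crypto ACL written against the pre-NAT source: the mistake the reply warns about.
    "access-list crypto_prenat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0",
    # Crypto ACL written against the post-NAT source, as the reply recommends.
    "access-list crypto permit ip host 64.64.1.1 10.2.2.0 255.255.255.0",
]

# "global (outside) ID ADDR": ID -> ADDR, where "interface" means the outside address.
GLOBALS = {1: "interface", 50: "64.64.1.1"}
# "nat (inside) ID access-list NAME": policy NAT, consulted first.
POLICY_NAT = [(50, "l2ltunnel")]
# "nat (inside) ID NET MASK": regular NAT, consulted only if no policy NAT matched.
REGULAR_NAT = [(1, "10.1.1.0/255.255.255.0")]


def _operand(tokens, i):
    """Parse one PIX ACL address operand (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(lines):
    """Build {name: [(src_net, dst_net), ...]} from 'access-list NAME permit ip SRC DST' lines."""
    acls = {}
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"] or t[2] != "permit" or t[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, i = _operand(t, 4)
        dst, _ = _operand(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


ACLS = parse_acls(ACL_LINES)


def acl_permits(name, src, dst):
    """True if any entry of ACL `name` matches the src/dst pair."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in sn and d in dn for sn, dn in ACLS[name])


def global_addr(nat_id):
    addr = GLOBALS[nat_id]
    return OUTSIDE_IF if addr == "interface" else addr


def translate(src, dst):
    """Source address the packet leaves the outside interface with.
    Policy NAT (nat ... access-list) wins over regular NAT for the same inside host."""
    for nat_id, acl in POLICY_NAT:
        if acl_permits(acl, src, dst):
            return global_addr(nat_id)
    for nat_id, net in REGULAR_NAT:
        if ip_address(src) in ip_network(net, strict=False):
            return global_addr(nat_id)
    return src  # no nat statement matched: untranslated


def is_encrypted(crypto_acl, src, dst):
    """NAT happens before encryption, so the crypto ACL is matched on the translated source."""
    return acl_permits(crypto_acl, translate(src, dst), dst)


if __name__ == "__main__":
    for dst in ("10.2.2.9", "198.51.100.7"):
        print(dst, translate("10.1.1.5", dst),
              is_encrypted("crypto", "10.1.1.5", dst),
              is_encrypted("crypto_prenat", "10.1.1.5", dst))
```

Running it shows 10.1.1.5 leaving as 64.64.1.1 towards 10.2.2.0/24 and as the interface address towards the Internet; only the crypto ACL written for the host 64.64.1.1 source selects the tunnel traffic, while the crypto_prenat variant never matches, which is exactly why the reply says the encryption ACL has to change.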
03-08-2004 10:31 PM
Thank you for your reply.
This is what I thought we should configure from my research, but I'm using PIX 6.3(3) and trying to configure it using PDM 3.0(1). I entered similar CLI commands and when I try to update the PDM config it comes up with an error and drops me to monitor mode. Any suggestion on how I can use the PDM, or should I forget about it?
Regards
03-09-2004 05:29 PM
PDM doesn't currently support policy NAT; it was a special release in 6.3(2) and PDM hasn't quite caught up as yet. For the moment you'll just have to forget about using PDM until the next release, which should cover it, sorry about that.
03-09-2004 07:23 PM
Glenn
Thanks for that.
I thought so. Would I be better off reducing the PDM version so I can still use it for most of the config but not worry about the VPN and NAT config?
I have another PIX running 6.1 with PDM 1.0. The PDM does not stop working; it just lets me know which of the CLI config it does not understand.
On a different subject.
My 6.1 firewall is using conduits instead of ACLs.
Can the conduit-to-ACL conversion tool be 100% trusted?
I would like to upgrade my 6.1 PIX to the latest version but I have over 350 conduit rules to convert and I'm worried that the conversion tool will not work 100%.
Regards
Yves