Pix 515 6.3(3) has a pix to pix VPN, then, it has some vpn clients, all they are working fine, however, I need an aditional VPN to a VPN concentrator, and I have a problem, for security policies the partner which I need to connect does not permit my internal ip address, then I need to make NAT in order to get access to its network.
my internal is address 10.0.0.0, but need to make NAT to 172.16.1.0, But i do not know how to establish that nat and the access-lists.
I am having a similar issue. I have a Cisco PIX 501 that already has several site-to-site connections established.
I need to establish an additional VPN to a device that already has a connecton that uses the IP addresses on my LAN interface. Is there a way to NAT my LAN so I can establish the VPN without putting another piece of hardware in place?
Let assume the remote partner network is 192.168.5.0 255.255.255.0
Also lets assume you only want to NAT your 10.0.0.0 addresses to 172.16.1.0 when you access your partner network.
access-list pnat permit ip 10.0.0.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 2 access-list pnat
global (outside) 2 172.16.1.0 255.255.255.0
The above makes sure your 10.0.0.0 addresses are only natted to 172.16.1.0 when going to the partner network.
Now you setup your pix to VPN concentrator VPN in the same way as you have setup your pix to pix VPN. The major difference is on the crypto map access-lsit on your pix. You must refer to the Natted addresses ie.
access-list vpntraffic permit ip 172.16.1.0 255.255.255.0 192.168.5.0 255.255.255.0
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...