Outbound PAT over IPSec Tunnel

ArneLovius
Level 1

Hi,

The situation is an office with a private IP range and a tunnel to a 3rd party that already uses the same private range, but not for any of the hosts that we need to connect to. All traffic going from the office to the 3rd party needs to be secured.

We therefore want to set up an IPSec tunnel between the two sites (easy) and use PAT on the office PIX (6.3(5)) to make all traffic from the office appear to come from a different single private address.

We've tried to do this with PDM, but it insists on having either no NAT (with an exclusion rule) or static NAT, and doesn't seem to allow PAT.

I've attached a sanitised copy of the office config. Any standard PIX parts have been deleted for brevity.

I'd appreciate any constructive pointers on where I'm going wrong.

Cheers

Accepted Solution

sathishd-aus
Level 1

Hi,

The PIX/ASA will do the NAT translation in the following steps: first it will check whether any no NAT (no-nat control) is configured, then it will check the static NAT translation, and finally it will check the PAT translation.

In your configuration there is a (NAT 0) command stating not to translate any IP address from the range 192.168.0.0 to the remote IP address, so the PIX won't do the translation and the packet is passed to the destination.

Remove the (NAT 0) command and change the outside_cryptomap_10 access-list with the PATed IP to the remote IP address, because this access-list is responsible for the interesting traffic that needs to be encrypted.

Please check and revert back.
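As an added illustration (not the poster's own config and not from the thread's attachment), here is how the before and after described in this answer look in PIX 6.3 syntax. The addresses are constructed placeholders, and every ACL name other than outside_cryptomap_10 is assumed.

```cisco
! Placeholder addressing, constructed for this example:
!   office LAN        192.168.0.0/24
!   3rd-party hosts   192.168.200.0/24 (same private range, different subnet)
!   PAT address       172.16.99.1 (the single address the office should appear as)

! --- BEFORE: nat 0 exempts office-to-3rd-party traffic from translation, so it
! --- reaches the crypto map with real 192.168.0.x sources and no PAT ever happens.
access-list inside_nat0_outbound permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap_10 permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap_10

! --- AFTER: drop the exemption so the nat/global pair is consulted, PAT only the
! --- traffic bound for the 3rd party (policy NAT, PIX 6.3(2)+), and match the
! --- crypto ACL on the translated source, since NAT runs before crypto matching.
no nat (inside) 0 access-list inside_nat0_outbound
no access-list inside_nat0_outbound permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list to_thirdparty permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 2 access-list to_thirdparty
! a single address in the global pool means PAT
global (outside) 2 172.16.99.1

no access-list outside_cryptomap_10 permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_cryptomap_10 permit ip host 172.16.99.1 192.168.200.0 255.255.255.0

! The 3rd party's crypto ACL must mirror this (192.168.200.0/24 -> host 172.16.99.1),
! otherwise the proxy identities will not agree and phase 2 will fail.

! Verification after a test connection:
!   show xlate            -> PAT entries translating 192.168.0.x to 172.16.99.1
!   show crypto ipsec sa  -> local ident 172.16.99.1/255.255.255.255 with pkts encaps rising
```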

2 Replies

Hi,

Many thanks for your explanation. I manually removed the NAT 0 and modified the outside_cryptomap, and it now works perfectly.

I was a little surprised that PDM can't do this type of configuration, but thanks to you I now have a much better understanding.

Cheers

Arne
