PAT over IPSEC VPN (Pix 501)

Hi,

I am working to connect a PIX 501 VPN to a 3rd party Concentrator 3015. The concentrator requires all traffic to come from a single source IP. This IP address was assigned to me as z.z.z.z. I have successfully built the VPN and tested it by statically mapping an internal IP with the assigned IP, but can't get the commands right for doing it with PAT so that multiple computers on the 10.x.x.0 subnet have . This Pix is also a backup for internet routing and has NAT working for that currently as well.

I can redirect traffic from my subnet to the remote subnet over the VPN but I can't seem to get the PAT stuff right for the VPN using the assigned IP address. If someone can give me some pointers that would be great.

interesting config lines from current config with static mapping:

--------------------------------------------------------------------------

access-list 101 permit ip 10.0.0.0 255.255.255.0 y.y.y.0 255.255.255.0
access-list 102 permit ip host z.z.z.z y.y.y.0 255.255.255.0
access-list 103 permit ip host z.z.z.z y.y.y.0 255.255.255.0
ip address outside w.w.w.1 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) z.z.z.z 10.x.x.50 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 w.w.w.2 1
crypto map mymap 10 match address 103
crypto map mymap interface outside
isakmp enable outside

Thanks!

Dave

Accepted Solution

Re: PAT over IPSEC VPN (Pix 501)

Dave,

1) Get rid of the static. Use Global/NAT instead. The static will create a permanent translation for your inside hosts and they will always be natted this way. Use policy nat instead, as shown here:

no static (inside,outside) z.z.z.z 10.x.x.50 netmask 255.255.255.255 0 0
global (outside) 2 z.z.z.z netmask 255.255.255.255
nat (inside) 2 access-list 101

2) The statement 'nat (inside) 0 access-list 2' will prevent nat of your interesting traffic. Remove this because you need it to nat via the global/nat 2 map. (Typically, you only need this if you are terminating VPN clients on your device and do not want inside traffic that is destined for the vpn clients to be natted out the outside interface.)

3) With the Global/nat 2 statements, all traffic destined for the remote network will first be translated to z.z.z.z. Then your crypto map using ACL 103 will encrypt all traffic that sources from z.z.z.z destined for y.y.y.0 /24. This translation will only occur when traffic is destined for the vpn.

I hope this helps. I have this working on numerous tunnels as you describe.

Jamison

4 REPLIES

Re: PAT over IPSEC VPN (Pix 501)

Dave

Did you turn on NAT traversal? When using PAT with IPSEC, you always need to add the isakmp nat-traversal command. Refer to the URL for the command reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

Hope this helps. Let us know if this resolves the issue. Rate replies if found useful.

Raj


Re: PAT over IPSEC VPN (Pix 501)

Thanks Jamison, you were spot on.

I removed the static mapping line and the nat (inside) 0 line and then added the two lines you recommended and it was perfect.

For anyone else that is curious, I am not using the line recommended by Raj for enabling NAT traversal over the VPN.

Thanks again!

Dave


Re: PAT over IPSEC VPN (Pix 501)

I've exactly the same problem but I can't apply your solution. I don't understand how you can remove the static rule even if you replace it with a nat rule using access-list 101. How do you specify 10.x.x.50? I can't see it in access-list 101.

How does it work? It would be great to know as I'm very close to the solution.

thanks
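Two points in this thread are worth checking rather than taking on faith: the accepted solution's claim that the policy NAT runs before the crypto map ACL is evaluated (so ACL 103 must match the post-NAT source z.z.z.z), and the last question about where 10.x.x.50 went (ACL 101 covers the whole inside subnet, so every inside host is translated for VPN-bound traffic, not just the one that used to have a static). The Python model below walks packets through a simplified PIX NAT order of operations and reports whether each one would match the crypto ACL. It is an added example, not part of the thread and not Cisco code; the addresses 192.0.2.1, 203.0.113.10, 198.51.100.0/24 and 198.18.0.9 are assumed stand-ins for w.w.w.1, z.z.z.z, y.y.y.0/24 and an arbitrary Internet host, and the precedence static > nat 0 access-list > policy nat > regular nat is a simplification of PIX 6.x behaviour, not a full implementation.

```python
"""Simplified model of PIX 6.x NAT order of operations, used to check which
inside flows leave with the source address the crypto map ACL expects.
Added example (not from the thread); addresses are documentation-range
stand-ins for the placeholders used in the post."""
from ipaddress import ip_address, ip_network

# Assumed stand-ins for the thread's placeholders
OUTSIDE_IF = "192.0.2.1"        # w.w.w.1: PIX outside interface
VPN_PAT_IP = "203.0.113.10"     # z.z.z.z: the one source the concentrator accepts
INSIDE_NET = "10.0.0.0/24"      # the 10.x.x.0 inside subnet
REMOTE_NET = "198.51.100.0/24"  # y.y.y.0/24 behind the Concentrator 3015
INTERNET_HOST = "198.18.0.9"    # constructed non-VPN destination
REMOTE_HOST = "198.51.100.5"    # constructed host on y.y.y.0/24

ACL_101 = [(INSIDE_NET, REMOTE_NET)]           # policy NAT: inside -> remote
ACL_102 = [(VPN_PAT_IP + "/32", REMOTE_NET)]   # nat 0 ACL from the original config
ACL_103 = [(VPN_PAT_IP + "/32", REMOTE_NET)]   # crypto map "match address"


def acl_match(acl, src, dst):
    """Permit-only ACL: list of (src_net, dst_net) CIDR pairs."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in ip_network(s) and dst in ip_network(d) for s, d in acl)


def translate(cfg, src, dst):
    """Return (source address on the outside, rule that produced it).
    Model assumption: static > nat 0 access-list (exempt) >
    policy nat (nat N access-list) > regular nat/global."""
    for local, mapped in cfg.get("static", []):
        if src == local:
            return mapped, "static"
    if acl_match(cfg.get("nat0_acl", []), src, dst):
        return src, "nat 0 access-list (exempt, untranslated)"
    for nat_id, acl, global_ip in cfg.get("policy_nat", []):
        if acl_match(acl, src, dst):
            return global_ip, f"nat {nat_id} access-list -> global {global_ip}"
    return cfg["interface_pat"], "nat 1 -> global interface PAT"


def disposition(cfg, src, dst):
    """Translate first, then test the post-NAT packet against the crypto ACL,
    the order the PIX applies them.  Returns (new_src, rule, encrypted)."""
    new_src, rule = translate(cfg, src, dst)
    return new_src, rule, acl_match(cfg["crypto_acl"], new_src, dst)


# Dave's original config: static for one host, nat 0 on ACL 102, nat 1 for the rest
BEFORE = {
    "static": [("10.0.0.50", VPN_PAT_IP)],
    "nat0_acl": ACL_102,
    "policy_nat": [],
    "interface_pat": OUTSIDE_IF,
    "crypto_acl": ACL_103,
}
# Jamison's fix: no static, no nat 0, policy NAT 2 on ACL 101 to z.z.z.z
AFTER = {
    "static": [],
    "nat0_acl": [],
    "policy_nat": [(2, ACL_101, VPN_PAT_IP)],
    "interface_pat": OUTSIDE_IF,
    "crypto_acl": ACL_103,
}
# Point 2 of the answer: a nat 0 that matches the interesting traffic exempts it
# from the policy NAT, so it never gains the z.z.z.z source the crypto ACL wants
WRONG_NAT0 = dict(AFTER, nat0_acl=ACL_101)


def summary():
    """One row per case; returned rather than only printed so it can be checked."""
    cases = [
        ("before", BEFORE, "10.0.0.50", REMOTE_HOST),
        ("before", BEFORE, "10.0.0.77", REMOTE_HOST),
        ("after", AFTER, "10.0.0.50", REMOTE_HOST),
        ("after", AFTER, "10.0.0.77", REMOTE_HOST),
        ("after", AFTER, "10.0.0.77", INTERNET_HOST),
        ("wrong nat 0", WRONG_NAT0, "10.0.0.77", REMOTE_HOST),
    ]
    return [(name, src, dst) + disposition(cfg, src, dst)
            for name, cfg, src, dst in cases]


if __name__ == "__main__":
    for name, src, dst, new_src, rule, enc in summary():
        print(f"{name:12} {src:>10} -> {dst:<14} leaves as {new_src:<14} "
              f"[{rule}] {'ENCRYPTED' if enc else 'NO TUNNEL MATCH'}")
```

Running it shows the failure mode the thread is about: with the original config only 10.0.0.50 (the static) reaches the tunnel, while any other inside host heading for the remote subnet is PATed to the interface address, never matches ACL 103 and is sent out the default route unencrypted. With the policy NAT in place every inside host bound for y.y.y.0/24 leaves as z.z.z.z and is encrypted, Internet-bound traffic still uses the interface PAT, and the "wrong nat 0" case shows why the exemption has to go.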
