PIX and VPN + NAT

damianggg
Level 1

Hello, I'm having this issue for quite a few days now.

I have a Cisco PIX 6.3.3, which currently has a VPN tunnel to another PIX. I have quite a few local networks behind my PIX, let's say for example 10.76.1.0/24.

The people from the other side of the tunnel only want to see the network 10.54.1.0/24, so I have NAT configured to translate the traffic that goes to the tunnel. I've used policy NAT (nat with an ACL).

The thing is that when a server from the local network accesses the VPN first, it never gets translated again. I mean, it keeps the translated IP, 10.54.1.1 for example, and is not translated to the outside interface address to access the Internet.

Here's a glimpse of the configuration:

global (outside) 14 10.54.1.0 netmask 255.255.255.0
global (outside) 1 interface

nat (inside) 14 access-list VPN
nat (inside) 1 10.76.1.53 255.255.255.255

access-list VPN permit ip 10.0.0.0 255.0.0.0 VPN-Network 255.255.0.0

I have read about the NAT priorities, and in theory they are OK, but it still doesn't work.

Any ideas?


yamramos.tueme
Level 1

Instead of using nat/global (unless you want to PAT your traffic) for both translations, you should use static for the VPN translation. As you only have a /24 network on your inside, you should restrict your VPN ACL to match specific traffic.

Try changing your configuration so it looks like this:

access-list VPN permit ip 10.76.1.0 255.255.255.0 VPN-Network 255.255.0.0
static (inside,outside) 10.54.1.0 access-list VPN
nat (inside) 1 10.76.1.53 255.255.255.255
global (outside) 1 interface

You can try that.

- Yamil
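The two configurations in this thread, walked through a small model of the pre-8.3 PIX/ASA NAT evaluation order. This is an added example, not code from either poster or from Cisco. It assumes the documented order (NAT exemption, then static policy and regular static, then policy dynamic NAT, then regular dynamic NAT), uses 10.54.0.0/16 as the value of the VPN-Network name object, and, to reproduce the symptom described in the question, assumes that a dynamic xlate is keyed on the local address only and is reused for any later destination. The flows (server 10.76.1.53 talking first to a VPN-side host, then to an Internet host in TEST-NET-2) are constructed.

```python
"""Model of PIX 6.3 / pre-8.3 ASA NAT rule precedence (added example, assumptions in lead-in)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Assumed value of the VPN-Network name object used in the thread's ACL.
VPN_NETWORK = Net("10.54.0.0/16")


@dataclass
class Ace:
    """One 'permit ip <src> <mask> <dst> <mask>' entry of a PIX access-list."""
    src: Net
    dst: Net

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.src and dst in self.dst


@dataclass
class Rule:
    """One translation rule; kind is one of the ORDER values below.
    mapped is a network (static mapped side or global pool) or 'interface' (PAT)."""
    kind: str
    mapped: Net | str
    real: Net | None = None        # 'nat <id> <net> <mask>' or static real side
    acl: list[Ace] | None = None   # policy rules also match on (src, dst)

    def applies(self, src: IPv4, dst: IPv4) -> bool:
        if self.real is not None and src not in self.real:
            return False
        if self.acl is not None and not any(a.matches(src, dst) for a in self.acl):
            return False
        return True


# Evaluation order for PIX 6.3 / ASA before 8.3 (assumption, see lead-in).
STATIC_KINDS = ("exempt", "static_policy", "static")
DYNAMIC_KINDS = ("nat_policy", "nat")


@dataclass
class Pix:
    rules: list[Rule]
    # Dynamic xlate table keyed on the local address only (assumption).
    xlates: dict[IPv4, str] = field(default_factory=dict)
    pool_next: dict[str, int] = field(default_factory=dict)

    def _first(self, kind: str, src: IPv4, dst: IPv4) -> Rule | None:
        # First matching rule of this kind, in configuration order.
        return next((r for r in self.rules if r.kind == kind and r.applies(src, dst)), None)

    def _mapped(self, rule: Rule, src: IPv4) -> str:
        if rule.mapped == "interface":
            return "PAT:outside-interface"
        if rule.kind in STATIC_KINDS:
            # static net-to-net keeps the host part of the address
            offset = int(src) - int(rule.real.network_address)
            return str(IPv4(int(rule.mapped.network_address) + offset))
        # dynamic pool: hand out the next unused address (.1, .2, ...)
        key = str(rule.mapped)
        n = self.pool_next.get(key, 1)
        self.pool_next[key] = n + 1
        return str(IPv4(int(rule.mapped.network_address) + n))

    def translate(self, src: str, dst: str) -> str:
        s, d = IPv4(src), IPv4(dst)
        for kind in STATIC_KINDS:          # statics are permanent and checked first
            r = self._first(kind, s, d)
            if r is not None:
                return src if kind == "exempt" else self._mapped(r, s)
        if s in self.xlates:               # assumption: existing dynamic xlate is reused
            return self.xlates[s]
        for kind in DYNAMIC_KINDS:
            r = self._first(kind, s, d)
            if r is not None:
                self.xlates[s] = self._mapped(r, s)
                return self.xlates[s]
        # PIX 6.x drops inside-to-outside traffic that has no translation
        return "DROP:no-translation"


def original_config() -> Pix:
    """nat (inside) 14 access-list VPN + global 14 pool, nat (inside) 1 host + global 1 interface."""
    return Pix([
        Rule("nat_policy", Net("10.54.1.0/24"), acl=[Ace(Net("10.0.0.0/8"), VPN_NETWORK)]),
        Rule("nat", "interface", real=Net("10.76.1.53/32")),
    ])


def proposed_config() -> Pix:
    """static (inside,outside) 10.54.1.0 access-list VPN with the ACL narrowed to 10.76.1.0/24."""
    return Pix([
        Rule("static_policy", Net("10.54.1.0/24"), real=Net("10.76.1.0/24"),
             acl=[Ace(Net("10.76.1.0/24"), VPN_NETWORK)]),
        Rule("nat", "interface", real=Net("10.76.1.53/32")),
    ])


def walk(pix: Pix) -> dict[str, str]:
    """Constructed flows: the server reaches the VPN side first, then the Internet."""
    return {
        "vpn": pix.translate("10.76.1.53", "10.54.7.20"),
        "internet": pix.translate("10.76.1.53", "198.51.100.10"),
    }


if __name__ == "__main__":
    print("original:", walk(original_config()))
    print("proposed:", walk(proposed_config()))
```

Under these assumptions the original configuration hands the server 10.54.1.1 for the VPN flow and then reuses that xlate for the Internet flow, which is the symptom in the question. With the static policy translation the VPN flow maps to 10.54.1.53 without creating a dynamic xlate, so the later Internet flow falls through to nat 1 and is PATed to the outside interface. Narrowing the ACL source to 10.76.1.0/24 also keeps every other 10.0.0.0/8 host out of the VPN translation.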
