PIX and VPN + NAT

Hello, I've been having this issue for quite a few days now.

I have a Cisco PIX 6.3.3, which currently has a VPN tunnel to another PIX. I have quite a few local networks behind my PIX, let's say for example 10.76.1.0/24.

The people from the other side of the tunnel only want to see the network 10.54.1.0 /24, so I have NAT configured to translate the traffic that goes to the tunnel. I've used policy NAT (nat with an ACL).

The thing is that when a server from the local network accesses the VPN first, it does not NAT ever again. I mean, it remains with the translated IP 10.54.1.1, for example, but does not NAT with the outside interface to access the Internet.

Here's a glimpse of the configuration:

global (outside) 14 10.54.1.0 netmask 255.255.255.0
global (outside) 1 interface

nat (inside) 14 access-list VPN
nat (inside) 1 10.76.1.53 255.255.255.255

access-list VPN permit ip 10.0.0.0 255.0.0.0 VPN-Network 255.255.0.0

I have read about the NAT priorities and in theory they are OK, but still don't work.

Any ideas?

Re: PIX and VPN + NAT

Instead of using nat-global (unless you want to PAT your traffic) for both translations, you should use static for the VPN translation. As you only have a /24 network in your inside network, you should restrict your VPN ACL to match specific traffic.

Try changing your configuration so it looks like this:

access-list VPN permit ip 10.76.1.0 255.255.255.0 VPN-Network 255.255.0.0
static (inside,outside) 10.54.1.0 access-list VPN
nat (inside) 1 10.76.1.53 255.255.255.255
global (outside) 1 interface

You can try that.

- Yamil
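The following is an added example, not code from the thread or from Cisco. It is a small Python model of why the two configurations behave differently: with the original nat/global pair, the PIX allocates a dynamic xlate for the inside host (keyed on the inside address only) the first time the host matches policy NAT 14, and that xlate is then reused for every later destination, including the Internet; with a policy static, the static is evaluated first and per destination, so VPN-bound traffic is mapped 1:1 into 10.54.1.0/24 while everything else falls through to the interface PAT. The VPN remote network (10.54.100.0/24, standing in for the thread's VPN-Network), the outside interface address (203.0.113.2) and the Internet host (198.51.100.7) are constructed values; the lookup order and xlate reuse are modelled assumptions that match the symptom described in the question.

```python
"""Simplified model of PIX 6.3 NAT lookup for the two configurations in the thread.

Constructed example: the VPN network, outside address and Internet host are
placeholders, and the xlate behaviour is a model of the symptom in the question,
not a reimplementation of the PIX code.
"""
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.76.1.0/24")        # local network from the question
VPN_NET = ip_network("10.54.100.0/24")         # constructed stand-in for VPN-Network
MAPPED_VPN = ip_network("10.54.1.0/24")        # what the remote side wants to see
OUTSIDE_IF = ip_address("203.0.113.2")         # constructed outside interface address


def map_one_to_one(src, inside_net, mapped_net):
    """Network static: keep the host offset, swap the network part."""
    offset = int(src) - int(inside_net.network_address)
    return mapped_net.network_address + offset


class DynamicPolicyNatPix:
    """Original config: nat 14 access-list VPN + global 14 pool, nat 1 + global 1 interface.

    Dynamic xlates are created per inside host and reused for any destination
    until they time out (modelled assumption matching the question).
    """

    def __init__(self):
        self.xlates = {}                         # inside host -> mapped address
        self.pool = iter(MAPPED_VPN.hosts())     # global 14 hands out 10.54.1.1, .2, ...

    def translate(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        if src in self.xlates:                   # existing xlate wins, destination ignored
            return self.xlates[src]
        if src in INSIDE_NET and dst in VPN_NET: # policy nat 14 matches first time
            mapped = next(self.pool)
        else:                                    # nat 1 -> PAT on the outside interface
            mapped = OUTSIDE_IF
        self.xlates[src] = mapped
        return mapped


class PolicyStaticPix:
    """Suggested config: static (inside,outside) 10.54.1.0 access-list VPN, nat 1 + global 1.

    Statics are checked before dynamic NAT and matched per destination, so only
    the PAT translation is cached as a host xlate.
    """

    def __init__(self):
        self.xlates = {}

    def translate(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        if src in INSIDE_NET and dst in VPN_NET: # policy static, evaluated every time
            return map_one_to_one(src, INSIDE_NET, MAPPED_VPN)
        return self.xlates.setdefault(src, OUTSIDE_IF)   # nat 1 / global 1 interface


def run_scenario(pix, host="10.76.1.53"):
    """Host talks to the VPN first, then to the Internet; return both mapped addresses."""
    vpn_first = pix.translate(host, "10.54.100.10")     # constructed VPN peer host
    internet_after = pix.translate(host, "198.51.100.7")  # constructed Internet host
    return str(vpn_first), str(internet_after)


if __name__ == "__main__":
    print("dynamic policy NAT:", run_scenario(DynamicPolicyNatPix()))
    print("policy static     :", run_scenario(PolicyStaticPix()))
```

Running it shows the stuck translation from the question (the host keeps 10.54.1.1 for Internet traffic once the dynamic xlate exists) and, with the policy static, 10.54.1.53 toward the VPN and the interface address toward the Internet.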
