Cisco Support Community

New Member

PIX - VPN NAT

We have a PIX firewall running 6.3(3). Currently it is configured so that inside desktops NAT as the PIX outside interface IP and hit the internet. We are planning to establish a site-to-site VPN between us and another company. The other company is insisting that we NAT the desktops to an internet IP before entering the IPsec tunnel; however, desktops should continue to hit the internet as the PIX outside interface IP. Can you please point me to a configuration example or commands that can make this happen? Thanks in advance.

Regards ,

Som

3 REPLIES
Hall of Fame Super Blue

Re: PIX - VPN NAT

Hi Som

You can use the same IP address attached to the PIX outside interface for both internet traffic and VPN traffic.

NAT happens before the traffic is encrypted and sent down the tunnel, so the key thing is to make sure that your crypto access-list uses the public IP address rather than the private IPs. So let's say

local network = 192.168.5.0/24

remote network = 172.16.5.0/24

Public IP on outside of your PIX = 195.177.10.12

So when your clients go to the internet they get NATed to 195.177.10.12.

You can use this same address in your crypto access-list, i.e.

access-list vpn_traffic permit ip host 195.177.10.12 172.16.5.0 255.255.255.0

HTH

Jon

New Member

Re: PIX - VPN NAT

Jon,

Thanks for replying to me. I think I did not explain it right. The requirement of the other company is this: let's say the inside IP of the desktop is 192.168.5.8. If it needs to hit the internet, the desktop NATs as 195.177.10.2 (PIX outside interface); however, if it needs to go into the IPsec tunnel, it needs to NAT as 195.177.10.15 (for example). Is this doable?

Regards

Som

Hall of Fame Super Blue

Re: PIX - VPN NAT

Som

Okay, I understand.

Yes, this is possible. You need to use policy NAT. So

internal net = 192.168.5.0/24

remote net = 172.16.5.0/24

Public IP on pix = 195.177.10.15

access-list vpnnat permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0

nat (inside) 2 access-list vpnnat

global (outside) 2 195.177.10.15

and then your crypto map access-list looks like

access-list vpntraffic permit ip host 195.177.10.15 172.16.5.0 255.255.255.0

Note that I have used nat (inside) 2 and global (outside) 2, i.e. I have used the ID of 2. You need to choose an ID that is not currently in use.

HTH, let me know how you get on

Jon
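The following is an added, complete PIX 6.3 configuration fragment assembled from Jon's second answer above, not code posted in the thread. It puts the policy NAT (ID 2) for tunnel-bound traffic next to the ordinary internet PAT (ID 1) that Som already has, and adds the crypto map and ISAKMP lines needed to make the crypto access-list actually take effect. The peer address 203.0.113.1, the pre-shared key placeholder, the names outside_map, ESP-AES-SHA and the ISAKMP policy values are assumptions for illustration; the addresses 192.168.5.0/24, 172.16.5.0/24 and 195.177.10.15 are the ones used in the thread.

```cisco
: Added example based on the thread, not Cisco's or the poster's own config.
: Assumed: remote IPsec peer 203.0.113.1, pre-shared key, AES-256/SHA-1 (PIX 6.3 supports AES).

: 1) What gets NATed to the dedicated VPN address: inside net -> remote net only.
access-list vpnnat permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0

: 2) Crypto ACL is written in post-NAT terms: the remote side sees only 195.177.10.15.
:    The other company's mirror ACL must be 172.16.5.0/24 -> host 195.177.10.15.
access-list vpntraffic permit ip host 195.177.10.15 172.16.5.0 255.255.255.0

: 3) Policy NAT (ID 2). On PIX 6.3 an access-list-based nat statement is evaluated
:    before the general nat statements, so tunnel traffic is matched here first.
nat (inside) 2 access-list vpnnat
global (outside) 2 195.177.10.15

: 4) Everything else from the inside still PATs to the outside interface address.
nat (inside) 1 192.168.5.0 255.255.255.0
global (outside) 1 interface

: 5) Let decrypted tunnel traffic bypass the interface ACL check.
sysopt connection permit-ipsec

: 6) IPsec phase 2 and the crypto map that references the post-NAT ACL.
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpntraffic
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

: 7) IKE phase 1 with a pre-shared key for the assumed peer.
isakmp enable outside
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two things to check before calling this done. First, 195.177.10.15 must belong to the outside interface's subnet (the PIX will answer ARP for a global address, but the upstream router still has to deliver packets for it to the PIX), and it must not also appear in any other global or static statement. Second, because ID 2 is a single address it is PAT, so only connections initiated from the 192.168.5.0/24 side can cross the tunnel; if the other company needs to initiate sessions to specific desktops, those hosts need a static policy NAT (static (inside,outside) ... access-list ...) to individual public addresses instead. Verify with show xlate (you should see 192.168.5.x mapped to 195.177.10.15 only for 172.16.5.0/24 destinations) and show crypto ipsec sa (the local identity should be 195.177.10.15/32, not the private range).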
