03-06-2012 06:19 AM
In reading Cisco document 99122 (link below) regarding Site to Site (L2L) IPsec VPN with Policy NAT Configuration Example, I'm confused with the access list on PIX A "access-list new extended permit ip 172.18.1.0 255.255.255.0 10.1.0.0 255.255.255.0". Would appreciate clarification of this access list, as I see it translating traffic destined to 10.1.0.0 as coming from IP address (or network) 172.18.1.0. Just having a tough time grasping all the NAT types in conjunction with VPN.
Thanks for any help.
Jeff
03-07-2012 04:46 AM
For the PIX-B firewall it appears as if the remote VPN tunnel peer's (i.e. PIX-A's) LAN segment is "172.18.1.0 255.255.255.0", but in reality that is not the case; as you can see, the actual LAN segment for PIX-A is "192.168.1.0/24". Basically you fool PIX-B into thinking that the remote LAN segment is "172.18.1.0 255.255.255.0". That happens due to policy NAT, as shown below.
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
static (inside,outside) 172.18.1.0 access-list policy-nat
This policy NAT says: if users from "192.168.1.0 255.255.255.0" need to access "10.1.0.0 255.255.255.0", which is located behind PIX-B, make the users appear as if they are from "172.18.1.0 255.255.255.0". Policy NAT does that.
This may be a case where a duplicate LAN segment already exists on the PIX-B side as "192.168.1.0 255.255.255.0".
Hope that answers your question.
Thanks
Rizwan Rafeek
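To make the order of operations on PIX-A concrete, here is a small simulation written for this thread (it is not PIX/ASA code and not from the Cisco document). It models the policy-NAT static and the crypto ACL "new" quoted above, assuming the PIX translates the source first and then checks the post-NAT packet against the crypto ACL. The network names, the one-to-one host mapping by subnet offset, and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the PIX-A statements discussed in the thread
# (a simulation written for this post, not PIX/ASA code):
#   access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
#   static (inside,outside) 172.18.1.0 access-list policy-nat
#   access-list new extended permit ip 172.18.1.0 255.255.255.0 10.1.0.0 255.255.255.0  (crypto ACL)
REAL_LAN = ipaddress.ip_network("192.168.1.0/24")    # PIX-A's actual inside LAN
MAPPED_LAN = ipaddress.ip_network("172.18.1.0/24")   # what PIX-B is shown instead
REMOTE_LAN = ipaddress.ip_network("10.1.0.0/24")     # LAN behind PIX-B


@dataclass(frozen=True)
class PolicyNat:
    """One 'static (inside,outside) <mapped> access-list <acl>' entry.

    The translation applies only when the packet matches BOTH the source
    network (real) and the destination network (dest) of the ACL; hosts are
    mapped one-to-one by their offset inside the subnet (assumed behaviour)."""
    real: ipaddress.IPv4Network
    mapped: ipaddress.IPv4Network
    dest: ipaddress.IPv4Network

    def outbound(self, src: str, dst: str) -> str:
        """Source address after NAT for a packet leaving the inside interface."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in self.real and d in self.dest:
            offset = int(s) - int(self.real.network_address)
            return str(self.mapped.network_address + offset)
        return src  # ACL did not match: this static does not apply

    def inbound(self, src: str, dst: str) -> str:
        """Destination address after un-NAT for return traffic from the remote LAN."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in self.dest and d in self.mapped:
            offset = int(d) - int(self.mapped.network_address)
            return str(self.real.network_address + offset)
        return dst


POLICY_NAT = PolicyNat(real=REAL_LAN, mapped=MAPPED_LAN, dest=REMOTE_LAN)

# Crypto ACL "new" on PIX-A as (source, destination) network pairs.
CRYPTO_ACL_NEW = [(MAPPED_LAN, REMOTE_LAN)]


def crypto_acl_matches(acl, src: str, dst: str) -> bool:
    """True if the (src, dst) pair is 'interesting traffic' for the crypto map."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b for a, b in acl)


def pix_a_outbound(src: str, dst: str):
    """Assumed order on PIX-A for an inside host: NAT first, then the crypto-map
    check against the post-NAT source. Returns (source address on the wire,
    whether the packet is sent into the tunnel)."""
    translated = POLICY_NAT.outbound(src, dst)
    return translated, crypto_acl_matches(CRYPTO_ACL_NEW, translated, dst)


if __name__ == "__main__":
    # Host on PIX-A's LAN talking to the LAN behind PIX-B: translated and encrypted.
    print(pix_a_outbound("192.168.1.5", "10.1.0.9"))
    # Same host to an unrelated destination: policy NAT does not apply, no tunnel.
    print(pix_a_outbound("192.168.1.5", "203.0.113.7"))
    # Return traffic from PIX-B's LAN is un-translated back to the real host.
    print(POLICY_NAT.inbound("10.1.0.9", "172.18.1.5"))
```

This is why the crypto ACL on PIX-A is written with 172.18.1.0/24 rather than 192.168.1.0/24: by the time the crypto map is consulted, the source already carries the mapped address, and an ACL written with the real address would never match.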
03-08-2012 05:39 AM
Rizwan, thank you for the reply and it would be great if there was a book or tech document showing simple examples like the one you provided of all the different NAT types and relation to VPN as many of the Cisco docs can get too involved or blurry with the examples or lack of explanations.
Thanks again,
Jeff
03-07-2012 07:53 PM
Please rate helpful post.
thanks