New Member

VPN - proxy public address for NAT

I have a /29 public block on a PIX515.

A partner says I must proxy/NAT one of the public IPs in the tunnel instead of the internal private addresses.

Do I just need the additional global and a static NAT for the tunnel?

1 REPLY
Cisco Employee

Re: VPN - proxy public address for NAT

You would need to use policy NAT/static NAT so that traffic uses that IP address only when going to the tunnel, something like:

access-list VPN permit ip

static (inside,outside) Y.Y.Y.Y access-list VPN

and the crypto map will use that Y.Y.Y.Y as the source of the VPN traffic.

Now one little catch here: if you are going to use a single IP address, then PAT is required and the config will change, causing this not to be bidirectional (only replies to traffic from your inside network will come back, not traffic originated from the remote network). For PAT use:

access-list VPN permit ip

nat (inside) X access-list VPN

global (outside) X Y.Y.Y.Y

hth

Ivan
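
Both variants from the reply above, filled in as an added example that is not part of the original thread: every address is a constructed documentation value, NAT ID 5 stands in for X, and the names VPN-HOST, VPN-LAN, PARTNER-CRYPTO and PARTNER-MAP are hypothetical. The tunnel's existing ISAKMP, transform-set and peer settings are assumed to be in place already.

```cisco
! Constructed values (assumptions, not from the thread):
!   10.1.1.0/24      inside LAN          10.1.1.10    one inside host
!   192.168.50.0/24  partner LAN         203.0.113.2  spare address from the /29
! Configure variant A or variant B, not both.

! Variant A: policy static NAT for a single inside host.
! One-to-one mapping, so the partner can also initiate to 203.0.113.2.
access-list VPN-HOST permit ip host 10.1.1.10 192.168.50.0 255.255.255.0
static (inside,outside) 203.0.113.2 access-list VPN-HOST

! Variant B: policy PAT for the whole inside LAN behind one address.
! Many-to-one, so only sessions opened from the inside get return traffic.
access-list VPN-LAN permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 5 access-list VPN-LAN
global (outside) 5 203.0.113.2

! Both variants: translation happens before encryption, so the crypto ACL
! must match the translated source, not the private addresses.
access-list PARTNER-CRYPTO permit ip host 203.0.113.2 192.168.50.0 255.255.255.0
crypto map PARTNER-MAP 10 match address PARTNER-CRYPTO

! If an existing "nat (inside) 0 access-list ..." exemption covers
! inside-to-partner traffic, remove those entries: NAT exemption is
! evaluated before policy NAT and would send the private source instead.
```

After applying, `show xlate` should list 203.0.113.2 for matched flows and `show crypto ipsec sa` should show it as the local ident.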
