Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN with static NAT

Hello,

The network that I have is this

host1---/pix1/---/router/----/pix2/--/host2/

I want to create VPN between to PIXes.

host2 and all of the PIX2 interfaces have private IPs but for the sake of VPN and mutual communication between host1 and host2 I need publis addresses.

I have statically translated PIX2 outside IP to public on the router. I have statically translated host2 private IP to public.The VPN tunnel goes up, but the hosts do not communicate. I have for the sake of testing, permited all IP traffic so the problem is not in the ACLs.

When I set up VPN using private ip on PIX2 and no nat on router everything works fine so I have ruled out the option of misconfiguring the pixes.

I have put the appropriate static routes on the router. I am able to ping host1 and host2 from the router.

Are there any additional commands I should use on my router?

6 REPLIES
Silver

Re: VPN with static NAT

Outside interface would generally have the public ip address in the same subnet as router.Static ip address could be configured for the system to communicate.Readd the NAT on the router.It should work fine

New Member

Re: VPN with static NAT

Actually it did not. I tried what you have suggested. In the end, what worked was changing the IOS from 12.4 to 12.3

Worked like a charm.

Silver

Re: VPN with static NAT

YOu have to keep the hosts IPs private. You need to NAT the PIXs outside interfaces to public on the router.

Then you establish the VPN between the PIXs public IPs. Once established the IPSEC sa or ACLs should contain the private subnets and also NAT0 for them.

Let me know if this helps,

Regards,

New Member

Re: VPN with static NAT

I cannot keep the hosts on private IPs because the other side of my tunnel is requesting me to use pblic IPs for the hosts. But anyway, I have done as you have suggested only without nat0 (have put static NAT)and it worked on 12.3 and on 12.4 it did not work)

Silver

Re: VPN with static NAT

Hello,

Sorry didn't get what you tested. If you need to have public IPs for those hosts you should be able to do so by NATing them to public IPs and not using the NAT(0) for the ACL.

One important thing to note is that if you don't use NAT(0) the outside ACL applied on the outside interface should allow traffic from host 1 to host 2. This is because when using the NAT(0) the PIX knows that it does not have to match the traffic applied on the outside interface. If you don't use the NAT(0) you have to add a line that allows host2 to host 1 communication on the ACL applied on the outside. I guess this why it didn't work with you from the first time.

Let me know if the problem is solved,

Regards,

Silver

Re: VPN with static NAT

Any news?

129
Views
0
Helpful
6
Replies
CreatePlease to create content