Cisco Support Community
New Member

nat and ipsec on pix 6.2

Hello,

Will the pix perform NAT before sending traffic to an IPSEC tunnel?

specifically:

========================================
name 172.28.2.24 EORLA
name 10.1.0.19 WHBIZTALK
access-list 150 permit ip host WHBIZTALK host EORLA
pdm location 172.28.2.24 255.255.255.255 outside
pdm location 10.1.0.19 255.255.255.255 inside
static (inside,outside) 10.230.32.11 10.1.0.19 netmask 255.255.255.255 0 0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WDMHMAP 85 ipsec-isakmp
crypto map WDMHMAP 85 match address 150
crypto map WDMHMAP 85 set peer 10.24.8.17
crypto map WDMHMAP 85 set transform-set ESP-3DES-SHA
crypto map WDMHMAP interface outside
========================================

what I need to see in the ipsec tunnel is traffic with src = 10.230.32.11 and dest = 172.28.2.24

thanks!

4 REPLIES
Cisco Employee

Re: nat and ipsec on pix 6.2

Based just upon the configuration that you have posted here, Yes, the IP Address 10.1.0.19 will be NATTed to 10.230.32.11.

Since you want to see IPSEC Tunnel with src = 10.230.32.11 and dest = 172.28.2.24, you need to reconfigure the ACL 150 to

access-list 150 permit ip host 10.230.32.11 host EORLA

Regards,

Arul

** Please rate if it helps **
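
The order of operations described in the reply above, as an added example that is not part of the original thread: a small Python model that parses the posted lines, applies the static translation first, then tests the flow against the ACL referenced by the crypto map. It assumes NAT precedes crypto ACL matching, as the reply states, and handles only host-to-host permit entries; the function names are hypothetical.

```python
# Constructed from the configuration lines posted in the thread.
CONFIG = """\
name 172.28.2.24 EORLA
name 10.1.0.19 WHBIZTALK
access-list 150 permit ip host WHBIZTALK host EORLA
static (inside,outside) 10.230.32.11 10.1.0.19 netmask 255.255.255.255 0 0
crypto map WDMHMAP 85 match address 150
"""
# Same lines with the ACL change suggested in the reply.
FIXED = CONFIG.replace("host WHBIZTALK host EORLA",
                       "host 10.230.32.11 host EORLA")

def parse(config):
    """Extract names, host-to-host ACL entries, static NATs and crypto ACL ids."""
    names, acls, statics, crypto_acls = {}, {}, {}, set()
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 3 and t[0] == "name":
            names[t[2]] = t[1]                      # alias -> address
        elif (len(t) == 8 and t[0] == "access-list"
              and t[2:5] == ["permit", "ip", "host"] and t[6] == "host"):
            acls.setdefault(t[1], []).append((t[5], t[7]))
        elif len(t) >= 4 and t[0] == "static":
            statics[t[3]] = t[2]                    # real address -> translated
        elif len(t) == 7 and t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto_acls.add(t[6])
    return names, acls, statics, crypto_acls

def tunnel_selected(config, src, dst):
    """True if an inside flow src -> dst matches a crypto ACL after static NAT.

    Assumption (from the reply): translation happens before the crypto ACL
    is evaluated, so the ACL sees the translated source address.
    """
    names, acls, statics, crypto_acls = parse(config)
    post_nat_src = statics.get(src, src)
    for acl_id in crypto_acls:
        for a_src, a_dst in acls.get(acl_id, []):
            entry = (names.get(a_src, a_src), names.get(a_dst, a_dst))
            if entry == (post_nat_src, dst):
                return True
    return False

if __name__ == "__main__":
    for label, cfg in (("posted ACL 150", CONFIG), ("revised ACL 150", FIXED)):
        print(label, "->", tunnel_selected(cfg, "10.1.0.19", "172.28.2.24"))
```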

New Member

Re: nat and ipsec on pix 6.2

I should clarify, the ipsec tunnel is an existing tunnel and has as its endpoints:

local: 10.230.32.3 i.e. pix outside interface

remote: 10.24.8.17

...I want to direct traffic from 10.1.0.19 to 172.28.2.24 into the ipsec tunnel, but, I need to nat 10.1.0.19 to 10.230.32.11.

Hall of Fame Super Blue

Re: nat and ipsec on pix 6.2

Hi

Yes you can NAT the source or destination IP addresses before they enter the IPSEC tunnel. The config above looks fine - is it not working?

Jon

New Member

Re: nat and ipsec on pix 6.2

working fine, thanks very much !!
