https://community.cisco.com/t5/network-security/pix-vpn-nat-problem/m-p/683410#M1035433 <P></P><P>hi all,</P><P></P><P>i am trying to configure a vpn setup, where i have configured the crypto map and isakmp configuration but as for the acl and natting problem, i face the following issue.</P><P></P><P>I want to establish a VPN tunnel from a PIX to another IPSec gateway that the local host IP gets natted as following:</P><P></P><P>Local Host: 172.16.10.1. This host should be</P><P>natted to an IP, say, 10.10.10.2</P><P></P><P>Destination host: 172.20.10.2</P><P>Remote Peer: 209.206.81.71</P><P></P><P>User from 172.16.10.1 should only be able to access the FTP service on the destination host. </P><P></P><P>Could someone advise me on the config to be done on the PIX? I know the IKE and IPSec config to be done but how do I handle access-lists and NAT?</P> Mon, 11 Mar 2019 08:57:56 GMT kasame141006 2019-03-11T08:57:56Z https://community.cisco.com/t5/network-security/pix-vpn-nat-problem/m-p/683410#M1035433 <P></P><P>hi all,</P><P></P><P>i am trying to configure a vpn setup, where i have configured the crypto map and isakmp configuration but as for the acl and natting problem, i face the following issue.</P><P></P><P>I want to establish a VPN tunnel from a PIX to another IPSec gateway that the local host IP gets natted as following:</P><P></P><P>Local Host: 172.16.10.1. This host should be</P><P>natted to an IP, say, 10.10.10.2</P><P></P><P>Destination host: 172.20.10.2</P><P>Remote Peer: 209.206.81.71</P><P></P><P>User from 172.16.10.1 should only be able to access the FTP service on the destination host. </P><P></P><P>Could someone advise me on the config to be done on the PIX? I know the IKE and IPSec config to be done but how do I handle access-lists and NAT?</P> Mon, 11 Mar 2019 08:57:56 GMT https://community.cisco.com/t5/network-security/pix-vpn-nat-problem/m-p/683410#M1035433 kasame141006 2019-03-11T08:57:56Z https://community.cisco.com/t5/network-security/pix-vpn-nat-problem/m-p/683411#M1035434 <HTML><HEAD></HEAD><BODY><P>hi all,</P><P></P><P>for those who were unable to understand my question and even for those were about to answer. I have finally completed what i wanted to do. so i thought i should share it.</P><P></P><P>i did the following:</P><P></P><P>\\-Define a conditional nat process to nat 172.16.10.1 to 10.10.10.2, but only if going to destination 172.20.10.2 </P><P>access-list conditional_nat permit ip host 172.16.10.1 host 172.20.10.2</P><P>global (outside) 20 x.x.10.2</P><P>nat (inside) 20 access-list conditional_nat</P><P></P><P>\\-Define traffic to be encrypted. This now includes the natted 10.10.10.2 address and not the original host IP</P><P>access-list special_vpn permit ip host 10.10.10.2 host 172.20.10.2</P><P>crypto map yourmap match address special_vpn</P><P>crypto map yourmap set peer 209.x.x.71</P><P></P><P>\\-- restrict outbound VPN to only ftp</P><P>access-list outbound_restrict permit tcp host 172.16.10.1 host 172.20.10.2 eq ftp</P><P>access-list outbound_restrict permit tcp host 172.16.10.1 host 172.20.10.2 eq ftp-data</P><P>access-list outbound_restrict deny ip host 172.16.10.1 host 172.20.10.2</P><P>access-list outbound_restrict permit ip any any</P><P>access-group outbound_restrict in interface inside</P><P></P><P>hope this helps to anyone like me. </P></BODY></HTML> Mon, 20 Nov 2006 05:48:05 GMT https://community.cisco.com/t5/network-security/pix-vpn-nat-problem/m-p/683411#M1035434 kasame141006 2006-11-20T05:48:05Z