topic Re: PIX - NAT- 1750? Can it Be Done. in Network Security

PIX - NAT- 1750? Can it Be Done.

jerry.roy — Fri, 21 Feb 2020 05:48:19 GMT

Hello Forum,

Can I place a 1750 Behind a PIX 520 and have the PIX NAT a Public IP Address on the Outside Interface (Internet) to a Private IP Address on the pix/inf2 and have a IPSec Tunnel come up and pass traffic? My guess is that it won't work.

If Not, what would be the recommended design?

Best Regards,

Jerry Roy

jroy@axcelerant.com

Re: PIX - NAT- 1750? Can it Be Done.

bstremp — Fri, 15 Jun 2001 20:12:17 GMT

Yes, that should work fine. Not sure what your concerns are with the 1750 in the topology. Is it just routing for your LAN?

Re: PIX - NAT- 1750? Can it Be Done.

rbharania — Tue, 24 Jul 2001 06:43:24 GMT

The Answer to your question depends on where the crypto endpoint is.

If the 1750 is an endpoint of the crypto tunnel (and the PIX doing NAT is just firewalling)

then IPSec in certain fashions will work.

IKE is UDP 500 and is NAT-friendly - no problem.

AH is IP protocol 51 - and authenticates most of the IP header. This is a problem. Not NAT

friendly

ESP (protocol 50) provides both authentication and encryption functions. In tunnel mode, you'll

have no problems either (the IP address fields in the header are considered mutable)

If the PIX is the endpoint, then there is no problem with anything because the PIX order of

operations is such that NAT occurs before IPSec on the egress interface.

-Rakesh