04-19-2007 12:45 PM - edited 03-11-2019 03:02 AM
I have several clients using Pix Tunnels for site to site connections. I have one client who cannot route my internal network address space due to an overlap issue. I have tried to set up the NAT, but the traffic is not changing to the NAT address.
Here are the entries I used (the tunnel is working):
access-list outside_cryptomap_1400 permit ip host 64.x.x.5 142.x.x.86 255.255.255.255
access-list inside-outbound_nat3_acl permit ip 10.0.0.0 255.0.0.0 142.x.x.86 255.255.255.255
nat (inside) 3 access-list inside-outbound_nat3_acl
global (outside) 3 64.x.x.5
Any help would be appreciated!
Thanks,
Robert
04-20-2007 03:23 AM
Try using a static mapping rather than a NAT to the outside interface.
04-20-2007 04:56 AM
Robert,
Posted the following not so long ago (Policy NAT), should do the trick for you...
Hope it helps and please rate posts if it does!!
Jay
04-20-2007 05:37 AM
This did not work. My problem is that my NAT ACL is getting hits, but that is where it looks like the traffic stops.
Here are my configs:
access-list inside-outbound_nat3_acl permit ip 10.x.x.0 255.0.0.0 142.x.x.86 255.255.255.255
access-list outside_cryptomap_1400 permit ip host 64.x.x.5 142.x.x.86 255.255.255.255
global (outside) 3 64.x.x.5
nat (inside) 3 access-list inside-outbound_nat3_acl
crypto map outside_map 1400 ipsec-isakmp
crypto map outside_map 1400 match address outside_cryptomap_1400
crypto map outside_map 1400 set peer 199.x.x.23
crypto map outside_map 1400 set transform-set ESP-3DES-MD5
crypto map outside_map 1400 interface outside
isakmp policy 1400 authentication pre-share
isakmp policy 1400 encryption 3des
isakmp policy 1400 hash md5
isakmp policy 1400 group 2
isakmp policy 1400 lifetime 86400
Any other ideas?
Thanks,
Robert
04-20-2007 05:45 AM
Have you done any debugging, or do you have any logs that you can post?
04-20-2007 10:33 AM
I have just been watching counts on access lists, do you have any other ideas on how to debug the issue?
I just started picking up the Network devices at my company, since our last Network Engineer moved on.
Robert
04-20-2007 06:03 AM
Attached, working configuration of policy NAT VPN in my lab. Thing to note:
If there's another IPSec tunnel that uses NAT exemption, there will be a "nat (inside) 0 access-list ..." line in the existing configuration.
The access-list this references needs a deny added to it that specifies any traffic from the LAN side going to the peer inside subnet is ignored, otherwise the NAT will not happen.
Hope this helps!
Jay
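The ordering Jay describes, written out as an added illustration (this is not his attached lab config). It reuses the thread's masked addresses and invents one other peer subnet, 192.168.50.0/24, to stand in for an existing NAT-exempt tunnel:

```cisco
! Added illustration, not Jay's attachment. LAN 10.0.0.0/8, hide address 64.x.x.5,
! overlapping peer host 142.x.x.86; 192.168.50.0/24 is a made-up second VPN peer subnet.

! 1. NAT exemption used by the other tunnel(s). The PIX evaluates nat 0 before
!    policy NAT, so the overlap peer must be denied here first; otherwise the
!    exemption wins, traffic leaves untranslated, and it never matches the
!    64.x.x.5 crypto ACL below.
access-list inside_nat0_outbound deny   ip 10.0.0.0 255.0.0.0 host 142.x.x.86
access-list inside_nat0_outbound permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 2. Policy NAT: only LAN -> 142.x.x.86 is translated (PAT) to 64.x.x.5.
access-list inside-outbound_nat3_acl permit ip 10.0.0.0 255.0.0.0 host 142.x.x.86
nat (inside) 3 access-list inside-outbound_nat3_acl
global (outside) 3 64.x.x.5

! 3. The crypto ACL matches the post-NAT source, as Robert already has it.
access-list outside_cryptomap_1400 permit ip host 64.x.x.5 host 142.x.x.86
crypto map outside_map 1400 match address outside_cryptomap_1400
```

After a test ping to 142.x.x.86, `show xlate` should show a 10.x address translated to 64.x.x.5 and `show access-list` should show hits on the deny line of the nat 0 ACL as well as on the policy NAT and crypto ACLs; hits on the nat 0 permit line instead point at a missing or misordered deny.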
04-20-2007 10:32 AM