Natting outside hosts for access to inside hosts on PIX

Hi,

I am trying to translate a host coming in over a VPN on a PIX running 6.3(1) with no success.

I have tried a static mapping and also a nat with a global as follows:

nat (outside) 3 10.10.10.0 255.255.255.0 outside 0 0

global (inside) 3 192.168.168.169

or:

static (outside,inside) 192.168.168.169 10.10.10.10 netmask 255.255.255.255 0 0

I have also added access-list statements to allow the natted address (192.168.168.169) in on the external interface,

and added routes via the outside interface for the un-natted address.

I am not sure if I have the logic right.

5 Replies

ehirsel
Level 6

Does the vpn connection terminate on the pix, or is it just passing thru the pix to an inside vpn gateway?

It terminates on the PIX

bhatok
Level 1

I'm not sure if I follow what you are trying to do but here is my take. You have users connecting to your network via a VPN to your PIX. Once connected your users are given 192.168.168.169 as their address. These users cannot access resources behind the PIX.

If your users are successfully connecting to the VPN and their VPN IP is 192.168.168.169, you can create an access-list to allow this IP access to your internal network:

access-list 105 permit ip 10.10.10.0 255.255.255.0 192.168.168.169 255.255.255.255

nat (inside) 0 access-list 105

Now the VPN user with IP 192.168.168.169 is granted access to 10.10.10.0 (your internal network).

Let me clarify.

I have a vpn user coming in with a 10.x.x.x/24 address which I want to translate to a 192.x.x.x/24 address for access to another 172.x.x.x address on my internal network.

My problem is that I am not doing the natting correctly and the vpn user continues to be seen with a 10.x.x.x address.

Try this:

Create these access-lists:

access-list vpn_innat_01 permit ip 10.x.y.0 255.255.255.0 172.a.b.c 255.sm.sm.sm

access-list vpn_outnat_01 permit ip 172.a.b.c 255.sm.sm.sm 192.168.y.0 255.255.sm.sm

Create these statics:

static (out, in) 192.168.y.0 access-list vpn_innat_01

static (in, out) 172.a.b.c access-list vpn_outnat_01

You may need to also add an entry to the acl applied to the outside interface to allow the vpn connections to access the 172.x.x.x addresses unless you have the sysopt permit-ipsec option set.

Try these and let us know how it proceeds.

The acls and statics that I am having you enter allow the vpn connections to get nat'ed when accessing the 172.x.x.x hosts and allow addressability of those hosts to the vpn users. If you already have a static (in, out) 172.x.x.x 172.x.x.x statement, do not add the static (in, out) that I specified, as it is already present.

These only work if you are running pix 6.3.3 code or higher.
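The procedure in the reply above, written out as a complete PIX 6.3 policy-NAT fragment. This is an added worked example, not configuration posted by anyone in the thread. It assumes the interfaces are named outside and inside, the VPN already terminates on the PIX with a client pool of 10.10.10.0/24 (the network from the original post), a mapped range of 192.168.168.0/24 (a placeholder /24 chosen to match the original post's 192.168.168.169), and a single inside server 172.16.1.10 (placeholder address). The crypto map and VPN group configuration are not shown.

```cisco
! Added worked example (not from the thread). Assumptions: PIX 6.3(3) or later,
! interfaces "outside"/"inside", VPN client pool 10.10.10.0/24, mapped range
! 192.168.168.0/24 (placeholder), inside server 172.16.1.10 (placeholder).

! 1. Only VPN-pool traffic destined for the inside server is translated.
!    Policy NAT keys on source AND destination, so other pool traffic is untouched.
access-list vpn_innat_01 permit ip 10.10.10.0 255.255.255.0 host 172.16.1.10

! 2. The inside server keeps its real address when talking to the mapped
!    VPN addresses (identity static, scoped by the same policy).
access-list vpn_outnat_01 permit ip host 172.16.1.10 192.168.168.0 255.255.255.0

! 3. Outside-to-inside policy static. The mask is taken from the ACL source
!    (/24), so client 10.10.10.N is seen by the server as 192.168.168.N.
static (outside,inside) 192.168.168.0 access-list vpn_innat_01

! 4. Inside-to-outside identity policy static for the server.
!    Omit if a "static (inside,outside) 172.16.1.10 172.16.1.10" already exists.
static (inside,outside) 172.16.1.10 access-list vpn_outnat_01

! 5. Let decrypted IPsec traffic bypass the ACL applied to the outside
!    interface. Without this line, that ACL must permit the VPN clients
!    (matched by their real 10.10.10.0/24 source, as I understand PIX 6.3
!    ordering; confirm with "show access-list" hit counts) to 172.16.1.10.
sysopt connection permit-ipsec

! 6. The PIX must have a route back to the client pool via outside; normally
!    the default route covers it, otherwise add one (next hop is a placeholder):
! route outside 10.10.10.0 255.255.255.0 203.0.113.1 1
```

Two checks worth running after entering this: existing translations are not rebuilt when a static changes, so issue `clear xlate` before testing, then watch `show xlate` while a client connects; the entry for the client should show its 10.10.10.x address mapped to 192.168.168.x, and the inside server's own entry should map 172.16.1.10 to itself. Note that inside hosts route replies for 192.168.168.0/24 toward the PIX inside interface, so that range must not overlap anything actually used on the inside network.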
