
Pix NAT/PAT destination

Jon Marshall
Hall of Fame

I have a PIX 506 (ver 6.3) running PAT for internet access. I now need to create a VPN to a third party and need to NAT the source IP addresses. Is it possible to have a separate NAT pool that is only used when the destination is the third-party network (which is using private addressing)? Basically, NAT based on destination IP address.

Alternatively, the third party have a VPN 3k. Can they NAT my source IPs when the packets are decrypted at their end before passing them on to the final destination with a LAN-to-LAN NAT rule? I'm sure I read somewhere that although a static mapping on the LAN-to-LAN NAT rule suggests this can be done, it won't work.

Many thanks in advance

Jon

2 Accepted Solutions


ddawson
Level 1

You want "Policy NAT", which is described in the PIX 6.3 docs here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601

The VPN 3000 can't do NAT in that direction, so doing it in the PIX is your better (only) option.

HTH - Good luck!


rsommer
Level 1

Ran into the same thing here. Version 6.3(3) (which is new!) has a new feature called policy NAT - which will do exactly what you want it to do.

Go to:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm

FYI - if you use PDM - you can't configure policy NAT via PDM 3.0(1) - unsupported. And if you configure policy NAT from CLI - you will lose capability to use PDM to configure. I'm trying to find out if there is a newer version of PDM that supports this.

Hope that helps.

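The policy NAT setup both answers point to, sketched as an added example that is not part of the original posts. All addresses, the ACL names and the crypto map name are constructed for illustration; the syntax is PIX 6.3 CLI, where a leading colon marks a comment.

```cisco
: Constructed addressing (assumptions, not from the thread):
:   inside LAN 192.168.1.0/24, third-party LAN 10.20.0.0/16,
:   172.16.50.1 = address agreed with the third party for translated traffic

: Existing Internet PAT (NAT ID 1), left unchanged
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

: Policy NAT (NAT ID 2): applies only when the destination is the third-party LAN
access-list POLICY-NAT-3P permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 2 access-list POLICY-NAT-3P
global (outside) 2 172.16.50.1

: The crypto ACL must match the translated source, because NAT is applied
: before the packet is checked against the crypto map
access-list VPN-3P permit ip host 172.16.50.1 10.20.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address VPN-3P
```

Any `nat (inside) 0 access-list` exemption must not match this traffic, or the translation is skipped; `show xlate` and `show crypto ipsec sa` confirm which source address actually enters the tunnel.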

3 Replies

Thanks for that. It did the trick fine.
