Site-to-Site with NAT on a PIX

gdsnell
Level 1

I have an internal workstation that needs to be NATed to an address separate from the Internet global pool that needs to communicate over a site-to-site VPN tunnel but still use the Internet global pool when accessing the Internet. The tunnel is created but I have not been able to NAT the workstation for the tunnel and the Internet simultaneously. Any suggestions?

5 Replies

stevensavage
Level 1

hi gdsnell

Have a look at the below:

Site A 10.10.10.0

Site B 10.10.20.0

nat pool on both pixes to the internet

nat (inside) 1 10.10.10.0 255.255.255.0 0 0

global (outside) 1 [public ip range]

Then create a no-nat pool so these ips can talk to each other over the tunnel

nat (inside) 0 access-list nat0

access-list nat0 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0

This way, Internet-bound traffic will still be NATed to the global range but internal (site-to-site) traffic will keep its 10.10 address. Set up accordingly on the opposite site and all good.

The Internet portion is correct, but I need to NAT a single internal address to a unique address that is not part of the public address space so only it can traverse the site-to-site tunnel while still being able to use the Internet NAT/global range for its Internet-bound traffic.

If you want just one workstation from Site A, for example, to access Site B and also maintain Internet NATing for all internal hosts:

nat (inside) 1 10.10.10.0 255.255.255.0 0 0

global (outside) 1 [public ip range]

#Nats all internet traffic

nat (inside) 0 access-list nat0

access-list nat0 permit ip host 10.10.10.5 host 10.10.20.10

#Allows 10.10.10.5 to access 10.10.20.10 across the tunnel without NATing it

hth

This one workstation needs to be NATed to a unique address to access Site B and also NATed with all the other workstations for Internet access.

What IP address do you want to NAT the workstation to, and if you don't mind me asking, why do you wish to NAT it? It will be able to access the traffic on the other network with no NAT. I am just curious.
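One way to get the behaviour the original poster asks for (a single host translated to a private, tunnel-only address while everything else, including that host's Internet traffic, keeps using the global pool) is PIX policy NAT. This is an added example, not configuration posted in the thread; it assumes PIX 6.3 syntax, the 10.10.10.0/24 and 10.10.20.0/24 addressing from the replies, and a constructed tunnel-only address 192.168.100.5 and ACL/crypto-map names.

```text
! Assumed addressing (constructed for this example):
!   Site A inside LAN                 10.10.10.0/24, workstation 10.10.10.5
!   Site B inside LAN                 10.10.20.0/24
!   Tunnel-only address for the host  192.168.100.5 (private, outside the public pool)
!   Public pool                       [public ip range]  (placeholder, as in the replies)

! 1. Internet NAT for the whole LAN, unchanged from the replies above.
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
global (outside) 1 [public ip range]

! 2. Policy static NAT: only packets from 10.10.10.5 whose destination is
!    Site B are translated to 192.168.100.5. Anything else from that host
!    does not match the ACL and falls through to pool 1 (Internet NAT).
access-list tunnel-nat permit ip host 10.10.10.5 10.10.20.0 255.255.255.0
static (inside,outside) 192.168.100.5 access-list tunnel-nat

! 3. Do NOT put 10.10.10.5 in a "nat (inside) 0 access-list" exemption:
!    NAT exemption is evaluated before policy statics and would leave the
!    host untranslated. In this scenario only the one workstation crosses
!    the tunnel, so no nat 0 statement is needed at all.

! 4. The crypto ACL (interesting traffic) must match the TRANSLATED address,
!    because NAT is applied before encryption on the PIX.
access-list vpn-traffic permit ip host 192.168.100.5 10.10.20.0 255.255.255.0
crypto map outside_map 10 match address vpn-traffic
! Site B's crypto ACL and its nat 0 exemption must reference 192.168.100.5
! (the mirror of this entry), not 10.10.10.5.

! Checks after a test ping from 10.10.10.5 to Site B and to the Internet:
!   show xlate             -> one xlate 10.10.10.5 -> 192.168.100.5 (policy static)
!                             plus a pool-1 xlate for the Internet flow
!   show crypto ipsec sa   -> encaps/decaps counters incrementing for
!                             192.168.100.5 <-> 10.10.20.0/24
```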
