Source-PAT outside traffic through PIX

adil.nasser3
Level 1

Hello All,

I have been tasked with building a VPN tunnel with a partner company between our company's PIX firewall and the other company's ASA firewall.  The traffic flow will be that Partner A company users will be accessing my company's Citrix server.  I want to source-PAT the partner company user traffic to my company's PIX inside interface as it enters my LAN to access my company's Citrix server.  The partner company will be PAT'ing their user traffic to a single IP address - let's say for discussion purposes it is 68.108.244.25.  So there will be site-to-site VPN configuration and NAT configuration required to enable this traffic flow according to the above requirements.  I am comfortable with the site-to-site VPN tunnel configuration, so I don't think it is necessary to post that portion of the configuration to be reviewed by this forum.  What I do need help with is the NAT portion of the configuration.

{My Company's Citrix Server} ---------<inside ifc>-[PIX525]-<outside ifc>--------(internet)------{Partner Company A host PCs}
        10.100.12.103                                                                              68.108.244.25

My proposed configuration to enable nat'ing (or pat'ing) Partner A user traffic to my PIX firewall's inside interface is the following:

global (inside) 9 interface
nat (outside) 9 access-list PartnerA_source_nat
access-list PartnerA_source_nat extended permit ip host 68.108.244.25 host 10.100.12.103

Can someone let me know if the above configuration is correct or please feedback/correction?

Thanks,

Adil

3 Replies

Julio Carvajal
VIP Alumni

I will be honest with you: I have not read the entire post, I just saw the NAT config and saw the keyword missing.

Add the following:

nat (outside) 9 access-list PartnerA_source_nat outside

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you Jcarvaja,

I do have one additional question.  Inside the VPN encryption domain, do I use the real source ip address of PartnerA as the destination or the NAT'ed ip address?

Thanks in advance,

Adil

Hello,

You should point to the NAT IP address, as they will receive the traffic from that IP address.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
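A fuller version of the NAT portion, as an added example and not configuration taken from the thread: the outside policy PAT with the keyword from the first reply, the inbound interface ACL around it, the crypto ACL that the encryption-domain question refers to, and the commands used to verify the translation. The interface name, the ACL names other than PartnerA_source_nat, the Citrix ports (ICA TCP 1494, CGP TCP 2598) and PIX 7.x syntax are assumptions.

```text
! Added example, not the poster's config. Assumes PIX 7.x syntax; the ACL
! names outside_in and PartnerA_crypto and the interface name are placeholders.
!
! 1. Outside (policy) PAT: traffic entering the outside interface from the
!    partner's PAT address 68.108.244.25 and bound for the Citrix server is
!    source-PAT'ed to the PIX inside interface address. The trailing "outside"
!    keyword is what turns this into an outside NAT rule.
access-list PartnerA_source_nat extended permit ip host 68.108.244.25 host 10.100.12.103
nat (outside) 9 access-list PartnerA_source_nat outside
global (inside) 9 interface
!
! 2. Inbound interface ACL. With "sysopt connection permit-ipsec" (named
!    permit-vpn on later releases) enabled, decrypted tunnel traffic bypasses
!    this ACL; if that sysopt is disabled, the ACL must permit the flow. Either
!    way, limiting the partner to the Citrix ports instead of "ip" keeps the
!    tunnel from becoming a path to anything else on the inside network.
access-list outside_in extended permit tcp host 68.108.244.25 host 10.100.12.103 eq 1494
access-list outside_in extended permit tcp host 68.108.244.25 host 10.100.12.103 eq 2598
access-group outside_in in interface outside
!
! 3. Encryption domain (the crypto ACL bound to the site-to-site crypto map,
!    which is not shown). It carries the addresses as they travel inside the
!    tunnel: the Citrix server's real address and the partner's PAT address.
!    On PIX 7.x the outside PAT is applied after decryption and undone before
!    the crypto ACL is evaluated on the way out, so the inside interface
!    address never appears here.
access-list PartnerA_crypto extended permit ip host 10.100.12.103 host 68.108.244.25
!
! Verification once the partner connects:
!   show xlate | include 68.108.244.25   (one PAT entry per partner session)
!   show nat                              (confirms the outside nat rule is active)
```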