Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
602
Views
0
Helpful
2
Replies

pix515 and natting IPSEC VPN to 2 ISP

aliverlex
Level 1
Level 1

‎07-30-2008 11:21 PM - edited ‎03-03-2019 10:58 PM

Good day!

We have PIX515 which is connected by one inside interface to inside network and terminates IPSEC VPN sessions.

Then we NAT inside PIX IP to internet on router 2851

Everything works fine.

Now we need to NAT this PIX to second ISP (with different IP). Both ISP now is connected to one Cisco 2851. And we have configured standard routing with route-maps and it works ok.

How can we do it?

I've tried to use route-maps with NAT, but it don't work.

We had idea to assign second IP-address to PIX, but it's not support this.

I've even tried to use second PIX interface connected to second VLAN, but routing wasn't work correctly (PIX responds only to one ip-address, to which interface is configured a default route).

My config in 2851 is:

ip nat inside source static 192.168.0.1 xx.xx.xx.zz route-map vpn_isp1 reversible extendable

ip nat inside source static 192.168.0.1 yy.yy.yy.qq route-map vpn_isp2 reversible extendable

route-map vpn_isp1 permit 10

match ip address for_nat

set ip next-hop xx.xx.xx.xx

route-map vpn_isp2 permit 10

match ip address for_nat

set ip next-hop yy.yy.yy.yy

Thanks!

Labels:
0 Helpful
2 Replies 2

mchin345
Level 6
Level 6

‎08-06-2008 10:25 AM

With the help of Policy NAT, you can create multiple NAT or static statements.

Cisco PIX Firewall and VPN Configuration Guide, Version 6.3.

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1113601

Use this Using NAT and PAT Statements on the Cisco Secure PIX Firewall example guide.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml

0 Helpful

aliverlex
Level 1
Level 1
In response to mchin345

‎08-06-2008 10:46 PM

Thanks for reply, Mary!

I don't need PIX NAT, I need 2851 NAT.

Question was: how to NAT (on 2851) one IP in inside net to two IP in outside? It needs for access this one inside IP from two different outside IP different ISPs.

Second inside IP is not possible to assign to device (because it is PIX).

The main goal is to make redundant VPN, terminated by PIX.

May be more correctly is to connect PIX to two outside ISP through two VLANs and to setup tracking for default route?

Thanks!

0 Helpful
Customers Also Viewed These Support Documents