02-11-2008 07:43 AM
I'm trying to set up a VPN configuration with a company that has a 3020 Concentrator and we have a PIX501.
We currently use PAT for all communications with the outside world (except with a few servers that have their own dedicated IPs, which we NAT). When traveling over the VPN tunnel to the 3020, I'd like our hosts to NAT to an address range that is internal to the remote network (they've requested this). Is it possible to set this up?
pk
02-11-2008 09:43 AM
I don't know if that would work or not. On both sides your source and destination networks for the VPN would be the same then, and you might get some undesirable results.
You could NAT your network to some other network, though, that they weren't using on their side, and that wouldn't be a problem. To do this, you would create some sort of policy NAT statement using an ACL. Then for your crypto ACL, you just match on traffic from the NAT'ed (global) address space.
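An added example, not part of any post in this thread, of the approach described in the reply above: PIX 6.3-style policy NAT alongside the existing PAT. All names and addresses (192.168.1.0/24 inside, 10.20.0.0/16 remote, 172.31.250.0/24 translated pool, VPN-NAT, VPN-CRYPTO, VPNMAP) are constructed assumptions, and the rest of the crypto map (peer, transform set) is assumed to exist already.

```text
: Existing PAT for ordinary Internet traffic (assumed already present)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

: Policy NAT: match only inside hosts talking to the remote VPN network
access-list VPN-NAT permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 2 access-list VPN-NAT
global (outside) 2 172.31.250.1-172.31.250.254 netmask 255.255.255.0

: Crypto ACL matches the translated (global) source, not the real inside addresses
access-list VPN-CRYPTO permit ip 172.31.250.0 255.255.255.0 10.20.0.0 255.255.0.0
crypto map VPNMAP 10 match address VPN-CRYPTO
```

Traffic that matches VPN-NAT is translated by NAT ID 2; everything else falls through to the PAT rule in NAT ID 1. The remote side's crypto ACL must mirror VPN-CRYPTO, and no `nat 0` exemption should cover the same traffic.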
02-11-2008 09:59 AM
Could you provide an example? I'm having difficulty figuring out how to tell the PIX when to use the NAT and when to use the PAT for the hosts that will be accessing the VPN tunnel.