NAT over IPSEC

d.majumdar
Community Member

Hi,

We want to configure a site-to-site tunnel between our PIX and a client's Checkpoint firewall.

As per the client's internal policy, they allow only public IP addresses to traverse through the IPsec VPN.

Is there a possibility of sending public addresses through the PIX over the IPsec VPN?

rgds,

DM


ehirsel
Level 11

Yes, you can NAT/PAT to a public IP address on the PIX prior to sending the traffic over the IPsec VPN.

Here is an example based upon one of my org's site VPNs that has the same requirement. I am using policy-based PAT to accomplish this:

nat (inside) 34 access-list remotenet_nat_01 0 0

global (outside) 34 a.b.c.d - where a.b.c.d is what the remote net sees you as

access-list remotenet_nat_01 permit ip yi.yi.yi.yi ym.ym.ym.ym r.r.r.r rm.rm.rm.rm - where yi and ym are your network and netmask before NAT/PAT, and r and rm are the remote network and its mask

access-list cmap_acl permit tcp host a.b.c.d r.r.r.r rm.rm.rm.rm - this is the ACL that defines interesting traffic for IPsec, and the other end needs a mirror image of this ACL in its crypto map. In this ACL, a.b.c.d, the address after NAT/PAT, is used.

Let me know if this helps.

I hope this helps

Hi,

Thanks for the help.

But can I send multiple internal users using one single public IP over the tunnel?

Hi ehirsel,

I am planning to implement NAT over IPsec, so please give a configuration example.

While implementing NAT over IPsec, do I have to enable NAT-T (NAT Transparency) on the PIX?

Regards

sat

You should not have to configure NAT-T on the PIX, as you have a site-to-site tunnel, not a remote-access one. The only VPN client of the PIX is the Checkpoint firewall, so NAT-T should not be used unless the Checkpoint admin wants to use it (normally site-to-site VPNs use the native IPsec AH and ESP protocols instead of tunneling them through UDP or TCP packets).

Yes, you can have multiple clients use the same address. In the example I gave in my prior post, I assumed that the clients were behind the PIX. If they are behind the Checkpoint, then the Checkpoint will employ PAT to give each client the same IP address, and the PIX will use that IP as the destination host in the ACL that defines interesting traffic. So you have this cmap ACL:

access-list cmap permit ip my-net my-net-mask host client-pat - where client-pat is what the Checkpoint assigns.

You won't need to implement the policy-NAT ACL, nat (inside) and global (outside) statements that I had in my original example, because the clients are remote, not local.

However, the peer and other crypto map parameters won't change.
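Here is a worked PIX 6.3 configuration for the two cases described in ehirsel's replies above (case A: hosts behind the PIX are PATed to one public address before encryption; case B: hosts behind the Checkpoint are PATed by it and the PIX only adjusts its crypto ACL). It is an added example, not configuration from this thread or from ehirsel's site; the addresses (taken from the RFC 5737 documentation ranges), the ACL and crypto map names, the pre-shared key placeholder and the cipher choices are all assumptions.

```cisco
! PIX 6.3 site-to-site tunnel to a Checkpoint peer (added example; addresses are assumptions).
!   10.1.1.0/24    inside network behind the PIX (private, must not cross the tunnel)
!   203.0.113.10   public address the inside hosts are PATed to before encryption
!   198.51.100.1   Checkpoint firewall, the IKE peer
!   192.0.2.0/24   network behind the Checkpoint (case A)
!   192.0.2.5      address the Checkpoint PATs its own hosts to (case B)

! --- Case A: hosts behind the PIX must appear as one public address ---
! Policy PAT: only inside traffic bound for the remote network is translated.
access-list remotenet_nat_01 permit ip 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 34 access-list remotenet_nat_01
! A single address in the global pool means PAT: every inside host shares 203.0.113.10,
! which answers the "multiple internal users behind one public IP" question.
global (outside) 34 203.0.113.10
! Interesting traffic for IPsec. The PIX translates outbound packets before it checks
! the crypto ACL, so the post-NAT address is the source here. The Checkpoint's
! encryption domain must be the exact mirror: 192.0.2.0/24 -> host 203.0.113.10.
access-list cmap_acl permit ip host 203.0.113.10 192.0.2.0 255.255.255.0

! --- Case B: the hosts sit behind the Checkpoint, which PATs them to 192.0.2.5 ---
! No nat/global lines are needed on the PIX; only the crypto ACL differs:
! access-list cmap_acl permit ip 10.1.1.0 255.255.255.0 host 192.0.2.5
! If the client still insists on public addresses on both sides, keep the nat/global
! lines from case A and use "host 203.0.113.10 host 192.0.2.5" in both peers' ACLs.

! --- IKE phase 1 and IPsec phase 2, identical for both cases ---
isakmp enable outside
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set cp_set esp-aes-256 esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address cmap_acl
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set cp_set
crypto map outside_map 10 set pfs group2
crypto map outside_map interface outside
! Let decrypted tunnel traffic bypass the outside interface access list.
sysopt connection permit-ipsec
! NAT-T is only needed when a NAT device sits between the PIX and the Checkpoint and
! rewrites the ESP packets themselves; it has nothing to do with translating the
! payload addresses, so it stays off here.
! isakmp nat-traversal 20
```

Two checks worth running once the tunnel is up: `show xlate` should show the inside hosts mapped to 203.0.113.10, and `show crypto ipsec sa` should list `local ident` as 203.0.113.10/255.255.255.255 and `remote ident` as 192.0.2.0/255.255.255.0; if the Checkpoint's encryption domain contains the private 10.1.1.0/24 or its own real hosts instead of the PAT addresses, phase 2 fails with a proxy-ID mismatch. The PAT address does not have to be the outside interface's own IP (`global (outside) 34 interface` would also work), but it must be one the client agrees to see, and it is never exposed on the Internet unencrypted, since it only appears inside ESP packets addressed to the PIX's outside interface.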