Natting before vpn on pix 501

carllougher
Level 1

Howdy,

Scenario:

I need to setup a Pix 501 with site to site vpn connection to the US.

Pix inside address - 192.168.100.0

Outside - PAT single ISP address

Qu:

How do I nat the inside address before sending traffic over the vpn as the US side is expecting traffic from 172.16.0.0 address range?

Thanks!!

1 Reply

mhussein
Level 4

I think that is possible using policy NAT (pnat). Let's say you want to NAT 192.168.100.0/24 to 172.16.100.0/24, then send it through the tunnel to the rest of the 172.16.0.0/16.

access-list pnat_first permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0

static (inside,outside) 172.16.100.0 access-list pnat_first

Here, traffic from 192.168.100.0/24 going to 172.16.0.0/16 will be policy-NATed (sourced) from 172.16.100.0/24.

Note that the subnet mask in the "static" command is inferred from the acl's mask.

access-list 101 permit ip 172.16.100.0 255.255.255.0 172.16.0.0 255.255.0.0

crypto map aptmap 10 match address 101

Here, policy-NATed traffic will go through the tunnel; the source address is now 172.16.100.0/24. This is a partial config.

The assumption here is that policy nat will take precedence over encryption.

I haven't tried this (anything on a PIX 501 for that matter), so if you are up for an adventure, then have fun experimenting with these configs and share your findings.

Also read the reply from gfullage in this post, I think it is very helpful:

(very long url, I already gave the webmaster feedback on this)

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd771e7

HTH

Mustafa
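The two ACLs and the policy static from the reply above, modelled as an added Python example (not from the original post, and not Cisco code). It applies the policy NAT first and then the crypto-map match, which is the ordering the reply assumes, so a reader can check that the crypto ACL has to be written against the translated source. The ACL tuples and the sample flows are constructed for the example.

```python
import ipaddress

# Constructed model of the reply's config. Entries are PIX-style
# "permit ip <src> <mask> <dst> <mask>" with subnet masks, not wildcards.
PNAT_FIRST = [("192.168.100.0", "255.255.255.0", "172.16.0.0", "255.255.0.0")]
ACL_101 = [("172.16.100.0", "255.255.255.0", "172.16.0.0", "255.255.0.0")]


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_matches(acl, src, dst):
    """True if any permit entry covers the (src, dst) pair."""
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s_ip in _net(s, sm) and d_ip in _net(d, dm)
               for (s, sm, d, dm) in acl)


def policy_static(src, dst, acl, mapped_net):
    """Model 'static (inside,outside) <mapped_net> access-list <acl>'.

    If the flow matches the ACL, the source is rewritten into mapped_net,
    keeping the host bits (net-to-net static). As the reply notes, the
    mapped mask is taken from the ACL entry's source mask.
    """
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for (s, sm, d, dm) in acl:
        real = _net(s, sm)
        if s_ip in real and d_ip in _net(d, dm):
            host_bits = int(s_ip) - int(real.network_address)
            return str(_net(mapped_net, sm).network_address + host_bits)
    return src  # no policy match: source left as-is (PAT would apply on a real PIX)


def outbound(src, dst):
    """Ordering assumed in the reply: policy NAT first, then crypto-map match.

    Returns (translated_source, goes_through_tunnel).
    """
    translated = policy_static(src, dst, PNAT_FIRST, "172.16.100.0")
    return translated, acl_matches(ACL_101, translated, dst)


if __name__ == "__main__":
    print(outbound("192.168.100.7", "172.16.5.9"))     # ('172.16.100.7', True)
    print(outbound("192.168.100.7", "198.51.100.10"))  # ('192.168.100.7', False)
```

A crypto ACL written against the untranslated 192.168.100.0/24 source would never match under this ordering, which is the failure mode to look for if the tunnel stays down.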