cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
503
Views
0
Helpful
4
Replies

Natting over IPSec Tunnel in PIX Firewall

netadmin
Level 1
Level 1

Hi,

We have a PIX 525 FW is IOS Ver. 6.3. We are using a 172.x.x.x network in our LAN. We need to establish a VPN tunnel from our firewall to one of our clients firewall. Our client is ready to allow access to his network only if our private ip address are natted to a public ip range. I would like to know how to configure the NAT and IPSec in this kind of scenario. We have done similar configurations using Checkpoint and it works well there. I tried a couple of configurations for NATting as follows over the IPSec tunnel.

access-list acl_outbound permit ip 172.16.1.0 255.255.255.0 10.100.25.0 255.255.255.0

nat (inside) 1 access-list acl_outbound

global (outside) 1 214.65.72.1

In the above configuration 172.16.x.x is my local network and 10.100.x.x is my clients network. When the access-list matches i am natting it to the public ip range. I am specifying the public ip range in my VPN interesting traffic. After i issue this command and save the configurations and when i try to open the PDM i get a message saying "Policy Based NAT is not supported" and the PDM doesnt allow me to do any changes through PDM.

Can somebody let me know how to configure a PIX in this kind of scenario.

Regards,

G.G. Venkat Raman,

email: venkatgg@gmail.com

4 Replies 4

gfullage
Cisco Employee
Cisco Employee

You're configuring the PIX correctly, assuming your crypto ACL then looks like the following:

access-list crypto permit ip host 214.65.72.1 10.100.25.0 255.255.255.0

Keep in mind that NAt happens BEFORE IPSec, so it is fine to NAt the traffic first, then use IPSec to define the already-NAT'd traffic.

The issue you're having with PDM is simply that PDM does not support any policy-NAt statements, so PDM will go into Monitor mode if you have this config in place. There is no way around it unfortunately.

For a listed of unsupported commands, see here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/rel_nts/pdmrn304.htm#wp145758

Hi,

You are right, my crypto access-list looks like the same way you have mentioned. But, can you tell me whether upgrading the PDM will help in this situation.

So, can you use this for overlapping IP address space by configuring each end to NAT to something else?

In other words, if each endpoint used 10.1.1.0/24 as their IP addressing scheme, could you set one end up to nat to 172.16.1.0/24 and the other to 172.16.2.0/24 and have it work?

PIX 1:

access-list crypto-2remote permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0

nat (inside) 2 access-list crypto-2remote

global (outside) 2 172.16.1.0 255.255.255.0

PIX 2:

access-list crypto-2local permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (inside) 2 access-list crypto-2local

global (outside) 2 172.16.2.0 255.255.255.0

k.subramaniam
Level 1
Level 1

Hi,

As per my understanding you need to set up the accesslist for intresting traffic in such a way that it specifiy the sourch as a public IP pool and destination as a 10.100.25.0/24. And also just try with following command.

nat (in) 1 172.16.1.0 255.255.255.0

global (out) 1 214.65.72.1

Hope this will resolve your issue.

Regards,

Mehul Patel

email : mehul123_patel@yahoo.com