PIX NAT & IPSec

jlixfeld
Level 1

[Host1]--[PIX1]-O=(IPSEC)=O-[PIX2]--[HOST2]--Internet

Host2 has 2 interfaces, A & B. Interface A is connected to the internet, interface B is connected to PIX2. Host2 defaults via Interface A.

Host1 needs to access Host2 over the IPSec tunnel between the two PIXs. Since Host2 defaults through Interface A but traffic from Host1 comes in through Interface B, is it possible to have PIX2 do some sort of NAT whereby the decrypted IPSec traffic from Host1 is NAT'd to be on the same network as Interface B on Host2? Static routes on Host2 to send traffic back to Host1 are not an option as a workaround.

Thanks in advance for any suggestions...

1 Reply

ehirsel
Level 6

If you are running PIX 6.3 code or higher on PIX2 then you can employ destination NAT'ing. If you do not want the source hosts to be NAT'ed to the PIX2 interface address that connects to HOST2, then you will also need to enable the sysopt proxyarp feature on that interface to allow PIX2 to respond to the ARP requests that HOST2 will generate.

You can do a static one-to-one xlate if there are fewer hosts than the PIX2-HOST2 subnet can contain, or do a many-to-one xlate if you want HOST2 to see all clients as coming from the same IP address.

To take the simplest case, using the one-to-one static, code this on PIX2:

sysopt proxyarp inside (assumes HOST2 is off the inside interface)

static (outside,inside) a.b.c.d w.x.y.z netmask 255.255.255.255

where w.x.y.z is the address of HOST1 as seen by PIX2 on the outside interface, and a.b.c.d is an address on the PIX2-HOST2 subnet and is the address that HOST2 will see HOST1 as.

Let me know if this helps.
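A fuller PIX2 configuration fragment for the one-to-one case, added here as an illustration and not taken from the reply above or from any Cisco documentation. It assumes PIX 6.3 syntax, that HOST2 sits on a 10.2.0.0/24 inside subnet, that w.x.y.z is HOST1's real address on the outside, that 10.2.0.50 is a free inside address for HOST2 to see HOST1 as, and that an existing transform set and the PIX1 peer address are filled in where the placeholders are; the crypto lines are included only to show how the static interacts with the crypto and nat 0 access lists.

```cisco
! Constructed example (PIX 6.3 syntax); all addresses and names are placeholders
! inside : 10.2.0.0/24, where HOST2 lives
! outside: faces PIX1 across the IPSec tunnel
! w.x.y.z : HOST1's real address as PIX2 sees it on the outside interface
! 10.2.0.50: unused inside address that HOST2 will see HOST1 as

! Destination NAT, form is: static (real_ifc,mapped_ifc) mapped_ip real_ip
! Decrypted packets from w.x.y.z show up on the inside sourced from 10.2.0.50,
! so HOST2 answers on Interface B instead of defaulting out Interface A
static (outside,inside) 10.2.0.50 w.x.y.z netmask 255.255.255.255

! Proxy ARP is on by default in 6.3; this assumed form only matters if
! "sysopt noproxyarp inside" was set earlier. Without proxy ARP, HOST2's
! ARP request for 10.2.0.50 goes unanswered and the return path never forms
no sysopt noproxyarp inside

! Return traffic from HOST2 is untranslated back to w.x.y.z by the static;
! exempt the inside subnet from source NAT toward HOST1's real address
access-list nonat permit ip 10.2.0.0 255.255.255.0 host w.x.y.z
nat (inside) 0 access-list nonat

! The crypto ACL is matched after the static has untranslated 10.2.0.50,
! so it names HOST1's real address, not the mapped one
access-list vpn permit ip 10.2.0.0 255.255.255.0 host w.x.y.z
crypto map tunnel 10 ipsec-isakmp
crypto map tunnel 10 match address vpn
crypto map tunnel 10 set peer <PIX1-outside-address>
crypto map tunnel 10 set transform-set <existing-transform-set>
crypto map tunnel interface outside

! Lets decrypted tunnel traffic bypass the outside interface ACL;
! omit it and write an explicit outside ACL if you want tighter control
sysopt connection permit-ipsec
```

PIX1's crypto ACL must be the mirror image (host w.x.y.z to 10.2.0.0/24), since 10.2.0.50 never appears inside the tunnel. Check the result with `show xlate` for the static entry and `show crypto ipsec sa` for matching SAs on both sides.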