PIX to PIX IPSEC VPN with NAT - overlapping addresses

jolangford
Level 1

I have a situation where I need to connect to a partner with IPSEC VPN on an existing PIX that has existing site-to-site tunnels to our remote offices. The problem is that the partner also uses 10.x.x.x address internally. I'm struggling to find any documentation to do static NAT with IPSEC tunnels.

The setup is (I have two servers talking to one on the other end):

10.100.1.10 -- MyPIX -----OtherPIX - 200.1.1.10 (other 10.x.x.x internally).

10.100.1.20 -- MyPIX -----OtherPIX - 200.1.1.10 (other 10.x.x.x internally).

I can NAT my addresses to registered IP addresses (210.1.41.100 and 210.1.41.101) but I'm unsure on the actual config.

If I set up static NATs, do I use the syntax static (inside, outside)? I'm unsure as it will actually go to a VPN tunnel.

When I define the "interesting traffic" do I use the real or NAT addresses?

Note: I have changed the IP addresses in this example.

4 Replies

s.uslay
Level 1

I also need some doco on VPN tunnels with static NAT on the same PIX. The existing docos are either wrong or very old.

Serhat

saurav.khanna
Level 1

Here is what you are looking at:

10.x.x.x ---Your PIX-------Internet------Other PIX----10.x.x.x

You can overcome this problem by applying static NAT translations on both ends, i.e.:

Your PIX configuration:

access-list 101 permit ip 10.x.x.x 255.255.255.0 192.168.1.0 255.255.255.0

static (inside,outside) 192.168.2.0 access-list 101

What it means is that whenever traffic from your network goes out to 192.168.1.0 then it gets translated to 192.168.2.0.

Other PIX configuration:

access-list 101 permit ip 10.x.x.x 255.255.255.0 192.168.2.0 255.255.255.0

static (inside,outside) 192.168.1.0 access-list 101

What it means is that whenever traffic from your network goes out to 192.168.2.0 then it gets translated to 192.168.1.0

One thing you need to make sure is that you must have a code of 6.3.3 or greater to have this functionality.

Let me know if things are not clear.

Saurav.

What Saurav says is correct and note that NAT occurs before encryption so what you define in the access-list for the interesting traffic is going to be the NAT addresses and not the private addresses.

Jatinder

What Saurav says is correct. Also note that since encryption occurs after the NAT process so you will have to use the translated (global) addresses in the access-lists for the interesting traffic.

Jatinder
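Putting Saurav's static-NAT approach and Jatinder's "crypto ACL on the translated addresses" point together for the original setup (two servers, one partner host), here is an added example in PIX 6.3 syntax; it is not from any poster in the thread. It uses plain one-to-one statics on the registered addresses rather than Saurav's policy static. Assumptions: 200.1.1.10 is the global address the partner presents for its server, the partner PIX outside address, the pre-shared key and the existing crypto map name are placeholders in angle brackets, and lines beginning with ":" are comments.

```cisco
: --- 1. Static NAT: the real servers appear to the partner as the registered addresses
static (inside,outside) 210.1.41.100 10.100.1.10 netmask 255.255.255.255
static (inside,outside) 210.1.41.101 10.100.1.20 netmask 255.255.255.255

: --- 2. Interesting traffic: NAT runs before encryption, so the crypto ACL
:        matches the translated addresses, never 10.100.1.x
access-list partner-vpn permit ip host 210.1.41.100 host 200.1.1.10
access-list partner-vpn permit ip host 210.1.41.101 host 200.1.1.10

: --- 3. Leave the existing "nat (inside) 0 access-list ..." for the office tunnels
:        as it is. Do not add the partner host to that ACL: identity NAT takes
:        precedence over statics, so the traffic would leave untranslated and
:        never match the crypto ACL above.

: --- 4. New peer and a new entry in the crypto map already bound to outside
isakmp key <PRESHARED_KEY> address <PARTNER_PIX_IP> netmask 255.255.255.255
crypto ipsec transform-set partner-ts esp-aes-256 esp-sha-hmac
crypto map <EXISTING_MAP_NAME> 30 ipsec-isakmp
crypto map <EXISTING_MAP_NAME> 30 match address partner-vpn
crypto map <EXISTING_MAP_NAME> 30 set peer <PARTNER_PIX_IP>
crypto map <EXISTING_MAP_NAME> 30 set transform-set partner-ts
```

After a test connection, "show xlate" should list the two static translations and "show crypto ipsec sa" should show a security association whose local identity is the 210.1.41.x address, which confirms the NAT-then-encrypt order.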