04-27-2005 09:56 AM - edited 02-21-2020 01:44 PM
I have a situation where I need to connect to a partner with IPSEC VPN on an existing PIX that has existing site-to-site tunnels to our remote offices. The problem is that the partner also uses 10.x.x.x addresses internally. I'm struggling to find any documentation on doing static NAT with IPSEC tunnels.
The setup is (I have two servers talking to one on the other end):
10.100.1.10 -- MyPIX -----OtherPIX - 200.1.1.10 (other 10.x.x.x internally).
10.100.1.20 -- MyPIX -----OtherPIX - 200.1.1.10 (other 10.x.x.x internally).
I can NAT my addresses to registered IP addresses (210.1.41.100 and 210.1.41.101), but I'm unsure of the actual config.
If I set up static NATs, do I use the syntax static (inside,outside)? I'm unsure, as the traffic will actually go into a VPN tunnel.
When I define the "interesting traffic", do I use the real or the NAT addresses?
Note: I have changed the IP addresses in this example.
04-27-2005 04:15 PM
I also need some doco on VPN tunnels with static NAT on the same PIX. The existing docos are either wrong or very old.
Serhat
04-28-2005 11:55 PM
Here is what you are looking at:
10.x.x.x ---Your PIX-------Internet------Other PIX----10.x.x.x
You can overcome this problem by applying static NAT translations on both ends, i.e.:
Your PIX configuration:
access-list 101 permit ip 10.x.x.x 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list 101
What it means is that whenever traffic from your network goes out to 192.168.1.0, it gets translated to 192.168.2.0.
Other PIX configuration:
access-list 101 permit ip 10.x.x.x 255.255.255.0 192.168.2.0 255.255.255.0
static (inside,outside) 192.168.1.0 access-list 101
What it means is that whenever traffic from your network goes out to 192.168.2.0, it gets translated to 192.168.1.0.
One thing you need to make sure of is that you must be running code 6.3.3 or greater to have this functionality.
Let me know if things are not clear.
Saurav.
05-01-2005 06:43 AM
What Saurav says is correct, and note that NAT occurs before encryption, so what you define in the access-list for the interesting traffic is going to be the NAT addresses and not the private addresses.
Jatinder
05-01-2005 06:50 AM
What Saurav says is correct. Also note that since encryption occurs after the NAT process, you will have to use the translated (global) addresses in the access-lists for the interesting traffic.
Jatinder
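Putting Saurav's policy static NAT and Jatinder's "NAT before crypto" rule together, here is a complete PIX 6.3 configuration for MyPIX that adds the partner tunnel next to an existing remote-office tunnel. This is an added example, not config from the thread or from Cisco; it uses the addresses the original poster gave (10.100.1.10/.20, 210.1.41.100/.101, partner peer 200.1.1.10) and assumes the partner presents its overlapping 10.x network to us as 192.168.1.0/24, that the remote office uses 10.200.0.0/16 behind peer 203.0.113.5, and that the object names (NONAT, PARTNER_SRV1, VPN_PARTNER, OUTSIDE_MAP, and so on) are free to choose.

```cisco
! ===== MyPIX (PIX 6.3.3 or later; names and unlisted addresses are assumptions) =====
!
! 1. Existing remote-office tunnel keeps private addresses on both ends.
!    nat 0 access-list (NAT exemption) is evaluated before any static, so
!    the servers stay untranslated when they talk to 10.200.0.0/16 (assumed).
access-list NONAT permit ip 10.100.1.0 255.255.255.0 10.200.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! 2. Policy static NAT for the two servers, scoped to the partner's presented
!    range 192.168.1.0/24 (assumed). The ACL uses REAL inside addresses; the
!    mapped address is the registered IP the partner will see.
access-list PARTNER_SRV1 permit ip host 10.100.1.10 192.168.1.0 255.255.255.0
access-list PARTNER_SRV2 permit ip host 10.100.1.20 192.168.1.0 255.255.255.0
static (inside,outside) 210.1.41.100 access-list PARTNER_SRV1
static (inside,outside) 210.1.41.101 access-list PARTNER_SRV2
!
! 3. Interesting traffic for the partner tunnel, written with the TRANSLATED
!    (global) addresses: the crypto map is consulted after NAT has run.
!    A crypto ACL written with 10.100.1.x here would never match, and the
!    packets would leave the outside interface in the clear.
access-list VPN_PARTNER permit ip host 210.1.41.100 192.168.1.0 255.255.255.0
access-list VPN_PARTNER permit ip host 210.1.41.101 192.168.1.0 255.255.255.0
!
! 4. Existing remote-office crypto ACL: private addresses, mirrors NONAT.
access-list VPN_OFFICE permit ip 10.100.1.0 255.255.255.0 10.200.0.0 255.255.0.0
!
! 5. IKE phase 1 (pre-shared key, 3DES/SHA/DH group 2 as available on 6.3).
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key ******** address 203.0.113.5 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 200.1.1.10 netmask 255.255.255.255 no-xauth no-config-mode
!
! 6. IPsec phase 2: one transform set, one crypto map with an entry per peer.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_OFFICE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.5
crypto map OUTSIDE_MAP 10 set transform-set STRONG
crypto map OUTSIDE_MAP 20 ipsec-isakmp
crypto map OUTSIDE_MAP 20 match address VPN_PARTNER
crypto map OUTSIDE_MAP 20 set peer 200.1.1.10
crypto map OUTSIDE_MAP 20 set transform-set STRONG
crypto map OUTSIDE_MAP interface outside
!
! 7. Let decrypted traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
!
! ===== OtherPIX (partner side, for symmetry; assumed names/addresses) =====
! The partner hides its own 10.x server(s) behind 192.168.1.0/24 the same way,
! and its crypto ACL is the exact mirror of VPN_PARTNER above.
! access-list PARTNER_NAT permit ip 10.x.x.x 255.255.255.0 host 210.1.41.100
! access-list PARTNER_NAT permit ip 10.x.x.x 255.255.255.0 host 210.1.41.101
! static (inside,outside) 192.168.1.0 access-list PARTNER_NAT
! access-list VPN_CUSTOMER permit ip 192.168.1.0 255.255.255.0 host 210.1.41.100
! access-list VPN_CUSTOMER permit ip 192.168.1.0 255.255.255.0 host 210.1.41.101
```

After adding or changing the statics, run `clear xlate` so no stale translations survive, then `show xlate` while a server sends to the partner: the entry should read 10.100.1.10 to 210.1.41.100 only for that destination, and `show crypto ipsec sa` for peer 200.1.1.10 should show the proxy identities as 210.1.41.100/32 to 192.168.1.0/24, not the 10.100.1.x addresses. If the SA identities show the private addresses, the crypto ACL was written with pre-NAT addresses and the two ends will fail phase 2 negotiation or, worse, pass the traffic unencrypted.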