PIX v6.3 Site to Site with Policy NAT

Robin Olofsson
Level 1

Hi guys,

I need to set up a site to site with NAT because we have an overlapping subnet on the other end.

They need to access two servers on our network with static IPs.

Site A: 192.168.100.0/24

Site B: 192.168.200.128/25

The other site has picked this network for NAT: 10.200.50.0/28

I need to translate

192.168.100.10 > 10.200.50.2
192.168.100.20 > 10.200.50.3

through the tunnel.

This is what I've done so far, will this work? Any problem that could appear with this config?

Crypto ACL:

access-list VPN permit ip 10.200.50.0 255.255.255.240 192.168.200.128 255.255.255.128

access-list Policy_NAT1 permit ip host 192.168.100.10 192.168.200.128 255.255.255.128
access-list Policy_NAT2 permit ip host 192.168.100.20 192.168.200.128 255.255.255.128
nat (inside) 10 access-list Policy_NAT1 0 0
nat (inside) 11 access-list Policy_NAT2 0 0
global (outside) 10 10.200.50.2
global (outside) 11 10.200.50.3

Thanks in advance!

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Your configuration seems fine.

Though I guess it's a Dynamic Policy NAT/PAT configuration.

In case you wanted to configure Static Policy NAT you would have to change it a bit. I mean if you wanted a NAT configuration that would enable bidirectional connection forming, both from your site to the remote site and from the remote site to your side. You could still use the same ACLs you have configured, but you would be using them in "static" configurations.

static (inside,outside) 10.200.50.2 access-list Policy_NAT1
static (inside,outside) 10.200.50.3 access-list Policy_NAT2

The consideration with both the Static Policy NAT and Dynamic Policy NAT/PAT would be that if these hosts have Static NAT configured to the direction of the "outside" interface then that Static NAT would override both of these configurations.

If you were using Dynamic Policy NAT and had a Static NAT also for the host then you would have to change to using the above mentioned Static Policy NAT to be able to override the Static NAT.

And with the above in mind the possible existing Static NAT and new Static Policy NAT might have some problems together also. In that case the ordering of the NAT rules would determine if the Static Policy NAT was ever applied. If you had the Static NAT configured already then it would override the new Static Policy NAT. The solution would be to remove the Static NAT and enter it again. This would move the Static NAT after the Static Policy NAT in the order they show up on the CLI format configuration and therefore Static Policy NAT would work for the destination addresses specified and the Static NAT for all the other destination addresses.

Hope I made some sense.

Feel free to ask more if needed though

- Jouni

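The NAT rule ordering Jouni describes, modelled as an added Python illustration (not PIX code and not from this thread): static rules, policy or plain, are evaluated in configuration order ahead of dynamic policy NAT, so a pre-existing plain static for 192.168.100.10 shadows the policy rule until it is removed and re-entered, and the crypto ACL from the question then never sees a 10.200.50.x source. The 203.0.113.10 public mapping, the rule kind names and the test hosts are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Added model of the outbound NAT rule order described in the accepted answer.
# It is an illustration written for this thread, not PIX code; the rule kinds,
# the 203.0.113.10 public mapping and the sample hosts are constructed.

@dataclass
class Rule:
    kind: str                # "static-policy", "static" or "dynamic-policy"
    real: str                # inside address or network
    mapped: str              # address shown to the outside / the VPN peer
    dest: str = "0.0.0.0/0"  # ACL destination; "any" for a plain static

def _hits(rule, src, dst):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.real, strict=False)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dest, strict=False))

def translate(rules, src, dst):
    """Mapped source for an inside->outside packet under the modelled order:
    statics (policy or plain) in configuration order, then dynamic policy NAT."""
    for group in (("static-policy", "static"), ("dynamic-policy",)):
        for rule in rules:
            if rule.kind in group and _hits(rule, src, dst):
                return rule.mapped
    return src  # no rule matched: the packet leaves untranslated

REMOTE = "192.168.200.128/25"

def crypto_acl_selects(mapped_src, dst):
    """The crypto ACL from the question; NAT runs first, so it must see 10.200.50.x."""
    return (ipaddress.ip_address(mapped_src) in ipaddress.ip_network("10.200.50.0/28")
            and ipaddress.ip_address(dst) in ipaddress.ip_network(REMOTE))

def dynamic_policy_with_static():
    # The question's nat/global pair plus an existing plain static for the host.
    return [Rule("static", "192.168.100.10", "203.0.113.10"),
            Rule("dynamic-policy", "192.168.100.10", "10.200.50.2", REMOTE)]

def static_policy_shadowed():
    # Static policy NAT added while the older plain static still precedes it.
    return [Rule("static", "192.168.100.10", "203.0.113.10"),
            Rule("static-policy", "192.168.100.10", "10.200.50.2", REMOTE)]

def static_policy_fixed():
    # Plain static removed and re-entered, so it now follows the policy static.
    return [Rule("static-policy", "192.168.100.10", "10.200.50.2", REMOTE),
            Rule("static", "192.168.100.10", "203.0.113.10")]
```

Traffic from 192.168.100.10 to a Site B host gets 203.0.113.10 under the first two rule sets and 10.200.50.2 only under the re-ordered one, while traffic to any other destination still uses the plain static.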

3 Replies


Hi Jouni,

Sorry for the late reply, everything worked properly so I forgot about the thread! :-)

Thank you very much though, I made the change for the nat to static as you said. And it works!

Hi,

Thank you for informing us how it went.

Great to hear it worked.

- Jouni
