
Policy NAT, Outside NAT & IPSec issue

ccsmith
Level 1

We have a client with a 3-node frame network and a client-based VPN terminating on a 3005. The client is trying to establish a PIX-to-PIX VPN to one of their clients to support an app on a single host. We've established the VPNs and it works fine. But now the client wants to scale up towards approximately 50 site-to-site VPNs for their customer base over the next year. We are trying to get a PAT to work over the VPN that is different from the PAT that goes out to the internet. We believe with this type of estimated growth that we will most likely have to implement an Outside or Bi-directional NAT since some of the remote clients will eventually have IP blocks that overlap.

Is anyone else running a scenario like this? We feel that we could probably handle this with a router between the internal network and the PIX that could handle the Policy NAT before handing the traffic to the PIX. We're hoping there is a way to handle it directly on the PIX. But if anyone has any suggestions, please send them. There haven't been many articles on this.

Thank you,

Chris Smith

2 Replies

murabi
Level 4

Take a look at the following URL, which shows how to configure Policy NAT on PIX: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#1113601

Thanks for the link. We had looked at this one before posting. It does describe exactly how to perform an Outside NAT, but none of the examples show how to implement it through an IPSec VPN. We tried it a couple of different ways in a lab, but couldn't get it to work through the VPN.
