Policy NAT over VPN

thult
Level 1

Pix 525, OS 7.2(3)

I am trying to do the following:

Inside FTP-server 10.1.1.1

Outside NAT-address: 20.1.1.1

Remote Network: 172.16.1.0/24

VPN connection from the remote network to the outside NAT address, which should be redirected to the inside FTP server.

I am trying to use the static command like this:

access-list Crypto_map extended permit ip host 20.1.1.1 172.16.1.0 255.255.255.0

access-list FTP_OVER_VPN extended permit ip host 10.1.1.1 172.16.1.0 255.255.255.0

static (inside,outside) 20.1.1.1 access-list FTP_OVER_VPN

The translation just doesn't work. Is there any better way to do this? I need to use policy NAT since I do not want the FTP server to use the translated address at any time other than over the VPN tunnel.

1 Reply

david.barroso
Level 1

I have a similar scenario but in my case I'm specifying the service:

My ssh server: 172.17.3.4

NATted IP: 172.23.133.4

access-list 112 permit tcp host 172.17.3.4 eq ssh object-group EDS_NETS

static (DMZ,outside) tcp 172.23.133.4 ssh access-list 112 0 0

In this case my DMZ network overlapped with another VLAN on their side, so I NATted my host. I am not sure if it is necessary to specify the service for it to work. Have you checked that you do not have another static matching the host before the policy-based static rule?
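The two posts consolidated into one configuration, as an added example that is not either poster's config: it uses the service-specific policy static form from the reply for the FTP control port, keeps the crypto ACL on the translated address, and ends with the checks the reply suggests. Addresses and ACL names are the ones in the thread; limiting the static to TCP/21 and the availability of packet-tracer on this 7.2 release are assumptions.

```cisco
! Added example, not from the original posts.
! Policy static NAT: 10.1.1.1 appears as 20.1.1.1 only when talking
! to 172.16.1.0/24, and only for the FTP control port (assumption:
! the translation is restricted to TCP/21 as in the reply's ssh case).
access-list FTP_OVER_VPN extended permit tcp host 10.1.1.1 eq ftp 172.16.1.0 255.255.255.0
static (inside,outside) tcp 20.1.1.1 ftp access-list FTP_OVER_VPN 0 0
!
! Crypto ACL matches the translated address: NAT is applied before
! the traffic is evaluated against the crypto map on the way out.
access-list Crypto_map extended permit ip host 20.1.1.1 172.16.1.0 255.255.255.0
!
! Checks. First, the reply's question: is there an earlier static
! that already covers 10.1.1.1 and wins over the policy static?
show running-config static
! Existing translations for the host (stale entries are cleared
! with "clear xlate" after changing statics).
show xlate | include 10.1.1.1
! Simulate a remote client opening the FTP control channel and the
! server's reply path (assumption: packet-tracer exists on 7.2).
packet-tracer input outside tcp 172.16.1.10 1025 20.1.1.1 21
packet-tracer input inside tcp 10.1.1.1 21 172.16.1.10 1025
```

Both packet-tracer runs should show the NAT phase selecting the FTP_OVER_VPN static and the VPN phase matching Crypto_map; if NAT shows a different static, that is the earlier rule the reply asks about.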