Using NAT on a vpn tunnel

sbantz
Level 1

I have set up a few fw to fw vpns with success on my PIX 515 using address identity and pre-shared key. Now, I have run into a problem. We have a vendor that needs to access one of our private servers over a fw-fw vpn. The problem is, the private IP of the server is already in use by another customer they support. I know I am going to have to NAT to make this work. How do I go about setting this up?

Thanks in advance for any pointers.

1 Reply

gfullage
Cisco Employee

This is a management nightmare, but can be done. It is similar to this sample config showing how to do it using IOS routers:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

Don't have a sample for PIX-PIX, but the concept is the same. Let's say you have hosts 10.1.1.1 at both SiteA and SiteB, and they need to talk to each other. When SiteA wants to connect to SiteB they would connect to 11.1.1.1. When SiteB talks to SiteA they would talk to 12.1.1.1. The PIX is actually better than the routers for this because you can use the policy-NAT feature that came in in 6.3(2) to NAT the traffic going over the tunnel.

SiteA's config would look something like this:

access-list crypto permit ip 11.0.0.0 255.0.0.0 12.0.0.0 255.0.0.0
access-list policynat permit ip 10.0.0.0 255.0.0.0 12.0.0.0 255.0.0.0
static (inside,outside) 11.0.0.0 access-list policynat netmask 255.0.0.0
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer SiteB
crypto map mymap 10 match address crypto

Access-list "policynat" says that any traffic going from 10.0.0.0 to 12.0.0.0 will be NAT'd to 11.0.0.0. Access-list "crypto" then says that traffic from 11.0.0.0 to 12.0.0.0 will be sent over the tunnel. Remember that NAT happens BEFORE encryption, so this works fine. You would have a standard nat/global still for your Internet access.

When someone at SiteA pings 12.1.1.1, this will be routed to the PIX, the source will be NAT'd to 11.1.1.1, and it will be sent over the tunnel. The PIX at SiteB now needs to turn the destination into a 10.0.0.0 address, so its config is as follows:

access-list crypto permit ip 12.0.0.0 255.0.0.0 11.0.0.0 255.0.0.0
access-list policynat permit ip 10.0.0.0 255.0.0.0 11.0.0.0 255.0.0.0
static (inside,outside) 12.0.0.0 access-list policynat netmask 255.0.0.0
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer SiteA
crypto map mymap 10 match address crypto

The host at SiteB will receive the packet from 11.1.1.1. When it replies, this will be sent back to the PIX at SiteB, which will NAT the source back to 12.1.1.1 and send it over the tunnel.

As I said, this is a nightmare, particularly for your users as they have to be taught what host to connect to. Usually you can do this simply by adding local DNS entries for the appropriate hosts and IP addresses.
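As an added illustration (not part of gfullage's reply and not Cisco code), here is a small Python model of the two configs above: each site's "policynat" ACL rewrites the source before the "crypto" ACL decides what goes into the tunnel, and the static on the far side un-translates the destination. It walks a ping from SiteA's 10.1.1.1 to 12.1.1.1 and the reply back, and also checks that ordinary Internet traffic is left for the normal nat/global (which is not modeled). The /8 networks, host addresses and the `Pix` class are assumed for the model only.

```python
import ipaddress

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def rewrite(ip, old_net, new_net):
    """Net-to-net static: keep the host bits, swap the network prefix."""
    offset = int(ipaddress.ip_address(ip)) - int(ipaddress.ip_network(old_net).network_address)
    return str(ipaddress.ip_address(int(ipaddress.ip_network(new_net).network_address) + offset))

class Pix:
    """Constructed model of one site's PIX: policy NAT plus crypto ACL (assumed, not real PIX code)."""
    def __init__(self, inside, mapped, remote):
        self.inside, self.mapped, self.remote = inside, mapped, remote

    def outbound(self, src, dst):
        """Inside -> outside. Returns (src, dst, 'tunnel' | 'internet')."""
        # access-list policynat permit ip <inside> <remote>: NAT the source first
        if in_net(src, self.inside) and in_net(dst, self.remote):
            src = rewrite(src, self.inside, self.mapped)
        # access-list crypto permit ip <mapped> <remote>: NAT happens BEFORE encryption,
        # so the crypto ACL is evaluated against the translated source
        path = "tunnel" if in_net(src, self.mapped) and in_net(dst, self.remote) else "internet"
        return src, dst, path

    def inbound(self, src, dst):
        """Outside -> inside: the static un-translates the mapped destination."""
        if in_net(dst, self.mapped):
            dst = rewrite(dst, self.mapped, self.inside)
        return src, dst

# Both sites use 10.0.0.0/8 inside; SiteA is seen as 11/8, SiteB as 12/8 (values from the reply).
SITE_A = Pix("10.0.0.0/8", "11.0.0.0/8", "12.0.0.0/8")
SITE_B = Pix("10.0.0.0/8", "12.0.0.0/8", "11.0.0.0/8")

def round_trip(src="10.1.1.1", dst="12.1.1.1"):
    """Host 10.1.1.1 at SiteA pings 12.1.1.1; SiteB's own 10.1.1.1 answers."""
    a_src, a_dst, a_path = SITE_A.outbound(src, dst)        # 11.1.1.1 -> 12.1.1.1 via tunnel
    b_src, b_dst = SITE_B.inbound(a_src, a_dst)             # SiteB host sees 11.1.1.1 -> 10.1.1.1
    r_src, r_dst, r_path = SITE_B.outbound(b_dst, b_src)    # reply 12.1.1.1 -> 11.1.1.1 via tunnel
    h_src, h_dst = SITE_A.inbound(r_src, r_dst)             # SiteA host sees 12.1.1.1 -> 10.1.1.1
    return {"a_out": (a_src, a_dst, a_path), "b_sees": (b_src, b_dst),
            "b_out": (r_src, r_dst, r_path), "a_sees": (h_src, h_dst)}

if __name__ == "__main__":
    for step, value in round_trip().items():
        print(step, value)
```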