
Using NAT on PIX to hide VPN pools on Concentrator behind PIX inside int.

charlotteg
Level 1

I want to NAT all outgoing VPN traffic to the Internet for our VPN addressing pools, approximately 13 /24s. I would like the PIX outside interface to be what Internet users see, if possible. Is this possible, or must I use another IP? Also, would this be the correct syntax for implementation, or am I completely off?

ip address outside 10.10.10.1 255.255.255.248
ip address inside 10.20.10.1 255.255.255.248
static (inside,outside) 10.10.10.1 10.40.0.0 netmask 255.255.248.0
route inside 10.40.0.0 255.255.248.0 10.20.10.2 1

3 Replies

charlotteg
Level 1

Just wanted to make a revision to what I posted. From research, I think I'm looking at using PAT rather than NAT. But I don't want to PAT everything to the Internet, only specific networks. All the examples I find for PAT use a global statement for the PAT address or interface, and this is applied to everything going out. I am now looking at using a free IP in the outside interface network for PAT rather than the outside address. Does anyone have an example of implementing this?

You appear to have some confusion with your NAT and PAT needs. Your OP has a static command that directly maps all of your internal space to an outside space. This static statement would typically be found in an environment where no NAT is being used at all (nat 0).

If you do want/need to use NAT/PAT, look at the nat and global statements. You can set up multiple global pools and have various netblocks number them:

x.x.1.0 is end-user PCs; we want to PAT them to one IP.
x.x.2.0 is a collection of machines for which we want to use NAT.

global (outside) 1 x.x.3.1 netmask 255.255.255.0
global (outside) 2 x.x.3.2-x.x.3.20 netmask 255.255.255.0
nat (inside) 1 x.x.1.0 255.255.255.0
nat (inside) 2 x.x.2.0 255.255.255.0

So, we successfully use PAT (1 global IP) for the x.x.1.0 /24, and NAT (19 IPs) for the x.x.2.0 /24.

Matt
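To make the nat/global pairing in the reply above concrete, here is an added example (not PIX code and not part of the original thread): a small Python model that parses the two nat/global pairs, with the x.x.* placeholders replaced by constructed addresses (x.x.1.0 -> 10.1.1.0, x.x.2.0 -> 10.1.2.0, x.x.3.* -> 192.0.2.*), adds one nat 0 line to show the untranslated case, and reports for an inside source address whether its traffic to the outside is PAT'd to one address, NAT'd from a pool, left untranslated, or has no rule at all. The longest-prefix tie-break among overlapping nat networks is a simplification of this model, not the PIX's full rule order.

```python
"""Toy model of how a PIX 6.x pairs ``nat`` and ``global`` statements by ID.

Added example, not PIX code: parses nat/global lines and classifies
inside->outside traffic for a given source address.
"""
import ipaddress
import re

# Constructed stand-in for the reply's config: x.x.1.0 -> 10.1.1.0,
# x.x.2.0 -> 10.1.2.0, x.x.3.* -> 192.0.2.* (documentation range),
# plus a nat 0 line (added here) for the untranslated case.
SAMPLE_CONFIG = """
global (outside) 1 192.0.2.1 netmask 255.255.255.0
global (outside) 2 192.0.2.2-192.0.2.20 netmask 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 2 10.1.2.0 255.255.255.0
nat (inside) 0 10.1.3.0 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)(?: netmask (\S+))?")


def parse_config(text):
    """Return (nats, pools): nats is a list of (ifc, id, network);
    pools maps (ifc, id) -> list of IPv4Address in that global pool."""
    nats, pools = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            ifc, nat_id, net, mask = m.groups()
            nats.append((ifc, int(nat_id),
                         ipaddress.ip_network(f"{net}/{mask}", strict=False)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            ifc, gid, addrs, _netmask = m.groups()   # netmask not needed here
            if "-" in addrs:                         # a-b range -> address pool
                lo, hi = (int(ipaddress.ip_address(a)) for a in addrs.split("-"))
                pool = [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
            else:                                    # single address -> PAT
                pool = [ipaddress.ip_address(addrs)]
            pools.setdefault((ifc, int(gid)), []).extend(pool)
    return nats, pools


def translation_for(src, nats, pools, inside="inside", outside="outside"):
    """Classify inside->outside traffic from ``src``.

    Returns (kind, addresses), where kind is one of:
      "pat"          one global address shared by many hosts (port translation)
      "nat"          a pool of global addresses, one per active host
      "untranslated" nat 0: the real address is used unchanged
      "no-global"    a nat ID with no matching global on the outside interface
      "no-rule"      no nat statement covers src (with no static either,
                     the PIX has no translation for it)
    Simplification: among overlapping nat networks the longest prefix wins.
    """
    ip = ipaddress.ip_address(src)
    matches = [(n.prefixlen, nat_id) for ifc, nat_id, n in nats
               if ifc == inside and ip in n]
    if not matches:
        return "no-rule", []
    _, nat_id = max(matches)
    if nat_id == 0:
        return "untranslated", [ip]
    pool = pools.get((outside, nat_id))
    if not pool:
        return "no-global", []
    return ("pat" if len(pool) == 1 else "nat"), pool


if __name__ == "__main__":
    nats, pools = parse_config(SAMPLE_CONFIG)
    for host in ("10.1.1.5", "10.1.2.7", "10.1.3.9", "10.1.4.1"):
        kind, addrs = translation_for(host, nats, pools)
        print(f"{host:<10} {kind:<13} {len(addrs)} global address(es)")
```

Running it shows 10.1.1.5 mapped by PAT to the single address 192.0.2.1, 10.1.2.7 drawing from the 19-address pool 192.0.2.2-192.0.2.20, 10.1.3.9 passing untranslated, and 10.1.4.1 with no rule. One operational check the model cannot show: on PIX 6.x, existing translation entries are not rebuilt when nat, global or static lines are changed, so the documented follow-up after such a change is clear xlate.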

Yes, I was using the wrong statements. We are not running NAT and do use static statements for all networks. Now we need to use PAT for a specific network on our inside going to the outside. I tried implementing PAT by entering the following commands:

no static (inside,outside) x.x.1.0 x.x.1.0 netmask 255.255.255.0
global (outside) 1 x.x.2.1 netmask 255.255.255.255
nat (inside) 1 x.x.1.0 255.255.255.0 0 0

When this was done, people from the x.x.1.0/24 network could not go to the Internet. From what I read, this should have worked. We are running software version 6.2(2). I guess I will search bugs and open a TAC case unless anyone has any more suggestions.