cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1143
Views
0
Helpful
4
Replies

Using NAT to nat VPN IP Addresses to internal IPs given out to VPN Client

absolutecraze
Level 1
Level 1

Hi ,

I have an issue which i need some help about. I have users using the Cisco VPN CLient to connect back to our office network when they are out of of the office. The IP Address issued to them by the Cisco Pix when they tunnel in is 192.168.16.x . However , our internal network is using the 192.168.15.0/24 network. They have no issues accessing the internal resources but when they need to access our other servers which is connected via a MPLS line , they are unable to as the ACLS on the MPLS line only allow ip addressses from the 192.168.15.0/24 network to pass through. Getting the counterparts to edit the MPLS will be a total hassle. Therefore is there a way to translate the VPN IP address 192.168.16.x into a 192.168.15.x IP once the users are connected.

Thank you

4 Replies 4

Hi Shaun,

You can NAT the VPN traffic on the PIX.

The configuration will depend on which interface is the MPLS connection.

For example, if the VPN clients terminate on the outside interface, and the MPLS network is reached via the inside interface, then you:

nat (outside) 1 192.168.16.0 255.255.255.0 outside

global (inside) 1 interface

The configuration will change depending on the interfaces.

If both VPN and MPLS are reachable via the outside interface, you can reroute traffic back out the same interface (u-turn) if running 7.x or higher code.

Federico.

If I understand this question, this person wants to NAT the 192.168.16.x addresses to a 192.168.15.x address pool to match the ACL permit rule

on the MPLS routers.

If you do this, you will likely create duplicate addresses.  For example, if you have an internal host with an address of 192.168.15.20 and you have a VPN client that gets NAT'd to the same address, how will traffic be directed to the correct host?

It may be a hassle to do this, but I think a better option is to update the ACL on the MPLS routers.

HTH

Hi Federico ,

If i do it the way you advised , there would be a possibility of causing IP Conflicts in the environment. Is there any way that i can use a pool of defined ip addresses instead, Thank you

Federico provided you with a method that uses Port Address Translation to overload the 192.168.16.x range to the inside interface of the PIX, which has an address in the 192.168.15.x range.  Using this method will not result in a duplication of addresses and will solve your problem with the MPLS ACL.  My response was meant to explain why you would not want to use NAT to translate the 192.168.16.x range into the 192.168.15.x range because you would be at risk of duplicating addresses.

Your VPN clients are less trusted than hosts on your internal network.  From a security standpoint, I think you are better off not hiding the VPN client addresses behind the trusted address of the inside interface of the PIX.

HTH