VPN and NAT

rodrigo.hernandez · ‎08-18-2006

Is possible NAT a IP address , and the same time , make VPN with that address .

By sample , my customer donn?t want that the ip x.x.x.x was reached from the otre site ( through VPN ) , ELSE , he want that the IP address be know like y.y.y.y . And the y.y.y.y go in the crypto access-list and the nat (0) .

In PIX is possible to make that .

Regards

syediahm · ‎08-19-2006

You simply dont need to put a nat(0) entry for the vpn traffic. Create a 1to1 mapping and use the natted address in the access-list defining interested traffic.

eg

static (inside,outside) y.y.y.y x.x.x.x netmask 255.255.255.255 0 0

access-list 152 permit ip host y.y.y.y

crypto map testmap 52 ipsec-isakmp

crypto map testmap 52 match address 152

crypto map testmap 52 set peer

crypto map testmap 52 set transform-set

Thanks

Syed

mustafa_nbk · ‎09-09-2006

Hi,

If you use static nat as above, this x.x.x.x will not able to translate to any other ip address (real IP Address) for other destination.Instead of making static nat use the dynamic nat as below.

access-list 150 permit ip host x.x.x.x

static(inside,outside) y.y.y.y access-list 150

Thanks,

Mustafa