Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
377
Views
0
Helpful
1
Replies

VPN - proxy public address for NAT

Phil Williamson
Level 1
Level 1

‎12-21-2009 09:19 AM

I have a /29 public block on a PIX515

A partner says I must proxy/NAT one of the public IPs in the tunnel instead of the internal private addresses

Do I just need the additional global and a static NAT for the tunnel?

Labels:
0 Helpful
1 Reply 1

Ivan Martinon
Level 7
Level 7

‎12-21-2009 11:20 AM

You would need to use policy nat/static nat in order to differentiate when traffic will use that IP address only when going to the tunnel, something like

access-list VPN permit ip

static (inside,outside) Y.Y.Y.Y acces-list VPN

and the crypto map will use that Y.Y.Y.Y as the source of the vpn traffic.

Now one little catch here, if you are going to use a single ip address, then PAT is required and the config will change, causing this not being bidirectional (only replies to traffic from your inside network will come back, not traffic originated from the remote network) for PAT use

access-list VPN permit ip

nat (inside) X access-list VPN

global (outside) X Y.Y.Y.Y

hth

Ivan

0 Helpful
Customers Also Viewed These Support Documents