PIX: NAT inside VPN tunnel (515e)

 
 
Markus Marquardt
      07-21-2005
Hello,

Maybe this is a newbie question, but I was unable to find an answer in
all the PIX documentation about this - I'm still lacking a "big
picture" of how all the services on the PIX work together:

The PIX has one outside interface with a public IP address and one
inside interface with a private IP address, let's say 192.168.0.1/24.
The tunnel should connect the local network with a remote network
(10.0.0.0/24). Now - for administration reasons - I want to use NAT to
hide my private 192.168.0.0/24 network in the VPN tunnel so that the
other side sees some other address (i.e. 10.1.0.0/24) instead.

My understanding of (static) NAT on the PIX so far is that it's only
possible between two interfaces.

Is it possible to configure this scenario?

Regards,
Markus
 
 
 
 
 
Jyri Korhonen
      07-21-2005
Markus Marquardt wrote:

> The PIX has one outside interface with a public IP address
> and one inside interface with a private IP address, let's
> say 192.168.0.1/24. The tunnel should connect the local
> network with a remote network (10.0.0.0/24). Now - for
> administration reasons - I want to use NAT to hide my private
> 192.168.0.0/24 network in the VPN tunnel so that the other
> side sees some other address (i.e. 10.1.0.0/24) instead.
>
> My understanding of (static) NAT on the PIX so far is,
> that it's only possible between two interfaces.
>
> Is it possible to configure this scenario?


Yes, and there are two ways to do it:

1. Policy NAT. Walter has tested that this will work even
if the connection is initiated from the remote LAN.

access-list VPN_NAT permit ip [FROM] [TO]
nat (inside) X access-list VPN_NAT
global (outside) X [NAT_IP] [MASK]

(where X is a number, but not 0)

2. Static NAT, because "nat (inside) 0" will override this
if you need both NATted and non-NATted VPN accesses.

static (inside,outside) [NAT_IP] [FROM] netmask 255.255.255.255

Check the NAT order table from the below link. Then
you can select the method that suits you best.

http://www.cisco.com/univercd/cc/td/....htm#wp1032129
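Added example, not part of the original posts: the two templates above filled in with the addresses from the question (192.168.0.0/24 local, 10.0.0.0/24 remote, 10.1.0.0/24 as seen by the remote side), plus the crypto ACL, which has to match the translated source because NAT is applied before the IPsec match. The NAT ID 1, the pool range, the host 192.168.0.10 and the names VPN_CRYPTO and VPN_MAP are assumptions chosen for illustration.

```cisco
: Lines starting with ":" are comments.

: Traffic to translate: local LAN to the remote LAN only.
: Other outbound traffic does not match and keeps its existing NAT rules.
access-list VPN_NAT permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

: Method 1 (policy NAT): translate matching traffic into a pool
: taken from 10.1.0.0/24. NAT ID 1 is an assumed value (any non-zero ID).
nat (inside) 1 access-list VPN_NAT
global (outside) 1 10.1.0.1-10.1.0.254 netmask 255.255.255.0

: Method 2 (static NAT): one fixed mapping per host.
: 192.168.0.10 is a constructed sample host.
static (inside,outside) 10.1.0.10 192.168.0.10 netmask 255.255.255.255

: Crypto ACL: match the translated source (10.1.0.0/24), not 192.168.0.0/24.
: The remote peer needs the mirror image (10.0.0.0/24 to 10.1.0.0/24).
access-list VPN_CRYPTO permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map VPN_MAP 10 match address VPN_CRYPTO

: If a NAT exemption is already bound with "nat (inside) 0 access-list ...",
: that ACL must not permit 192.168.0.0/24 to 10.0.0.0/24. Exemption is
: evaluated first in the NAT order, so matching traffic would enter the
: tunnel untranslated and miss VPN_CRYPTO.
```

After applying, `show xlate` shows whether the 10.1.0.x translations are being created, and `show crypto ipsec sa` shows whether the security association was negotiated for the translated network.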
 