PIX 6.3(5) NAT Headache

Discussion in 'Cisco' started by Darren, Apr 24, 2008.

  1. Darren

    Darren Guest

    Due to some inflexibility on the part of a 3rd party I am faced with
    adding NAT complexity to what was going to be a simple solution (public
    to public VPN).

    My network has a PIX pair running 6.3(5). There are several interfaces
    and lots of NAT, Policy NAT etc. To keep things simple the points of
    interest are...

    static (inside,outside) 62.X.X.1 172.16.1.1 netmask 255.255.255.255
    static (inside,outside) 62.X.X.2 172.16.1.2 netmask 255.255.255.255

    Originally my crypto-acl was going to use these 2 x public IP's. Now the
    remote end is telling me that they will not do a public to public
    connection and they insist that....

    Their users will come from say 10.1.1.0/24 (on the outside) and will
    target the above hosts 62.X.X.1 & .2 by the address 172.23.1.1 & 2
    respectively.

    So on my PIX I have to say, anything from a source address of
    10.1.1.0/24 targeting a destination address of 172.23.1.1 & .2 NAT to
    the real addresses of 172.16.1.1 & .2.

    My second problem is I may have to modify the source address of the
    traffic (10.1.1.0/24) as the main site I control uses various ranges in
    10.0.0/8. With this in mind I take it I would need outside NAT.

    Any help appreciated here.

    I'm off to blow the dust off my PIX book now to see if I can find a good
    example or two.

    Regards

    Darren
     
    Darren, Apr 24, 2008
    #1

  2. Darren

    networkzman Guest

    Hello Darren,

    We could achieve this by adding a no nat access rule.
    E.g.:

    http://www.cisco.com/warp/public/110/38.html

    Thanks

     
    networkzman, Apr 25, 2008
    #2
