PIX: NAT inside VPN tunnel (515e)

Discussion in 'Cisco' started by Markus Marquardt, Jul 21, 2005.

  1. Hello,

    Maybe this is a newbie question, but I was unable to find an answer in
    all the PIX documentation about this. I still lack a "big
    picture" of how all the services on the PIX work together:

    The PIX has one outside interface with a public IP address and one
    inside interface with a private IP address, let's say 192.168.0.1/24.
    The tunnel should connect the local network with a remote network
    (10.0.0.0/24). Now, for administration reasons, I want to use NAT to
    hide my private 192.168.0.0/24 network in the VPN tunnel so that the
    other side sees some other address (i.e. 10.1.0.0/24) instead.

    My understanding of (static) NAT on the PIX so far is that it is only
    possible between two interfaces.

    Is it possible to configure this scenario?

    Regards,
    Markus
    Markus Marquardt, Jul 21, 2005
    #1

  2. Markus Marquardt <> wrote:

    > The PIX has one outside interface with a public IP address
    > and one inside interface with a private IP address, let's
    > say 192.168.0.1/24. The tunnel should connect the local
    > network with a remote network (10.0.0.0/24). Now, for
    > administration reasons, I want to use NAT to hide my private
    > 192.168.0.0/24 network in the VPN tunnel so that the other
    > side sees some other address (i.e. 10.1.0.0/24) instead.
    >
    > My understanding of (static) NAT on the PIX so far is
    > that it is only possible between two interfaces.
    >
    > Is it possible to configure this scenario?


    Yes, and there are two ways to do it:

    1. Policy NAT. Walter has tested that this will work even
    if the connection is initiated from the remote LAN.

    access-list VPN_NAT permit ip [FROM] [TO]
    nat (inside) X access-list VPN_NAT
    global (outside) X [NAT_IP] [MASK]

    (where X is a number, but not 0)

    2. Static NAT, because "nat (inside) 0" will override this
    if you need both NATted and non-NATted VPN accesses.

    static (inside,outside) [NAT_IP] [FROM] netmask 255.255.255.255

    Check the NAT order table at the link below. Then
    you can select the method that suits you best.

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1032129
    Jyri Korhonen, Jul 21, 2005
    #2
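Filling in Jyri's two templates with the addresses from the question, as an added example that is not part of either post (the peer address, pre-shared key and the crypto map / transform-set names are placeholders; the NAT IDs and ACL names are assumed):

```cisco
! Added example, not from the thread. PIX 6.3 syntax.
! Inside 192.168.0.0/24 is presented to the remote 10.0.0.0/24 as 10.1.0.0/24
! inside the tunnel. PEER_IP and PRESHARED_KEY_PLACEHOLDER are placeholders.

! --- Option 1: policy NAT (Jyri's first method) ---
! Only traffic from 192.168.0.0/24 towards the remote LAN is translated.
! The NAT ID (2 here) is arbitrary but must not be 0, since 0 means "exempt from NAT".
access-list VPN_NAT permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 2 access-list VPN_NAT
global (outside) 2 10.1.0.1-10.1.0.254 netmask 255.255.255.0

! --- Option 2: static net-to-net NAT (Jyri's second method) ---
! Fixed one-to-one mapping 192.168.0.x <-> 10.1.0.x for the whole /24.
! Use one option or the other, not both; uncomment this line if you choose option 2.
! static (inside,outside) 10.1.0.0 192.168.0.0 netmask 255.255.255.0

! --- Crypto ACL: must match the TRANSLATED addresses ---
! On the PIX, outbound traffic is translated before the crypto map is consulted,
! so "interesting traffic" is 10.1.0.0/24 <-> 10.0.0.0/24, not 192.168.0.0/24.
! The remote side's crypto ACL must be the mirror image of this one.
access-list VPN_TRAFFIC permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0

! --- IPsec / IKE (placeholders; match the policy to the remote peer) ---
sysopt connection permit-ipsec
crypto ipsec transform-set TS esp-aes-256 esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN_TRAFFIC
crypto map VPNMAP 10 set peer PEER_IP
crypto map VPNMAP 10 set transform-set TS
crypto map VPNMAP interface outside
isakmp enable outside
isakmp key PRESHARED_KEY_PLACEHOLDER address PEER_IP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

After bringing the tunnel up from an inside host, `show xlate` should list a 192.168.0.x to 10.1.0.x translation and `show crypto ipsec sa` should show the 10.1.0.0/24 proxy identity with non-zero encrypt counters; if the SA never forms, the usual cause is a crypto ACL written with the untranslated 192.168.0.0/24 addresses. If the same PIX also carries a non-NATted tunnel with `nat (inside) 0 access-list`, compare both rules against the NAT order table Jyri links before deciding between the two options.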
