PIX 506e VPN Tunnel - Can This Be Done

Discussion in 'Cisco' started by darrenfgreen, May 1, 2007.

  1. darrenfgreen

    I have to set up a site-to-site VPN, standard stuff really.
    However.... on my remote PIX I have been asked not to enable the NAT
    or Global commands.

    The PIX has a /29 address on its inside interface and a
    public IP address on its outside interface. My crypto ACLs permit
    traffic from this LAN to a remote LAN. The PIX then tunnels the
    traffic to the remote firewall peer (another PIX).

    Ordinarily I would have nonat statements in my config but not so in
    this case. The PIX will not provide any Internet connectivity, it is
    simply there to provide this 1 x VPN connection.

    Is this valid? I aim to lab it up tomorrow but my curiosity is getting
    the better of me.


    darrenfgreen, May 1, 2007

  2. In PIX 6, in order for inside traffic to get out, one of the
    following must be configured:

    - nat 0 access-list
    - a static IP
    - static PAT
    - nat non-0 with an access-list
    - nat 0 (without an access-list), or a nat/global pair

    (The above is highest priority to lowest)

    If you cannot (for whatever obscure reasons) use 'nat' or 'global'
    statements in the configuration, then you will need to use
    'static' in order to provide the necessary address translation
    for inside traffic heading out. This is true even for VPN traffic:
    the VPN portion of it will not be considered until after address
    translation has been processed, and if you have no address
    translation then the packets will not reach the VPN layer.

    Unfortunately, you cannot static an entire IP address to the
    interface IP (you need a second public IP if you want to static
    an entire internal IP.) Therefore, in order to meet your
    constraints, you will have to use static PAT:

    static (inside,outside) tcp interface PORT INTERNALIP PORT netmask
    static (inside,outside) udp interface PORT INTERNALIP PORT netmask

    You will not be able to get icmp or any protocol other than TCP or UDP
    to translate in this situation.
    Walter Roberson, May 2, 2007
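The constrained configuration the reply describes, written out as an added example (editor's illustration, not part of either post and not a tested production config). It assumes PIX OS 6.3 syntax; the addresses are RFC 5737 documentation ranges constructed for the example (outside 203.0.113.10/24, inside 192.0.2.0/29, remote peer 198.51.100.5 fronting 10.10.10.0/24), and the published ports, ACL name `vpn`, map name `sitemap` and transform-set name `strong` are placeholders.

```cisco
! Remote PIX: no 'nat' and no 'global' lines anywhere, as the poster requires.
! Addresses below are constructed RFC 5737 examples, not real ones.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.0.2.1 255.255.255.248
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Static PAT to the outside interface address, one line per TCP/UDP port that
! must cross the tunnel. Only these ports get a translation; ICMP and any
! other protocol have none and are dropped before the crypto map sees them.
static (inside,outside) tcp interface 22 192.0.2.2 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.0.2.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 161 192.0.2.2 161 netmask 255.255.255.255 0 0

! The crypto ACL is evaluated after translation, so it must match the
! translated source (the outside interface IP), not the 192.0.2.0/29 LAN.
access-list vpn permit ip host 203.0.113.10 10.10.10.0 255.255.255.0

! Let decrypted tunnel traffic bypass the interface ACL, then standard IKE/IPsec.
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto map sitemap 10 ipsec-isakmp
crypto map sitemap 10 match address vpn
crypto map sitemap 10 set peer 198.51.100.5
crypto map sitemap 10 set transform-set strong
crypto map sitemap interface outside
isakmp enable outside
isakmp key ******** address 198.51.100.5 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two things to check when labbing this. First, the peer's crypto ACL has to mirror the translated address, i.e. `permit ip 10.10.10.0 255.255.255.0 host 203.0.113.10`; the remote LAN only ever sees the interface IP, never the /29. Second, a port static is matched on the port it names, so confirm with `show xlate` and `show crypto ipsec sa` which direction actually gets a translation: connections from the remote LAN to the published ports should work, while connections initiated from an inside host on an ephemeral source port may have no translation and never enter the tunnel. If the latter matters, that is the case for a second public IP and a full `static`, as the reply says.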
