PIX: NAT inside VPN tunnel (515e)

Discussion in 'Cisco' started by Markus Marquardt, Jul 21, 2005.

  1. Hello,

    Maybe this is a newbie question, but I was unable to find an answer in
    all the PIX documentation about this - I still lack a "big
    picture" of how all the services on the PIX work together:

    The PIX has one outside interface with a public IP address and one
    inside interface with a private IP address, let's say 192.168.0.1/24.
    The tunnel should connect the local network with a remote network
    (10.0.0.0/24). Now - for administration reasons - I want to use NAT to
    hide my private 192.168.0.0/24 network in the VPN tunnel so that the
    other side sees some other address (i.e. 10.1.0.0/24) instead.

    My understanding of (static) NAT on the PIX so far is that it's only
    possible between two interfaces.

    Is it possible to configure this scenario?

    Regards,
    Markus
     
    Markus Marquardt, Jul 21, 2005
    #1

  2. Yes, and there are two ways to do it:

    1. Policy NAT. Walter has tested that this will work even
    if the connection is initiated from the remote LAN.

    access-list VPN_NAT permit ip [FROM] [TO]
    nat (inside) X access-list VPN_NAT
    global (outside) X [NAT_IP] [MASK]

    (where X is a number, but not 0)

    2. Static NAT, because "nat (inside) 0" will override this
    if you need both NATted and non-NATted VPN accesses.

    static (inside,outside) [NAT_IP] [FROM] netmask 255.255.255.255

    Check the NAT order table at the link below. Then
    you can select the method that suits you best.

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1032129
     
    Jyri Korhonen, Jul 21, 2005
    #2
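
Added example, not part of either post: the policy NAT method from the reply filled in with the addresses from the question (PIX 6.3 syntax), plus the crypto ACL that has to match the translated source. The NAT id 5, the pool range, the ACL name VPN_CRYPTO and the crypto map name and sequence VPNMAP 10 are assumptions made for illustration.

```cisco
: Constructed example. Real inside net 192.168.0.0/24 is presented
: to the remote LAN 10.0.0.0/24 as 10.1.0.0/24.

: Policy NAT: translate only traffic headed for the remote LAN.
: Use a NAT id that is not already used for Internet traffic.
access-list VPN_NAT permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 5 access-list VPN_NAT
global (outside) 5 10.1.0.1-10.1.0.254 netmask 255.255.255.0

: The PIX translates before it selects traffic for IPsec, so the
: crypto ACL must name the translated network, not 192.168.0.0/24.
access-list VPN_CRYPTO permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map VPNMAP 10 match address VPN_CRYPTO

: A "nat (inside) 0 access-list" entry that also matches this traffic
: is evaluated first and exempts it from translation, so the packets
: leave with their 192.168.0.x source and miss VPN_CRYPTO.

: Checks after bringing the tunnel up:
:   show xlate              inside hosts appear with 10.1.0.x global addresses
:   show crypto ipsec sa    local ident reads 10.1.0.0/255.255.255.0
```

The remote peer's crypto ACL and routing have to mirror this, with 10.1.0.0/24 as the far-side network.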