PIX: NAT inside VPN tunnel (515e)

Discussion in 'Cisco' started by Markus Marquardt, Jul 21, 2005.

  1. Hello,

    maybe this is a newbie question, but I was unable to find an answer in
    all the PIX documentation about this - I'm still lacking a "big
    picture" of how all the services on the PIX work together:

    The PIX has one outside interface with a public IP address and one
    inside interface with a private IP address, let's say
    The tunnel should connect the local network with a remote network
    ( Now - for administration reasons - I want to use NAT to
    hide my private network in the VPN tunnel so that the
    other side sees some other address (ie instead.

    My understanding of (static) NAT on the PIX so far is that it's only
    possible between two interfaces.

    Is it possible to configure this scenario?

    Markus Marquardt, Jul 21, 2005

  2. Yes, and there are two ways to do it:

    1. Policy NAT. Walter has tested that this will work even
    if the connection is initiated from the remote LAN.

    access-list VPN_NAT permit ip [FROM] [TO]
    nat (inside) X access-list VPN_NAT
    global (outside) X [NAT_IP] [MASK]

    (where X is a number, but not 0)

    2. Static NAT, because "nat (inside) 0" will override this
    if you need both NATted and non-NATted VPN accesses.

    static (inside,outside) [NAT_IP] [FROM] netmask

    Check the NAT order table from the below link. Then
    you can select the method that suits you best.

    Jyri Korhonen, Jul 21, 2005
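
The policy NAT option from the reply above, filled in as an added example that is not part of the original posts. All addresses are constructed, and the NAT id 5, the names VPN_CRYPTO, VPNMAP and ESP-AES256-SHA, and an already configured ISAKMP policy and pre-shared key for the peer are assumptions. It shows the two points that usually break this setup: the crypto ACL has to match the translated source, and an existing "nat (inside) 0" exemption must not cover the same traffic.

```cisco
! Constructed addressing (not from the thread):
!   local inside LAN         192.168.10.0/24
!   range shown to the peer  10.99.10.0/24
!   remote LAN               10.50.0.0/24
!   peer public address      203.0.113.2

! 1. Policy NAT: translate the inside LAN only when the destination
!    is the remote LAN. Other outbound traffic keeps its normal NAT.
access-list VPN_NAT permit ip 192.168.10.0 255.255.255.0 10.50.0.0 255.255.255.0
nat (inside) 5 access-list VPN_NAT
global (outside) 5 10.99.10.1-10.99.10.254 netmask 255.255.255.0

! 2. NAT is applied before the crypto map is consulted, so the
!    crypto ACL must name the translated range as the source,
!    not 192.168.10.0/24. The peer mirrors this ACL.
access-list VPN_CRYPTO permit ip 10.99.10.0 255.255.255.0 10.50.0.0 255.255.255.0

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN_CRYPTO
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set ESP-AES256-SHA
crypto map VPNMAP interface outside

! 3. If a "nat (inside) 0 access-list ..." exemption is configured for
!    other tunnels, make sure its ACL has no entry that matches
!    192.168.10.0/24 -> 10.50.0.0/24, or the exemption takes effect
!    and the real addresses are sent instead.

! 4. Checks after sending traffic through the tunnel:
!    show xlate             (inside hosts mapped into 10.99.10.x)
!    show crypto ipsec sa   (local ident 10.99.10.0/255.255.255.0,
!                            encaps/decaps counters increasing)
```

If the local ident in "show crypto ipsec sa" still shows 192.168.10.0, the traffic was not translated before encryption, which points to step 3.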