Can you NAT traffic to go down a vpn?

Status
Not open for further replies.

chicocouk

MIS
Aug 19, 2002
331
GB
I've got a vpn between a cisco 3000 series vpn concentrator and a pix 501 firewall. The internal range behind my concentrator is 10.0.0.0/16 and the internal range behind my pix is 10.2.1.0/24.

On the concentrator there's a feature called "LAN to LAN tunnel NAT rules". Using this, I can set the concentrator up so that to the pix it looks like the internal range behind my concentrator is 20.0.0.0/16. In other words, if you're on the internal network behind the pix and you ping 20.0.0.66 down the tunnel, you'll get a reply from the box I have sitting on 10.0.0.66. So it's NAT-ing traffic that goes down the tunnel one way.

What I want to know is, can I also do this on the pix? Can the pix NAT traffic that's to go down the vpn? Effectively I want to be able to have the network behind the pix present itself to my concentrator network as 10.5.1.0, e.g. if I ping 10.5.1.10 from my concentrator internal network, I'll get a reply from the machine sitting on 10.2.1.0.

Is this possible?

Can anyone even understand my (very bad) description of the situation?

Thanks

Iain
 
Sure, just configure a static that is network-wide, like so (mapped address first, then the real address, with the /24 mask):
static (inside,outside) 10.5.1.0 10.2.1.0 netmask 255.255.255.0 0 0

Jan

Network Systems Engineer
CCNA/CQS
 
Hi,

Thanks for the thought, but that won't work. To clarify a bit further, there's a split tunnel, if you like: a vpn to a remote site, and also access to the internet. Internet traffic is PAT-ed on the outside interface. The problem is how to ALSO NAT traffic intended to go down the vpn. I'm not clear if this is possible or not; I can find no documentation on Cisco's website as to how to do it.

Thanks

Chico
 
I have never done this, but my opinion is that you should also exclude traffic from 10.2.1.0 to 20.0.0.0 from the 'no-nat' process, that is, in 'inside_outbound_nat0_acl' suppress the line with that source and destination. If you use PDM, when constructing the IPSec rules this line in the ACL is configured by default. And, as the crypto process is done after NATting, in the crypto map the source must be 10.5.1.0 and destination 20.0.0.0.

D.
 
Prior to 6.3(3) you would not be able to achieve this task, since you were only able to NAT based on source and not on destination. With 6.3(3) you are able to configure policy NAT. In a nutshell... you configure the PIX to NAT traffic destined to 20.0.0.X, and if it goes to the Internet then it uses a different NAT rule. Click on the link below for information on policy NAT:

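The approach the two replies above describe (drop the nat 0 exemption for the tunnel destination, translate with a policy static, and write the crypto ACL against the translated source), put together as one PIX 6.3(3) fragment. This is an added example and not a configuration from this thread or from Cisco; the interface and ACL names, the transform set, the peer address 192.0.2.1 and the pre-shared key are assumptions, and the original poster reports further down that they could not get such a setup to work on their PIX.

```cisco
! Added example (not from this thread): PIX 6.3(3) policy NAT for traffic entering the
! LAN-to-LAN tunnel. Addresses from the thread: inside 10.2.1.0/24 (real), 10.5.1.0/24
! (what the far side should see), far side 20.0.0.0/16 (the concentrator's NAT'd range).
! Assumed placeholders: peer 192.0.2.1, transform set ESP-3DES-SHA, ACL names.

! 1. Internet-bound traffic is still PAT-ed on the outside interface (unchanged).
nat (inside) 1 10.2.1.0 255.255.255.0 0 0
global (outside) 1 interface

! 2. NAT exemption. Remove the PDM-generated exemption for the tunnel destination;
!    a nat 0 match is evaluated before statics and would bypass the translation below.
no access-list inside_outbound_nat0_acl permit ip 10.2.1.0 255.255.255.0 20.0.0.0 255.255.0.0
! (keep 'nat (inside) 0 access-list inside_outbound_nat0_acl' only if other exempt
!  destinations remain in that ACL)

! 3. Policy static: translate 10.2.1.0/24 to 10.5.1.0/24 one-to-one, but only when
!    the destination is the far side of the tunnel. Replies from 20.0.0.0/16 to
!    10.5.1.x are untranslated back to 10.2.1.x by the same static.
access-list vpn_policy_nat permit ip 10.2.1.0 255.255.255.0 20.0.0.0 255.255.0.0
static (inside,outside) 10.5.1.0 access-list vpn_policy_nat 0 0

! 4. Crypto ACL: matched after translation, so the source is the translated range.
access-list outside_cryptomap_20 permit ip 10.5.1.0 255.255.255.0 20.0.0.0 255.255.0.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.0.2.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

isakmp enable outside
isakmp key ******** address 192.0.2.1 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

! 5. Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

The concentrator side has to change to match: the LAN-to-LAN entry's remote network must become 10.5.1.0/24 instead of 10.2.1.0/24, otherwise the phase 2 proxy identities will not agree and the SA will not come up. To check the PIX end, ping 20.0.0.66 from a host behind it and look at `show xlate` for a 10.2.1.x to 10.5.1.x entry, then `show crypto ipsec sa` for local ident 10.5.1.0/255.255.255.0 and remote ident 20.0.0.0/255.255.0.0 with non-zero encaps/decaps counters. If the xlate never appears, the nat 0 exemption for that destination is almost certainly still in place.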
 
Sorry to take so long to get back to this, but none of these suggestions so far will work.

You use NAT exemption (a nat 0 command, NOT identity NAT) to exclude traffic that goes down a vpn from being NAT-ed. In that way you can ping from end to end, from a client on the local network to a client on the destination network, and it goes down the vpn.

With this in place it takes precedence over both static and policy NAT rules.

I don't think this can be done; I've yet to find a working config that shows how it can be achieved. Oh well, hopefully it will come in as a feature in future.
 