help with NAT for tunnel traffic on 515

Status
Not open for further replies.

515user
Oct 19, 2001
I have set up an IPSEC/IKE VPN to a peer gateway.

I am trying to set up NAT for the network behind the PIX.
My internal network is 192.168.20.x and I would like to NAT this to 172.16.2.x going into the tunnel.

192.168.20.x ---PIX --tunnel ----- Peer gateway---- 10.10.10.x

I am trying to NAT all 192.168.20.x addresses to 172.16.2.x addresses only for tunnel traffic to the remote gateway.

Looking for help with the NAT/GLOBAL commands.

Thanks

 
Hi.

Why not use nat 0 (no nat) for the VPN traffic?

access-list nonat permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat



Anyway, remember that you should allow incoming VPN packets from the outside interface in one of two options:
A. use access-lists/conduit for specific traffic.
B. use the command "sysopt connection permit-ipsec".



Bye
Yizhar Hurwitz
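
An added example, not part of the thread: a small Python model of how the two lines in the reply above select traffic for NAT exemption, so you can check which flows bypass NAT before applying them. It assumes first-match ACL evaluation and handles only `ip` entries in network/mask form; the function names and the test addresses are constructed for illustration.

```python
import ipaddress

# The two lines from the reply above, copied verbatim.
CONFIG = """\
access-list nonat permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'ip' entries."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        # access-list <name> <permit|deny> ip <src> <mask> <dst> <mask>
        if len(tok) == 8 and tok[0] == "access-list" and tok[3] == "ip":
            src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")
            dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}")
            acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def nat0_acls(config, interface="inside"):
    """Names of ACLs bound by 'nat (<interface>) 0 access-list <name>'."""
    names = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 5 and tok[:4] == ["nat", f"({interface})", "0", "access-list"]:
            names.append(tok[4])
    return names

def is_nat_exempt(config, src_ip, dst_ip):
    """True if the flow matches a permit entry in a nat 0 ACL (left untranslated)."""
    acls = parse_acls(config)
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for name in nat0_acls(config):
        for action, src_net, dst_net in acls.get(name, []):
            if src in src_net and dst in dst_net:
                return action == "permit"  # first matching entry decides
    return False  # no match: the ordinary nat/global rules apply

if __name__ == "__main__":
    # Constructed sample flows: one into the tunnel, one to another destination.
    for flow in [("192.168.20.5", "10.10.10.7"), ("192.168.20.5", "198.51.100.9")]:
        print(flow, "exempt from NAT:", is_nat_exempt(CONFIG, *flow))
```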
 
IPSec does not work well with NAT. That's why, when you specify nat 0, you actually disable NAT for the traffic described in the access list.
 