
help with NAT in a VPN


515user (Oct 19, 2001)
I have a VPN established to another IPSEC device without NAT.
Partial PIX config, version 6.1:

nat (inside) 0 access-list 101
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

where 192.168.1.0 is the subnet on the inside of the PIX.

How do I NAT the 192.168.1.0 range to a 172.16.3.0 range
and pass this in the VPN to 192.168.2.0?

thanks in advance
 
Adding the line:

nat (inside) 1 0.0.0.0 0.0.0.0

will NAT everything on the inside interface out, EXCEPT traffic destined to 192.168.2.0, since that is explicitly turned off in your nat (inside) 0 statement.

You will also have to have a global statement as well to give it an IP to NAT/PAT on, i.e.:

global (outside) 1 <Diff IP of PIX/IP Range>

Iota
 
Iota,
Could you elaborate
I want to NAT my 192.168.1.0/24 to 172.16.2.0/24 ONLY when destined to 192.168.2.0 through the VPN.
All encrypted traffic through the VPN for 192.168.2.0 should have a source of 172.16.2.0 (not 192.168.1.0).

thanks

 
To the best of my knowledge, it cannot be done that way on the PIX.

NATing takes place when going from a higher to a lower security interface, and through a VPN that doesn't occur. Furthermore, you can only have one address space for your global NAT, i.e. you cannot NAT to one address in subnet A for certain IPs and NAT to another address in subnet B for other IPs. In order to create a 1-to-1 correspondence, you'd have to create static mappings, and again, static mappings only work between two interfaces of different security levels, more specifically for traffic traveling from a lower security level to a higher security level.

You would probably have better luck doing it on a router before getting to the PIX/VPN tunnel.

Just curious, but why do you want to NAT through a VPN tunnel when the two sides are on different subnets? Maybe there is a better solution to the problem if you can explain the problem in more detail.

Iota
 
Iota,
I have 2 sites with the same internal subnets and was hoping I could overcome this by NATing one subnet when going through the VPN.
I was able to accomplish this by replacing one PIX with a 2600 router running IOS 12.1.

I was hoping that the PIX could provide me the same NAT features
thanks again
 
HI.

A network diagram will help understanding the issue here.

Anyway, if I get it right, then why not use the registered external (GLOBAL 1) address also for VPN traffic?
That way you don't need nat 0, and you don't have a problem of address conflict if you have a STATIC mapping at the other side for the server you need access to.

Bye
Yizhar Hurwitz
 
Thanks for all your inputs. Here is the setup:

LAN (192.168.1.0) --> FW (not a PIX) --> WAN (209.x.x.1) ----> 208.x.x.1 (WAN) <-- PIX <-- LAN (192.168.1.0)

If NAT is not possible on the PIX, maybe I should try NAT on the other end.

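The thread boils down to an order-of-operations question: the source address has to be rewritten before the packet is matched against the crypto ACL, and a nat 0 exemption for the flow prevents any rewrite at all. The Python model below is an added example, not configuration from this thread or from any Cisco document, and it does not claim any particular PIX or IOS syntax. It uses the thread's own address ranges (192.168.1.0/24 at both sites, 172.16.2.0/24 and 172.16.3.0/24 as the translated ranges, 192.168.2.0/24 as the original peer LAN); the Site and Rule classes, the function names, and the assumption that NAT exemption is checked before a one-to-one network static are choices made here to illustrate the point.

```python
"""Model of the translate-then-encrypt pipeline discussed in the thread (added example).

Three things it demonstrates, using the thread's addresses:
  1. a 'nat 0' exemption that matches the flow stops any translation of it,
  2. a destination inside the local subnet is routed locally and never reaches
     the tunnel (why two sites on 192.168.1.0/24 cannot talk without NAT),
  3. the crypto ACL is evaluated against the *translated* source, so both ends
     must write their crypto ACLs in the translated ranges.
Class, function and field names are invented for this example; nothing here is
PIX or IOS syntax.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One 'permit ip <src-net> <dst-net>' line of an access-list."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, s: IPv4Address, d: IPv4Address) -> bool:
        return s in self.src and d in self.dst


def rule(src: str, dst: str) -> Rule:
    return Rule(ip_network(src), ip_network(dst))


@dataclass
class Site:
    """A firewall at one end of the tunnel (hypothetical model)."""
    name: str
    inside: IPv4Network
    nat_exempt: List[Rule] = field(default_factory=list)                  # like 'nat (inside) 0 access-list'
    net_static: Optional[Tuple[IPv4Network, IPv4Network]] = None          # (real, translated), 1:1 by host offset
    crypto_acl: List[Rule] = field(default_factory=list)                  # flows encrypted toward the peer

    @staticmethod
    def _xlate(a: IPv4Address, frm: IPv4Network, to: IPv4Network) -> IPv4Address:
        # Keep the host offset, swap the network part.
        return to[int(a) - int(frm.network_address)]

    def outbound(self, s: IPv4Address, d: IPv4Address) -> dict:
        """Rewrite the source if a rule applies, then match the crypto ACL on the result."""
        if d in self.inside:
            return {"src": s, "encrypted": False, "why": "destination is on the local LAN"}
        if any(r.matches(s, d) for r in self.nat_exempt):
            xs = s                                      # exemption wins: no translation at all
        elif self.net_static and s in self.net_static[0]:
            xs = self._xlate(s, *self.net_static)       # real -> translated
        else:
            xs = s
        enc = any(r.matches(xs, d) for r in self.crypto_acl)
        return {"src": xs, "encrypted": enc, "why": "crypto ACL matched" if enc else "no crypto ACL match"}

    def inbound(self, s: IPv4Address, d: IPv4Address) -> Optional[IPv4Address]:
        """Undo the static for a decrypted packet; None if the destination is not a translated host."""
        if self.net_static and d in self.net_static[1]:
            real, xlated = self.net_static
            return self._xlate(d, xlated, real)         # translated -> real
        return None


def crypto_acls_mirror(a: Site, b: Site) -> bool:
    """Both ends must describe the same flows in the same (translated) address space."""
    return {(r.src, r.dst) for r in a.crypto_acl} == {(r.dst, r.src) for r in b.crypto_acl}


def original_poster_config() -> dict:
    """First post's setup plus a static: the nat 0 exemption means the static never applies."""
    pix = Site("pix", ip_network("192.168.1.0/24"),
               nat_exempt=[rule("192.168.1.0/24", "192.168.2.0/24")],
               net_static=(ip_network("192.168.1.0/24"), ip_network("172.16.2.0/24")),
               crypto_acl=[rule("192.168.1.0/24", "192.168.2.0/24")])
    return pix.outbound(ip_address("192.168.1.10"), ip_address("192.168.2.10"))


def overlapping_no_translation() -> dict:
    """Both LANs are 192.168.1.0/24: the remote host looks local and never enters the tunnel."""
    pix = Site("pix", ip_network("192.168.1.0/24"),
               crypto_acl=[rule("192.168.1.0/24", "192.168.1.0/24")])
    return pix.outbound(ip_address("192.168.1.10"), ip_address("192.168.1.20"))


def overlapping_with_translation() -> Tuple[dict, Optional[IPv4Address], bool]:
    """Each side presents its LAN to the tunnel as a distinct /24; crypto ACLs use those ranges."""
    site_a = Site("site-a", ip_network("192.168.1.0/24"),
                  net_static=(ip_network("192.168.1.0/24"), ip_network("172.16.2.0/24")),
                  crypto_acl=[rule("172.16.2.0/24", "172.16.3.0/24")])
    site_b = Site("site-b", ip_network("192.168.1.0/24"),
                  net_static=(ip_network("192.168.1.0/24"), ip_network("172.16.3.0/24")),
                  crypto_acl=[rule("172.16.3.0/24", "172.16.2.0/24")])
    # Host .10 at site A addresses host .20 at site B by its translated name 172.16.3.20.
    out = site_a.outbound(ip_address("192.168.1.10"), ip_address("172.16.3.20"))
    delivered_to = site_b.inbound(out["src"], ip_address("172.16.3.20")) if out["encrypted"] else None
    return out, delivered_to, crypto_acls_mirror(site_a, site_b)


if __name__ == "__main__":
    print(original_poster_config())
    print(overlapping_no_translation())
    print(overlapping_with_translation())
```

The third scenario is the one the poster ended up building on a router: each site keeps 192.168.1.0/24 locally, hosts reach the other site through its translated range, and the static is undone on the receiving side. Whatever box does the translation, the check to run is the one crypto_acls_mirror makes: every crypto line on one end has its reverse on the other, written in translated addresses.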
 