Help with policy based nating

[matheisj]

I need some help configuring a policy based nat on a pix 501. I currently have the vpn up and running through a static nat. But I know that isn't right. My local lan is 192.168.97.0/24 and I need to nat it to 10.172.38.176/28, but through the VPN.

Any help would be nice.

Thanks

Jeremy

 

[Supergrrover]

Nat and policy Nat are for ip/port redirection inbound and outbound on interfaces, not much with vpn's. What are you trying to accomplish?


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[matheisj]

I have a hospital I am connecting a VPN to they only allow certain traffic in. They gave me a range of 10.172.38.176/28 to nat my local subnet to, of which is 192.168.97.0/24.

I currently have the vpn working but just through a static host to host nat. Which is not the right way to do it I don't think.

I want to be able to nat my local subnet to the subnet the hospital assigned to me only on that vpn policy though.

I know it can be done. I am not a big cisco guy though.

thanks for the help

Jeremy

 

[matheisj]

I was told I would have to do access list nating which I am not able to do. I can set up a regular VPN on a pix and that is it.

 

[horus42]

First you need to create an access rule

access-list NAT-VPN permit ip 192.168.97.0 255.255.255.0 their_IP-Range 255.255.255.0

nat (inside) 3 access-list NAT-VPN 0 0
global (outside) 3 10.172.38.176-10.172.38.190


Please note that policy NAT doesn't support certain traffic,

For more info see this;

http://www.cisco.com/en/US/products..._guide_chapter09186a0080172786.html#wp1161275

 

[matheisj]

What aobut the cyrpto, would I have to change anything there.

Thanks

Jeremy

 

[horus42]

The only thing that you might have to change would be if you disabled NAT for this traffic, you need to enable it.