
ipsec source nat with cisco pix 506

Status
Not open for further replies.

go4now

MIS
Jan 8, 2007
1
DE
I was asked to establish a VPN tunnel using the following specs:

=> Phase 1: Key Exchange
=> IKE Phase1 (key exchange) encryption type: 3DES
=> IKE Phase1 (Data integrity) hashing algorithm: SHA
=> IKE Phase1 (Diffie-Hellman group): Group 2

=> Phase 2: IPSec Tunnel Creation
=> IPsec Phase2 (encapsulation) ESP
=> IPsec Phase2 (data encryption) 3DES
=> IPsec Phase2 (data integrity) hashing algorithm MD5
=> Authentication: Pre Share Key

So far nothing special, but it is required to have a special source network address
like 10.0.170.0, but I'm using a different internal network address like 10.0.5.0, which means
that it is required to NAT my source address prior to the VPN tunnel.

I didn't find any description or config samples for this. Does anybody know if this
is possible and how?

Many thx
Matt.
 
I'm currently working to establish a similar site-to-site VPN where I'll be using a machine on the DMZ that has an internal address that is NATed to a public address. The connection will be from my PIX to something else on the other side.
I found a Cisco document on this here:

So it seems like the IPsec tunnel should have no problem whatsoever handling the NATed traffic. IPsec-wise, the relevant IP information is that of the tunnel's endpoints, in my case the PIX and whatever terminates the tunnel on the other end, which are static. The important thing, I think, is to make sure the PIX marks the traffic as interesting.

Let me know how your config is going as I still won't be able to test mine for a while.

Tiago
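
Added example, not part of either post above and not taken from the Cisco document mentioned: a sketch of how the source NAT and the "interesting traffic" match fit together on a PIX, assuming PIX OS 6.3(2) or later (which supports policy NAT). The remote LAN 192.168.100.0/24, the peer 203.0.113.2, the key placeholder and all ACL, transform-set and crypto map names are constructed for illustration; only 10.0.5.0, 10.0.170.0 and the Phase 1/Phase 2 parameters come from the thread.

```cisco
: Lines starting with ":" are comments.
: Constructed placeholders: 192.168.100.0/24 = remote LAN, 203.0.113.2 = remote peer.

: Policy NAT: translate 10.0.5.0/24 to 10.0.170.0/24 only for traffic
: destined to the remote LAN. Other traffic keeps its normal translation.
access-list POLICY-NAT permit ip 10.0.5.0 255.255.255.0 192.168.100.0 255.255.255.0
static (inside,outside) 10.0.170.0 access-list POLICY-NAT

: Crypto ACL ("interesting traffic"). NAT is applied before the crypto map
: is evaluated, so the source here is the translated 10.0.170.0/24,
: not the real 10.0.5.0/24.
access-list VPN-TRAFFIC permit ip 10.0.170.0 255.255.255.0 192.168.100.0 255.255.255.0

: Phase 1 as specified in the thread: 3DES, SHA, DH group 2, pre-shared key.
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

: Phase 2 as specified in the thread: ESP with 3DES and MD5.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN-TRAFFIC
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP interface outside

: Let decrypted tunnel traffic bypass the interface ACL checks.
sysopt connection permit-ipsec
```

`show xlate` confirms that inside hosts are being translated into 10.0.170.0/24, and `show crypto ipsec sa` should list 10.0.170.0/255.255.255.0 as the local identity once the tunnel is up.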
 