Nat inside VPN Tunnel with Pix 1

Maxwell2005

IS-IT--Management
Apr 7, 2005
Hi,

I have the following problem. Between two of our customers we have a VPN tunnel built up.
Customer A has an official IP address from his provider, which is, say, 172.0.0.0.
So his internal LAN gets NATted to this number.
Customer B needs Customer A to arrive inside the VPN with another IP address.

So is it possible to configure a "second" NAT which is only used inside a specific VPN tunnel?
And if yes, could you please post some example config lines showing how this works?

Thanks for your help

Maxwell
 
To make my above post a bit clearer as it seems to me now:

Customer A private IP in LAN 172.0.0.0
Customer A official IP Outside (Nat 1) 196.0.0.0
Customer A in VPN to Customer B (Nat 2) 121.0.0.0

I have no idea how to configure the Nat 2

Maxwell
 
I posted this today in comp.dcom.sys.cisco.

You can NAT to a different address using a NAT and Global that matches an
ACL. For example,

If your external address was 1.2.3.4 but you wanted to NAT traffic from the
192.168.204.0/24 network going to 10.20.30.40 global address over a VPN to
1.2.3.5 then you would do something like:

access-list jiggypuff permit ip 192.168.204.0 255.255.255.0 host 10.20.30.40

nat (inside) 2 access-list jiggypuff
global (outside) 2 1.2.3.5 - 1.2.3.5

You might also have something like:

nat (inside) 1 192.168.204.0 255.255.255.0
global (outside) 1 interface

So traffic going out to the internet would be NATed to the outside pix
address (1.2.3.4) and traffic going over the VPN to 10.20.30.40 would be
NATed to 1.2.3.5.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
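
The rule selection described in the post above, as an added example that is not part of the original post and is not Cisco code. It parses the posted config lines and returns the address a flow would leave with, under a simplified model (policy NAT checked before regular NAT, first match wins, no static, `nat 0` or xlate handling); the function names are hypothetical.

```python
import ipaddress

# Config lines from the post above; OUTSIDE_IP is the "external address" it names.
CONFIG = """\
access-list jiggypuff permit ip 192.168.204.0 255.255.255.0 host 10.20.30.40
nat (inside) 2 access-list jiggypuff
global (outside) 2 1.2.3.5 - 1.2.3.5
nat (inside) 1 192.168.204.0 255.255.255.0
global (outside) 1 interface
"""
OUTSIDE_IP = "1.2.3.4"

def _net(tokens):
    """Consume 'host A' or 'NET MASK' from a token list; return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse(config):
    """Return (acls, policy_nat, regular_nat, pools) from PIX-style lines."""
    acls, policy, regular, pools = {}, [], [], {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _net(t[4:])
            dst, _ = _net(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[3] == "access-list":
            policy.append((t[2], t[4]))             # (nat_id, ACL name)
        elif t[0] == "nat":
            regular.append((t[2], _net(t[3:])[0]))  # (nat_id, source network)
        elif t[0] == "global":                      # first pool address only
            pools[t[2]] = OUTSIDE_IP if t[3] == "interface" else t[3]
    return acls, policy, regular, pools

def translated_source(config, src, dst):
    """Address a flow src -> dst leaves with, or None if no nat rule matches."""
    acls, policy, regular, pools = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for nat_id, name in policy:                     # policy NAT: source AND destination
        if any(s in a and d in b for a, b in acls.get(name, [])):
            return pools.get(nat_id)
    for nat_id, net in regular:                     # regular NAT: source only
        if s in net:
            return pools.get(nat_id)
    return None
```

Calling `translated_source(CONFIG, "192.168.204.10", "10.20.30.40")` gives the VPN-side address, while any other destination (for example the constructed address 203.0.113.9) falls through to the interface address.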
 
Also be aware that if you need to implement a VPN tunnel using a NATed address, you need to configure NAT-Traversal (UDP over IPSec) to get traffic to work.

Gungnir77
CCNP, Advanced Security team at Cisco TAC
 
Gungnir,

What's the command to configure that? I presume that it must be on by default as I configured a VPN using NAT last week and didn't have to configure NAT-T.

Thanks,

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
NAT is not the same as NAT-T. NAT Traversal is also disabled by default. This will turn it on:

isakmp nat-traversal 20

<20> is the NAT keepalive; set it higher or lower as you desire.
 