NATing with private network in VPN

[ytreza]

Hi all,

XXXX-server I -XXXX
XX 192.168.110.8 XX
XXXXXXXXXXXXXXXXXXX
|
|
PIX 6.3.1
|
|
|
cisco concentrator 3.6.7
|
|
XXXX-server II -XXX
XX 10.128.205.77 XX
XXXXXXXXXXXXXXXXXXX


The "server I" has to reach the "server II" via a VPN established from the PIX to the concentrator.

The "server I" must be nat into an IP in the "remote"
network 10.128.205.x. ( I can not use the public IP of the server I for the VPN ! )

On the pix side, is it possible to make such a nat before
"entering" the VPN sothat the 2 servers can see themselves ?


Thanks in advance

Bye


Chris

 

[tbissett]

You can do a NAT to anything before going through the VPN on the PIX. However, there's a catch: If that NATed IP address is a 10.x address as your diagram suggests, the NATed host (server I) would not be able to access the Internet because to the outside world, it would appear to have a 10.x address.

Luckily, there is more than one way to do this. Here's how I would do it:
1) On the PIX end, specify NAT 0 for Server I when it's going through the VPN to 10.x addresses. The address will come through the tunnel "appearing" as 192.168.110.8. Here's what the commands would look like:

access-list nonat permit ip host 192.168.110.8 host 10.128.205.77
nat 0 access-list nonat

What this is basically saying is "Use NAT for everything EXCEPT when host 192.168.110.8 needs to talk to 10.128.205.77. If that's the case, don't NAT the address."

2) Since your VPn concentrator is ver. 3.6.7, you can do NATs on inbound traffic. Set the concentrator to NAT this 192.168.110.68 address to a 10.x.x.x address.

Here's the Cisco doc that explains how to do that part:

http://www.cisco.com/warp/public/471/config_vpn_3k_site.html

There are other ways to do it. Also look into using the PIX EzVPN feature to make the PIX like a hardware client to the concentrator. I just happen to like the way I mentioned above a little better.

 

[ytreza]

Thanks to tbissett, it works !

bye

Chris