[c-nsp] PIX L2L tunnel and "NAT-before-Ipsec"

Brian Feeny signal at shreve.net
Thu Nov 11 21:11:54 EST 2004



Nicolaj,

Here is a solution to how this can be done:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml


Best of luck,

Brian

On Nov 11, 2004, at 4:16 PM, Nicolaj Ottsen wrote:

> Hi,
>
> I need a hint, so naturally I turn to you :)
>
> Somebody claims that it is possible to translate inside traffic to an
> outside address before sending the traffic through an IPsec tunnel. This
> is done so the other end can support tunnels from many clients with
> identical internal addresses, obviously smart at the other end, but does
> the PIX support this fancy feature?
>
> Should I just omit the nat 0 access-list and make a specific nat entry to
> force the allowed inside hosts to translate to a separate outside
> address?
> Do I need statics to permit traffic from the other end, or will it be
> covered by "sysopt connection permit-ipsec"?
>
> Sniff....
>
> global (outside) 3 5.5.5.5
> nat (inside) 3 10.0.0.10 255.255.255.255
>
> access-list outside_cryptomap_202 permit ip host 5.5.5.5 7.7.7.7 255.255.255.0
>
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto map outside_map 20 ipsec-isakmp
> crypto map outside_map 20 match address outside_cryptomap_202
> crypto map outside_map 20 set pfs group2
> crypto map outside_map 20 set peer 4.4.4.4
> crypto map outside_map 20 set transform-set ESP-3DES-SHA
> crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 50000
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp key ******** address 4.4.4.4 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp identity address
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash sha
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 28800
>
> Yes, I could just test it myself. But unfortunately that's not a
> possibility just now - sorry.
>
> /Nicolaj
>
>
>
---------------------------------------------
Brian Feeny, CCIE #8036, CISSP
Network Engineer
ShreveNet Inc.
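Worked configuration for the NAT-before-IPsec setup Nicolaj asks about, added here as an editor's example; it is not from the thread or from the Cisco document Brian links, and it uses the same sanitized addresses as the post (10.0.0.10 inside, 5.5.5.5 as the translated address, 7.7.7.0/24 as the remote LAN, 4.4.4.4 as the peer). The ACL names, the assumption that 5.5.5.5 is routable back from the remote site, and the comment lines are mine; the policy static syntax needs PIX 6.3 or later.

```cisco
! Added example, not the original poster's configuration.
! Addresses are the sanitized ones from the post; ACL names are assumptions.

! 1. NAT exemption must NOT cover the tunnel traffic. "nat 0 access-list"
!    wins over static and over nat/global, so a line like the commented one
!    below would send 10.0.0.10 untranslated into the tunnel. Leave this
!    peer's traffic out of any nat 0 list:
!    access-list nonat permit ip host 10.0.0.10 7.7.7.0 255.255.255.0
!    nat (inside) 0 access-list nonat

! 2. Translate 10.0.0.10 to 5.5.5.5 only when it talks to the remote LAN.
!    A policy static is bidirectional, so it serves both flows 10.0.0.10
!    starts and flows the remote site starts toward 5.5.5.5. The one-way
!    pair from the post (global (outside) 3 5.5.5.5 /
!    nat (inside) 3 10.0.0.10 255.255.255.255) creates the xlate only after
!    10.0.0.10 has sent first, and it translates for every destination.
access-list tunnel_nat permit ip host 10.0.0.10 7.7.7.0 255.255.255.0
static (inside,outside) 5.5.5.5 access-list tunnel_nat

! 3. The crypto ACL matches the translated address. On the PIX, NAT is
!    applied before the crypto map is consulted outbound and after
!    decryption inbound, so the interesting traffic is 5.5.5.5 <-> 7.7.7.0/24,
!    never 10.0.0.10.
access-list outside_cryptomap_202 permit ip host 5.5.5.5 7.7.7.0 255.255.255.0

! 4. IKE and IPsec; the transform-set name must match its definition.
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_202
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 4.4.4.4
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 50000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 4.4.4.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

! 5. On the remote peer, the mirror crypto ACL and any inbound filtering see
!    only 5.5.5.5, which is what lets that end terminate many sites that all
!    use the same private range inside:
!    access-list to_site_a permit ip 7.7.7.0 255.255.255.0 host 5.5.5.5
```

On the question of whether "sysopt connection permit-ipsec" replaces the static: it only bypasses the outside interface access-list for packets that arrive decrypted from the tunnel, it does not create a translation, so a flow the remote side initiates toward 5.5.5.5 still needs the static (or an xlate already built by an inside-initiated flow). To check the result, "show xlate" should list 10.0.0.10 as 5.5.5.5 once traffic has flowed, and "show crypto ipsec sa" should show the local ident as 5.5.5.5/255.255.255.255 rather than the inside address.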


