[cisco-bba] FW: Static NAT translation over IPSEC tunnel - PIX 6.3
Michael G. Jung
mikej at confluenttech.com
Mon Dec 11 16:43:32 EST 2006
I have several tunnels up and operational on an old PIX-520 running
6.3(4)120.
I want to establish a new tunnel, but I want to static xlate my inside
address to a real world address, and have the destination host see my
traffic as sourced from the NAT'd address.
So I've built an access-list for interesting traffic for the tunnel,
built my static, and have not specified the interesting traffic in my
NAT-0 access-list that I use for other tunnels. I've turned up debug
crypto isakmp on the pix but I don't see any initiation.
My inside host on interface DMZ is 172.0.255.15 which is NAT'd to
216.26.153.12.
So I want 172.0.255.15 to connect to the remote host 172.30.21.216
presenting itself as sourced from the nat'd address 216.26.153.12.
Here is what I think is relevant.
ip address outside 216.26.153.4 255.255.255.128
ip address dmz 172.0.255.1 255.255.255.0
access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215
static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set global-vpn esp-3des esp-md5-hmac
crypto map outside 212 ipsec-isakmp
crypto map outside 212 match address global-vpn
crypto map outside 212 set peer not.my.real.ip
crypto map outside 212 set transform-set global-vpn
crypto map outside interface outside
isakmp enable outside
isakmp key ******** address not.my.real.ip netmask 255.255.255.255
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption 3des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 86400
Any ideas? Am I approaching this correctly with the static and not
using nat0 for 216.26.153.12<->172.30.21.215?
Thanks for any suggestions.
--mikej
Michael Jung
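As an added example (not part of the post above and not Cisco code), here is a small Python model of the outbound order of operations assumed here for PIX 6.3, NAT first and then the crypto-map ACL match on the translated source, run over the static and access-list quoted in the post. It shows which flows that ACL would select and why the ACL has to name the translated (global) address rather than the inside one; the "static (...)" and "access-list" parsing covers only the host/mask/any forms used in the post.

```python
import ipaddress

def _net(tokens):
    """Parse one PIX address term: 'host A', 'any', or 'A MASK'. Returns (network, tokens used)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), 2
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), 2

def parse_static(line):
    """'static (IN,OUT) GLOBAL LOCAL netmask M ...' -> (local_net, global_net)."""
    p = line.split()
    mask = p[p.index("netmask") + 1]
    return (ipaddress.ip_network(f"{p[3]}/{mask}", strict=False),
            ipaddress.ip_network(f"{p[2]}/{mask}", strict=False))

def parse_acl(line):
    """'access-list NAME permit ip SRC DST' -> (name, src_net, dst_net)."""
    p = line.split()
    src, used = _net(p[4:])
    dst, _ = _net(p[4 + used:])
    return p[1], src, dst

def translate(src, statics):
    """Apply the first static whose local range covers src (one-to-one offset mapping).
    With no matching static the address leaves untranslated, as it would under nat 0."""
    ip = ipaddress.ip_address(src)
    for local, glob in statics:
        if ip in local:
            offset = int(ip) - int(local.network_address)
            return str(ipaddress.ip_address(int(glob.network_address) + offset))
    return src

def crypto_selects(src, dst, statics, crypto_acl):
    """Assumed PIX 6.3 outbound order: translate the source first, then test the crypto ACL.
    Returns (translated source, whether this flow would trigger the crypto map)."""
    xlated = translate(src, statics)
    _, acl_src, acl_dst = parse_acl(crypto_acl)
    selected = (ipaddress.ip_address(xlated) in acl_src
                and ipaddress.ip_address(dst) in acl_dst)
    return xlated, selected

# Constructed from the addresses quoted in the post
STATIC = "static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0"
ACL = "access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215"

if __name__ == "__main__":
    for dst in ("172.30.21.215", "172.30.21.216"):
        print(dst, crypto_selects("172.0.255.15", dst, [parse_static(STATIC)], ACL))
```

Running it against both remote addresses mentioned in the post makes it easy to see which destination the crypto ACL actually covers, and swapping the inside address into the ACL shows that such a line would never match post-NAT traffic in this model.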