[cisco-bba] FW: Static NAT translation over IPSEC tunnel - PIX 6.3

Michael G. Jung mikej at confluenttech.com
Mon Dec 11 16:43:32 EST 2006


 
I have several tunnels up and operational on an old PIX-520 running
6.3(4)120.
 
I want to establish a new tunnel, but I want to static xlate my inside
address to a real-world address, and have the destination host see my
traffic as sourced from the NAT'd address.
 
So I've built an access-list for interesting traffic for the tunnel,
built the static, and have not specified the interesting traffic in my
NAT-0 access-list that I use for other tunnels. I've turned up debug
crypto isakmp on the PIX but I don't see any initiation.
 
My inside host on interface DMZ is 172.0.255.15, which is NAT'd to
216.26.153.12.

So I want 172.0.255.15 to connect to the remote host 172.30.21.216,
presenting itself as sourced from the NAT'd address 216.26.153.12.
 
Here is what I think is relevant.
 
ip address outside 216.26.153.4 255.255.255.128
ip address dmz 172.0.255.1 255.255.255.0 
 
access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215

 
static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0

sysopt connection permit-ipsec

 
crypto ipsec transform-set global-vpn esp-3des esp-md5-hmac

crypto map outside 212 ipsec-isakmp
crypto map outside 212 match address global-vpn
crypto map outside 212 set peer not.my.real.ip 
crypto map outside 212 set transform-set global-vpn

crypto map outside interface outside
 
isakmp enable outside
isakmp key ******** address not.my.real.ip netmask 255.255.255.255
isakmp identity address

isakmp policy 100 authentication pre-share
isakmp policy 100 encryption 3des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 86400

 
Any ideas? Am I approaching this correctly with the static and not
using nat0 for 216.26.153.12<->172.30.21.215?
 
Thanks for any suggestions.
 
--mikej
Michael Jung
 
 
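The question above comes down to the order in which PIX 6.3 processes an outbound packet: NAT exemption (nat 0 access-list) is checked first, then static translation, and only then is the translated packet compared against the crypto map's match ACL. So the crypto ACL must name the post-NAT address 216.26.153.12, as the post's global-vpn ACL does, and the peer must likewise name 216.26.153.12 as its remote endpoint. The following script is an added example, not part of the original post and not a Cisco tool; it models that ordering for the static and the crypto ACL exactly as posted, plus a hypothetical nat 0 ACL and a 10.9.8.0/24 network standing in for the poster's other, NAT-exempt tunnels. One thing it makes visible: the post names the remote host as 172.30.21.216, while the crypto ACL matches host 172.30.21.215. Whichever of the two is the typo, only traffic to the ACL's address is interesting traffic, and with no interesting traffic there is no ISAKMP initiation for debug crypto isakmp to show.

```python
"""Model PIX 6.3 outbound classification: nat 0 exemption, then static NAT,
then the crypto-map match ACL applied to the translated packet.

Added example for the mailing-list question; not the poster's or Cisco's code.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """PIX address spec: 'host A', 'any', or 'A NETMASK' (a netmask, not an IOS wildcard)."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config_lines, name):
    """Collect 'access-list NAME permit|deny PROTO SRC DST' entries, in order."""
    entries = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 5 or tokens[:2] != ["access-list", name]:
            continue
        permit = tokens[2] == "permit"
        src, i = _parse_addr(tokens, 4)  # tokens[3] is the protocol; only 'ip' is modelled
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(permit, src, dst))
    return entries


def acl_permits(flow, entries):
    """First match wins; an implicit deny ends every ACL."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.permit
    return False


def parse_statics(config_lines):
    """'static (in,out) GLOBAL LOCAL netmask 255.255.255.255 ...' -> {LOCAL: GLOBAL}."""
    statics = {}
    for line in config_lines:
        tokens = line.split()
        if len(tokens) >= 6 and tokens[0] == "static" and tokens[4] == "netmask" \
                and tokens[5] == "255.255.255.255":
            statics[tokens[3]] = tokens[2]
    return statics


def translate(flow, nat0_entries, statics):
    """PIX 6.3 NAT precedence on the way out: nat 0 access-list beats static."""
    if acl_permits(flow, nat0_entries):
        return flow  # exempt: leaves with its private source address
    return Flow(statics.get(flow.src, flow.src), flow.dst)


def would_initiate(flow, config_lines, nat0_name, crypto_name):
    """Return (flow as it leaves the outside interface, True if it is interesting traffic)."""
    translated = translate(flow, parse_acl(config_lines, nat0_name), parse_statics(config_lines))
    return translated, acl_permits(translated, parse_acl(config_lines, crypto_name))


# Constructed config: the static and crypto ACL are copied from the post; the
# 'nonat' ACL and 10.9.8.0/24 are hypothetical stand-ins for the other tunnels.
CONFIG = [
    "access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215",
    "access-list nonat permit ip 172.0.255.0 255.255.255.0 10.9.8.0 255.255.255.0",
    "static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0",
]

if __name__ == "__main__":
    for dst in ("172.30.21.215", "172.30.21.216", "10.9.8.1"):
        flow = Flow("172.0.255.15", dst)
        xlated, interesting = would_initiate(flow, CONFIG, "nonat", "global-vpn")
        verdict = "matches crypto ACL, IKE starts" if interesting else "no crypto match, no IKE"
        print(f"{flow.src}->{flow.dst} leaves as {xlated.src}->{xlated.dst}: {verdict}")
```

On the box itself the same two checks are `show xlate` (the static 216.26.153.12/172.0.255.15 entry must exist) and, once interesting traffic has been sent outbound, `show crypto ipsec sa` for the 216.26.153.12 to 172.30.21.x proxy identity. Note that a host-to-host crypto ACL only brings the tunnel up when a packet actually matches it; with an idle DMZ host debug crypto isakmp will stay silent even when the configuration is right.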