[nsp] PIX NAT with IPSec
Jason Lixfeld
jason at lixfeld.ca
Fri Jul 2 17:32:35 EDT 2004
Assuming the below diagram:
+----+
| H1 |             IPSec
+----+    ++==================================++
  |       ||                                  ||
  |    +------+                            +------+
  +----| PIX1 |--------- INTERNET ---------| PIX2 |
       +------+                            +------+
                                              |
                                              |
                                              B
                                           +----+
                                           | H2 |A-------------------- INTERNET
                                           +----+

H2 has 2 interfaces, A & B. A is connected to the internet, B is
connected to a PIX. The Default Gateway for H2 is via Interface A.

H1 needs to get to H2 over an IPSec tunnel. What I'm looking for
ideally is a way to configure NAT on the PIX so when traffic from H1 to
H2 via the IPSec tunnel is decrypted, it's run through NAT on the PIX
whereby its source address will then be on the same network as
Interface B on H2. Unless this is possible, H2 will try to send
traffic for H1 back out to the internet which will break. Also, adding
static routes on H2 pointing back to H1 is not an optional workaround.

I haven't found a way to configure the PIX to do NAT based solely on
"outside" interface. All the examples I've found point to the PIX
requiring an "inside" and "outside" interface for NAT.

Thanks in advance for any suggestions...