[c-nsp] PIX L2L tunnel and "NAT-before-Ipsec"

Nicolaj Ottsen no at webpartner.dk
Thu Nov 11 17:16:07 EST 2004


Hi,

I need a hint, so naturally I turn to you :)

Somebody claims that it is possible to translate inside traffic to an
outside address before sending the traffic through an IPsec tunnel. This
is done so the other end can support tunnels from many clients with
identical internal addresses, obviously smart at the other end, but does
the PIX support this fancy feature?

Should I just omit the nat 0 access-list and make a specific nat entry to
force the allowed inside hosts to translate to a separate outside
address?
Do I need statics to permit traffic from the other end, or will it be
covered by "sysopt connection permit-ipsec"?

Sniff....

global (outside) 3 5.5.5.5
nat (inside) 3 10.0.0.10 255.255.255.255

access-list outside_cryptomap_202 permit ip host 5.5.5.5 7.7.7.7 255.255.255.0

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_202
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 4.4.4.4
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 50000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 4.4.4.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

Yes, I could just test it myself. But unfortunately that's not a
possibility just now - sorry.

/Nicolaj
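The question above turns on packet ordering: on the PIX, outbound traffic is translated by nat/global first, and the crypto map ACL is then matched against the already-translated packet, while inbound traffic is decrypted and must still find a translation entry to reach the inside host. The following is an added Python model of that ordering, written for this page and not code from the poster or from Cisco; it reuses the addresses from the posted config, assumes a /32 nat entry for 10.0.0.10 and a /24 behind the peer, and the static entry is a hypothetical addition. It shows why the crypto ACL has to name the translated address (a crypto ACL written for 10.0.0.10 never matches, and the traffic leaves in the clear), and why outside-initiated traffic to the dynamic global needs either an existing xlate or a static.

```python
"""Model of PIX "NAT before IPsec" ordering. Constructed illustration, not PIX code.

Outbound:  nat/global translation  ->  crypto map ACL match on translated packet
Inbound:   decrypt (sysopt connection permit-ipsec skips the interface ACL)
           ->  look up a translation for the destination (xlate or static)
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Modelled from the post: nat (inside) 3 10.0.0.10 255.255.255.255 / global (outside) 3 5.5.5.5
DYNAMIC_NAT = [(ip_network("10.0.0.10/32"), "5.5.5.5")]

# Crypto ACL as posted: translated source host 5.5.5.5 -> network behind the peer
ACL_POST_NAT = [(ip_network("5.5.5.5/32"), ip_network("7.7.7.0/24"))]
# The naive alternative: matching the real inside address instead
ACL_PRE_NAT = [(ip_network("10.0.0.10/32"), ip_network("7.7.7.0/24"))]


class Pix:
    def __init__(self, crypto_acl, static_nat=None):
        self.crypto_acl = crypto_acl
        # Hypothetical static (inside,outside) entries: global -> inside address
        self.static_nat = dict(static_nat or {})
        # Dynamic xlate table: global -> inside, created only by inside-initiated traffic
        self.xlate = {}

    def _acl_hit(self, pkt):
        return any(ip_address(pkt.src) in s and ip_address(pkt.dst) in d
                   for s, d in self.crypto_acl)

    def outbound(self, pkt):
        """Returns (packet as it appears on the outside, encrypted?)."""
        # Step 1: translation. A static wins; otherwise nat/global builds an xlate.
        for gaddr, iaddr in self.static_nat.items():
            if iaddr == pkt.src:
                pkt = Packet(gaddr, pkt.dst)
                break
        else:
            for inside_net, gaddr in DYNAMIC_NAT:
                if ip_address(pkt.src) in inside_net:
                    self.xlate[gaddr] = pkt.src
                    pkt = Packet(gaddr, pkt.dst)
                    break
        # Step 2: the crypto map ACL sees the translated packet.
        # No match means the packet is forwarded unencrypted, not dropped.
        return pkt, self._acl_hit(pkt)

    def inbound_from_tunnel(self, pkt):
        """Decrypted packet from the peer, addressed to the global address.
        sysopt connection permit-ipsec bypasses the interface ACL, but the
        PIX still needs a translation to find the inside host."""
        inside = self.static_nat.get(pkt.dst) or self.xlate.get(pkt.dst)
        if inside is None:
            return None  # no xlate and no static: dropped
        return Packet(pkt.src, inside)


if __name__ == "__main__":
    pix = Pix(ACL_POST_NAT)
    print(pix.outbound(Packet("10.0.0.10", "7.7.7.20")))   # translated, encrypted
    print(Pix(ACL_PRE_NAT).outbound(Packet("10.0.0.10", "7.7.7.20")))  # translated, NOT encrypted
    print(pix.inbound_from_tunnel(Packet("7.7.7.20", "5.5.5.5")))      # xlate exists: delivered
    print(Pix(ACL_POST_NAT).inbound_from_tunnel(Packet("7.7.7.20", "5.5.5.5")))  # none: dropped
```

Running it with the pre-NAT ACL is the case worth noticing: the host still gets translated to 5.5.5.5, the crypto ACL never matches, and the packet goes out on the outside interface in plaintext. With the post-NAT ACL the traffic is protected, but the peer can only initiate towards 5.5.5.5 once the inside host has created an xlate, unless a static is configured for it.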
