[c-nsp] PIX: NAT inside a VPN?

Garry gkg at gmx.de
Tue Nov 22 09:44:48 EST 2005


Wolfgang Roth wrote:
>> Is it possible to do a NAT on a PIX (7.0.x) inside a VPN? That is,
>> remote network sets up a VPN to local Pix, but instead of using regular
>> internal IPs, a NATted IP is used (in order to later possibly switch to
>> a different server). Also, if so, can an arbitrary IP be used?
> It is possible with 6.3(X), but a little bit tricky. We use it here.
> It should work with 7.0(X) also.
>
> You may use 'static (int1,int2) 1.2.3.4 access-list list-name 0 0'
> statements to implement this.
Thanks ... tried it; I can enter it using the command line (the Java GUI
does not permit configuring NAT between the same interface).
Only problem is I can't access the NATted address: a ping through the
VPN to the original address works fine, a ping to the NAT address
arrives at the PIX ("debug icmp trace" lists the packet with the VPN IP
and the NAT destination), but I can't seem to get a reply. I tried
configuring an ACL to allow outside-to-inside access from the VPN net to
the NAT IP, but that didn't help.

Any idea?


-gg
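As an added illustration (not part of Wolfgang's or Garry's posts), here is what the "static with access-list" approach looks like as a complete policy-NAT-plus-crypto-map fragment in PIX 6.3/7.0 syntax. Everything in it is assumed: the interface names inside/outside, the real server 192.168.1.10, the mapped address 172.16.1.10, the remote network 10.10.10.0/24, the peer 203.0.113.2, and the ACL, crypto map and transform-set names. The point it shows is the check a practitioner wants when a NATted address is reachable at the PIX but never answered: on the PIX, NAT is applied before the crypto map is evaluated, so the crypto ACL has to match the mapped address, not the real one, and the remote peer's crypto ACL has to mirror it.

```cisco
! Added example, not from the original thread. Assumed topology:
!   inside network 192.168.1.0/24, real server 192.168.1.10
!   address presented to the VPN peer (mapped):   172.16.1.10
!   remote network 10.10.10.0/24, VPN peer        203.0.113.2
! Interface names, addresses and ACL names are assumptions.
! ISAKMP policy and pre-shared key are omitted for brevity.

! Policy NAT: the real server appears as 172.16.1.10 only towards the
! remote VPN network. The same static also untranslates inbound packets
! arriving from the VPN for 172.16.1.10 back to 192.168.1.10.
! (7.0 stores these ACL lines as "extended permit"; "permit" is accepted.)
access-list VPN-NAT permit ip host 192.168.1.10 10.10.10.0 255.255.255.0
static (inside,outside) 172.16.1.10 access-list VPN-NAT 0 0

! Crypto ACL ("interesting traffic"): must reference the MAPPED address.
! NAT happens before the crypto map is checked, so a crypto ACL written
! for 192.168.1.10 would not match the translated reply, and the reply
! would leave the outside interface unencrypted instead of in the tunnel.
access-list VPN-CRYPTO permit ip host 172.16.1.10 10.10.10.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN-CRYPTO
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside

! With the default "sysopt connection permit-ipsec", decrypted VPN traffic
! bypasses the outside interface ACL. If that has been turned off, the
! peer network must be permitted to the MAPPED host explicitly:
access-list OUTSIDE-IN permit ip 10.10.10.0 255.255.255.0 host 172.16.1.10
access-group OUTSIDE-IN in interface outside
```

The remote peer's crypto ACL must be the mirror image of VPN-CRYPTO (10.10.10.0/24 to host 172.16.1.10); the real 192.168.1.10 must not appear anywhere on the peer. Two quick checks on the PIX: "show xlate" should show the 192.168.1.10 / 172.16.1.10 translation once a packet has crossed, and "show crypto ipsec sa" should show the 172.16.1.10 proxy identity with both encaps and decaps counters increasing. If the static is instead configured between the same interface (the case the GUI rejects), PIX 7.0 additionally needs "same-security-traffic permit intra-interface" before it will forward traffic back out the interface it arrived on; that command does not exist in 6.3.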

