[c-nsp] PIX: NAT inside a VPN?
Garry
gkg at gmx.de
Tue Nov 22 09:44:48 EST 2005
Wolfgang Roth wrote:
>> remote network sets up a VPN to local Pix, but instead of using regular
>> internal IPs, a NATted IP is used (in order to later possibly switch to
>> a different server). Also, if, can an arbitrary IP be used?
> Is it possible to do a NAT on a PIX (7.0.x) inside a VPN? That is,
> it is possible with 6.3(X), but a little bit tricky. We use it here.
> It should work with 7.0(X) also.
>
> You may use 'static (int1,int2) 1.2.3.4 access-list list-name 0 0'
> statements to implement this.
Tnx ... tried it, I can enter it using the command line (Java GUI does
not permit configuring NAT between the same interface)
Only problem is I can't access the NATted address - a ping through the
VPN to the original address works fine, a ping to the NAT address
arrives at the Pix ("debug icmp trace" lists the packet with the VPN IP
and the NAT destination), but I can't seem to get a reply ... I tried
configuring an ACL to allow outside to inside access from the VPN net to
the NAT ip, but that didn't help ...
Any idea?
-gg
More information about the cisco-nsp
mailing list