[c-nsp] PIX: NAT inside a VPN?

Wolfgang Roth Wolfgang.Roth at brave.de
Tue Nov 22 10:05:49 EST 2005


>> You may use 'static (int1,int2) 1.2.3.4 access-list list-name 0 0'
>> statements to implement this.
> Tnx ... tried it, I can enter it using the command line (Java GUI does
> not permit configuring NAT between the same interface)
> Only problem is I can't access the NATted address - a ping through the
> VPN to the original address works fine, a ping to the NAT address arrives
> at the Pix ("debug icmp trace" lists the packet with the VPN IP and the
> NAT destination), but I can't seem to get a reply ... I tried configuring
> an ACL to allow outside to inside access from the VPN net to the NAT ip,
> but that didn't help ...

Here's a short example:

PIX with inside and outside interface, global PAT from inside to outside
inside configured with 192.168.0.1/24
Site-to-site VPN to 172.16.101.0/24, which should be translated (NAT) to 
192.168.1.0/24 on the device, so that 172.16.101.0/24 is visible as 
192.168.1.0/24 from inside

access-list no-nat-inside permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
...
access-list nat-inside permit ip 192.168.0.0 255.255.255.0 172.16.101.0 255.255.255.0
...
global (outside) 1 interface
nat (inside) 0 access-list no-nat-inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.94.0 access-list nat-inside 0 0

Before trying this, the tunnel should work!

Here are excerpts from the outside ACL:

access-list outside permit ip host 172.16.101.X host 192.168.94.X
access-list outside permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
...
access-group outside in interface outside

I hope this helps!

Wolfgang
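The following is an added example and not part of Wolfgang's post or Cisco's code. It is a small Python model of the three statement types used above (NAT exemption via `nat (ifc) 0 access-list`, policy static NAT via `static (real,mapped) mapped-net access-list`, and dynamic `nat`/`global ... interface` PAT), fed with a constructed configuration in the same style. Two things are assumptions of this model rather than statements from the post: that the PIX evaluates exemption before static NAT and static NAT before dynamic NAT, and that a net-to-net static keeps the host bits of the real address. The outside interface address 203.0.113.1 and the test flows are constructed. Walking a flow through such a model shows which statement it hits, which is the kind of check that helps when a ping reaches the PIX but no reply comes back.

```python
"""Toy model of PIX 6.x-style NAT evaluation (added example, not from the post).

Assumed order (not confirmed by the post): NAT exemption (nat 0 access-list),
then policy static NAT, then dynamic nat/global PAT. Net-to-net statics are
assumed to preserve the host part of the real address.
"""
import ipaddress

# Constructed configuration in the style of the post; addresses chosen for the example.
SAMPLE_CONFIG = """
access-list no-nat-inside permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nat-inside permit ip 192.168.0.0 255.255.255.0 172.16.101.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat-inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.94.0 access-list nat-inside 0 0
"""

# Constructed outside interface address; 'global (outside) 1 interface' PATs to it.
OUTSIDE_IFACE_IP = ipaddress.ip_address("203.0.113.1")


def _parse_net(tokens, i):
    """Parse one ACL address operand at tokens[i]; return (network, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "a.b.c.d mask" form; ipaddress accepts dotted netmasks after the slash
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Collect ACL entries, exemption ACLs, dynamic NAT pools, globals and policy statics."""
    cfg = {"acls": {}, "nat_exempt": {}, "dynamic": {}, "globals": {}, "statics": []}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "permit" and t[3] == "ip":
            src, i = _parse_net(t, 4)
            dst, _ = _parse_net(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":
            ifc = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":
                cfg["nat_exempt"][ifc] = t[4]
            else:  # nat-id is not modelled; one dynamic pool per interface
                cfg["dynamic"][ifc] = ipaddress.ip_network(f"{t[3]}/{t[4]}")
        elif t[0] == "global":
            cfg["globals"][t[1].strip("()")] = t[3]  # "interface" in the sample
        elif t[0] == "static" and "access-list" in t:
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            acl_name = t[t.index("access-list") + 1]
            cfg["statics"].append((real_ifc, mapped_ifc, ipaddress.ip_address(t[2]), acl_name))
    return cfg


def _acl_match(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)


def translate(cfg, in_ifc, src, dst, iface_ip=OUTSIDE_IFACE_IP):
    """Return (translated source, rule hit) for a packet entering in_ifc."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acls = cfg["acls"]
    # 1. NAT exemption wins over everything else
    exempt_acl = cfg["nat_exempt"].get(in_ifc)
    if exempt_acl and _acl_match(acls.get(exempt_acl, []), src, dst):
        return str(src), "exempt"
    # 2. policy static NAT: real source in the ACL is rewritten onto the mapped net
    for real_ifc, mapped_ifc, mapped, acl_name in cfg["statics"]:
        if real_ifc != in_ifc:
            continue
        for s, d in acls.get(acl_name, []):
            if src in s and dst in d:
                offset = int(src) - int(s.network_address)  # keep host bits
                return str(ipaddress.ip_address(int(mapped) + offset)), f"static->{mapped_ifc}"
    # 3. dynamic nat/global: PAT to the outside interface address
    pool = cfg["dynamic"].get(in_ifc)
    if pool is not None and src in pool:
        return str(iface_ip), "pat"
    return str(src), "none"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for dst in ("172.16.101.5", "192.168.1.5", "198.51.100.7"):
        print(dst, "->", translate(cfg, "inside", "192.168.0.10", dst))
```

Traffic from 192.168.0.10 to the VPN peer network is rewritten to 192.168.94.10 by the static, traffic to 192.168.1.0/24 is left untouched by the exemption, and everything else is PATed to the outside interface address.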

