[c-nsp] question about natting ipsec traffic on pix 506E
dalton
daltons at panix.com
Wed Nov 30 20:01:00 EST 2011
Hi,
I am running a pix 506E. I believe what I am trying to do here will work, but just want to confirm with anyone who has
done something similar.
506E has tunnel to a telco which does not allow private ip space across the tunnel. So what i need to do is static nat incoming traffic from the server to
a public ip.
Here is the config i have in place at the moment (pretty simple)
access-list client1 permit ip host 209.1.1.157 host 200.1.1.2
access-list client1 permit ip host 209.1.1.158 host 200.1.1.2
access-list EXCLUDE-NAT permit ip host 209.1.1.157 host 200.1.1.2
access-list EXCLUDE-NAT permit ip host 209.1.1.158 host 200.1.1.2
nat (inside) 0 access-list EXCLUDE-NAT
static (inside,outside) 209.1.1.157 10.0.0.129 dns netmask 255.255.255.255 0 0
static (inside,outside) 209.1.1.158 10.0.0.130 dns netmask 255.255.255.255 0 0
crypto map statmap 120 ipsec-isakmp
crypto map statmap 120 match address client1
crypto map statmap 120 set peer 200.1.1.1
crypto map statmap 120 set pfs group2
crypto map statmap 120 set transform-set strong
I want to nat the 10.0.0.129 and 130 traffic to 209.1.1.157/158 before it goes through the tunnel.
In the acl for interesting traffic do i want he real (private ips - 10.0.0.129) here? or the natted ips (209.1.1.157)?
Also, for my nat 0 list, do i want the that natted ip in there? or the real ips.
Hope this makes sense.
Thanks for any insight!
dalton
More information about the cisco-nsp
mailing list