[c-nsp] question about natting ipsec traffic on pix 506E

dalton daltons at panix.com
Wed Nov 30 20:01:00 EST 2011


Hi,

I am running a PIX 506E. I believe what I am trying to do here will work, but I just want to confirm with anyone who has done something similar.

The 506E has a tunnel to a telco which does not allow private IP space across the tunnel. So what I need to do is static NAT incoming traffic from the server to a public IP.

Here is the config I have in place at the moment (pretty simple):

access-list client1 permit ip host 209.1.1.157 host 200.1.1.2
access-list client1 permit ip host 209.1.1.158 host 200.1.1.2
access-list EXCLUDE-NAT permit ip host 209.1.1.157 host 200.1.1.2
access-list EXCLUDE-NAT permit ip host 209.1.1.158 host 200.1.1.2

nat (inside) 0 access-list EXCLUDE-NAT
static (inside,outside) 209.1.1.157 10.0.0.129 dns netmask 255.255.255.255 0 0
static (inside,outside) 209.1.1.158 10.0.0.130 dns netmask 255.255.255.255 0 0

crypto map statmap 120 ipsec-isakmp
crypto map statmap 120 match address client1
crypto map statmap 120 set peer 200.1.1.1
crypto map statmap 120 set pfs group2
crypto map statmap 120 set transform-set strong

I want to NAT the 10.0.0.129 and .130 traffic to 209.1.1.157/158 before it goes through the tunnel.

In the ACL for interesting traffic, do I want the real (private) IPs here (10.0.0.129), or the NATted IPs (209.1.1.157)?
Also, for my nat 0 list, do I want the NATted IPs in there, or the real IPs?

Hope this makes sense. 

Thanks for any insight!

dalton
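An added example, not part of the original post: a small checker for the config quoted above. It encodes one assumption about PIX 6.x order of operations for traffic leaving the inside interface, namely that static/nat translation is applied before the crypto map's match ACL is evaluated, so the crypto ACL must name the translated (global) addresses, while a `nat (inside) 0 access-list` ACL is evaluated against the real (untranslated) inside addresses. The function names and the embedded copy of the config are constructed for this example.

```python
"""Consistency check for PIX 6.x static NAT + IPsec crypto ACLs.

Assumption (PIX 6.x, outbound from inside): translation happens before the
crypto map match ACL is evaluated, so the crypto ACL must use the global
addresses, and a 'nat (inside) 0 access-list' ACL sees real inside addresses.
"""
import re

# Constructed copy of the configuration quoted in the post.
SAMPLE_CONFIG = """
access-list client1 permit ip host 209.1.1.157 host 200.1.1.2
access-list client1 permit ip host 209.1.1.158 host 200.1.1.2
access-list EXCLUDE-NAT permit ip host 209.1.1.157 host 200.1.1.2
access-list EXCLUDE-NAT permit ip host 209.1.1.158 host 200.1.1.2
nat (inside) 0 access-list EXCLUDE-NAT
static (inside,outside) 209.1.1.157 10.0.0.129 dns netmask 255.255.255.255 0 0
static (inside,outside) 209.1.1.158 10.0.0.130 dns netmask 255.255.255.255 0 0
crypto map statmap 120 ipsec-isakmp
crypto map statmap 120 match address client1
crypto map statmap 120 set peer 200.1.1.1
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit ip host (\S+) host (\S+)")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")


def parse(cfg):
    """Return (global->real statics, acl name->[(src, dst)], nat 0 ACL names,
    crypto map match ACL names) from the host-to-host lines we care about."""
    statics, acls, nat0, crypto = {}, {}, [], []
    for line in cfg.strip().splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)  # global -> real inside address
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0.append(m.group(1))
        elif m := MATCH_RE.match(line):
            crypto.append(m.group(1))
    return statics, acls, nat0, crypto


def check(cfg):
    """Return a list of (severity, message) findings; empty means consistent."""
    statics, acls, nat0, crypto = parse(cfg)
    real_to_global = {real: glob for glob, real in statics.items()}
    findings = []
    # Crypto ACL is matched after translation: it must name the global address.
    for name in crypto:
        for src, _dst in acls.get(name, []):
            if src in real_to_global:
                findings.append(("error",
                    f"crypto ACL {name}: {src} is a real inside address; outbound packets "
                    f"are translated to {real_to_global[src]} before the crypto map is "
                    f"matched, so use {real_to_global[src]} here"))
            elif src not in statics:
                findings.append(("warn",
                    f"crypto ACL {name}: {src} is not a static global address; "
                    "it would enter the tunnel untranslated"))
    # nat 0 is evaluated against real addresses, and exemption overrides the static.
    for name in nat0:
        for src, _dst in acls.get(name, []):
            if src in statics:
                findings.append(("error",
                    f"nat 0 ACL {name}: {src} is a global address; nat 0 is evaluated "
                    f"against the real address {statics[src]}, so this entry never matches"))
            elif src in real_to_global:
                findings.append(("warn",
                    f"nat 0 ACL {name}: exempting {src} from NAT defeats the static to "
                    f"{real_to_global[src]}; drop this entry if the tunnel must see "
                    "public addresses"))
    return findings


if __name__ == "__main__":
    for severity, message in check(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the quoted config, the crypto ACL comes out clean (it already names the static global addresses) and both EXCLUDE-NAT entries are flagged as never matching; swap the crypto ACL entries to 10.0.0.x and the checker flags those instead.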

