Re: PIX515 IPSec VPN NAT Issue

From: Alexei Monastyrnyi <alexeim73_at_gmail.com>
Date: Thu, 16 Apr 2009 21:19:04 +0200

Hi.

IMO you don't have to have this part

nat (inside) 0 inside_nat0_outbound

If you have a proper routing to 172.16.0.0/22, the PIX will figure out where to send your traffic and will not translate it over your outside interface.

I would keep though that 0.0.0.0 part numbered as something like 65635 instead of 1.

global (outside) 65535 interface
nat (inside) 65535 0.0.0.0 0.0.0.0

to list more specific things before.

Thanks to PEmu BTW you can emulate the whole thing pretty easily.

HTH
A.

Joshua wrote:
> Hi,
>
> Company A just acquired Company B. I was asked to setup IPSec VPN to allow B
> access A's internal network (172.16.0.0/22). Based on Company A's VPN
> infrastructure, the interested subnet assigned to Company B is
> 10.9.11.0/24. Company
> B has its own subnet 192.168.1.0/24. Without changing company B's subnet to
> 10.9.11.0/24, i am thinking to create a "Temp" interface with security level
> 50 (outside int security is 0; inside int security is 100) and NAT
> 192.168.1.0/24 to 10.9.11.3/24. Company B is using PIX 515.
>
> The problem is Company B NAT traffic to PIX 515 outside interface for
> Internet access. So, if i put
>
> access-list inside_nat0_outbound permit ip 192.168.1.0
> 255.255.255.0 172.16.0.0 255.255.252.0
> global (outside) 1 interface
> nat (inside) 0 inside_nat0_outbound
> nat (inside) 1 0.0.0.0 0.0.0.0
>
> Can i still NAT traffic from 192.168.1.0 255.255.255.0 172.16.0.0
> 255.255.252.0 to Temp interface 10.9.11.3, since the traffic already defined
> no-NAT?
>
> access-list CompanyB_2_A permit ip 192.168.1.0 255.255.255.0 172.16.0.0
> 255.255.252.0
> global (temp) 2 10.9.11.3
> nat (inside) 2 access-list CompanyB_2_A
>
> If it is not a good solution for the scenario, what is the better way to
> work it out?
>
> Thanks!
>
> Joshua
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
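To make the ordering question in this thread concrete, here is a small added model (written for this archive page, not PIX code and not from either poster) of how the two configurations behave for one packet. It assumes the evaluation order the thread reasons about: NAT exemption (nat 0 access-list) is checked first, then policy NAT (nat with an access-list), then regular dynamic NAT taken in ascending nat-ID order, with the egress interface chosen by longest-prefix route lookup. Interface names ("inside", "outside", "temp"), the routes and the test addresses are constructed; the addresses and NAT IDs come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified model of PIX NAT rule selection for a single packet.
# Assumed order: nat 0 access-list (exemption) -> policy NAT (nat id access-list)
# -> regular dynamic NAT in ascending nat-ID order. Statics, PAT port handling
# and same-security rules are deliberately left out.

IPNet = ipaddress.IPv4Network


def net(s: str) -> IPNet:
    return ipaddress.ip_network(s, strict=False)


@dataclass
class Acl:
    name: str
    src: IPNet
    dst: IPNet

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> bool:
        return s in self.src and d in self.dst


@dataclass
class Nat:                      # nat (inside) <id> <net> <mask> | access-list <name>
    nat_id: int
    src: Optional[IPNet] = None
    acl: Optional[Acl] = None


@dataclass
class Global:                   # global (<iface>) <id> interface | <ip>
    iface: str
    nat_id: int
    addr: str                   # "interface" or a mapped address


@dataclass
class Config:
    nats: List[Nat]
    globals_: List[Global]
    routes: List[Tuple[IPNet, str]]   # (prefix, egress interface), constructed


def egress_for(cfg: Config, dst: ipaddress.IPv4Address) -> str:
    """Longest-prefix route lookup decides which interface the packet leaves on."""
    best = max((r for r in cfg.routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def find_global(cfg: Config, nat_id: int, iface: str) -> Optional[Global]:
    return next((g for g in cfg.globals_ if g.nat_id == nat_id and g.iface == iface), None)


def translate(cfg: Config, src_s: str, dst_s: str):
    """Return (action, mapped source, egress interface, matching ACL name or None)."""
    src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
    egress = egress_for(cfg, dst)
    # 1. NAT exemption wins outright: the packet leaves untranslated.
    for n in cfg.nats:
        if n.nat_id == 0 and n.acl and n.acl.matches(src, dst):
            return ("exempt", str(src), egress, n.acl.name)
    # 2. Policy NAT: nat <id> access-list <name> with a global on the egress interface.
    for n in sorted((n for n in cfg.nats if n.nat_id and n.acl), key=lambda n: n.nat_id):
        if n.acl.matches(src, dst):
            g = find_global(cfg, n.nat_id, egress)
            if g:
                return ("policy-nat", g.addr, egress, n.acl.name)
    # 3. Regular dynamic NAT, lowest nat-ID first (the catch-all should be last).
    for n in sorted((n for n in cfg.nats if n.nat_id and n.src), key=lambda n: n.nat_id):
        if src in n.src:
            g = find_global(cfg, n.nat_id, egress)
            if g:
                return ("nat", g.addr, egress, None)
    return ("no-translation", str(src), egress, None)


def build_config(with_nat0: bool, catchall_id: int) -> Config:
    """Joshua's config (with_nat0=True, catchall_id=1) or Alexei's variant (False, 65535)."""
    vpn = Acl("CompanyB_2_A", net("192.168.1.0/24"), net("172.16.0.0/22"))
    nats = [Nat(2, acl=vpn), Nat(catchall_id, src=net("0.0.0.0/0"))]
    if with_nat0:
        nats.insert(0, Nat(0, acl=Acl("inside_nat0_outbound", vpn.src, vpn.dst)))
    globals_ = [Global("outside", catchall_id, "interface"), Global("temp", 2, "10.9.11.3")]
    routes = [(net("172.16.0.0/22"), "temp"), (net("0.0.0.0/0"), "outside")]  # constructed
    return Config(nats, globals_, routes)


if __name__ == "__main__":
    joshua, alexei = build_config(True, 1), build_config(False, 65535)
    print(translate(joshua, "192.168.1.10", "172.16.1.5"))   # exempt: policy NAT 2 never reached
    print(translate(alexei, "192.168.1.10", "172.16.1.5"))   # policy-nat to 10.9.11.3 on temp
    print(translate(alexei, "192.168.1.10", "198.51.100.7"))  # catch-all PAT on outside
```

Running it shows the behaviour the thread describes: with the nat 0 exemption in place, VPN-bound traffic from 192.168.1.0/24 is sent untranslated and the policy NAT to 10.9.11.3 is never consulted; once the exemption is removed, the same packet hits policy NAT 2 and leaves the temp interface as 10.9.11.3, while Internet-bound traffic still falls through to the catch-all PAT on the outside interface.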
