Site-to-site VPN & NAT

Hi all,

I have two networks (A & B) which use completely different IP ranges, e.g.
Network A range: 1.1.1.0 255.255.255.0
Network B range: 2.2.2.0 255.255.255.0

I want to have site-to-site VPN to be configured. Traffic flow is initiated from A to B.
i.e.

1.1.1.0/24-----[PIX-A]----VPN Tunnel-----[PIX-B]-----2.2.2.0/24

The requirement is:
The source address from network A must be translated (NAT) to network B range before it enters VPN tunnel.

On PIX-A, I know I can configure NAT to translate the source destination from 1.1.1.0/24 to 2.2.2.0/24 range. I can then specify the traffic for this VPN using access-list (e.g. access-list 100 permit ip 2.2.2.0 0.0.0.255 2.2.2.0 0.0.0.255)

I'm not sure as for the sequence of operation on Cisco PIX.
Which one will be performed first? NAT or VPN? Is there a way to specify the order of operation?

If NAT is performed first, then the method I described above will work.
On the other hand, if VPN is performed first, I don't know how to translate the source address.

blitzlight asked:

td_miles commented:
I'm not sure what you're trying to achieve? If you manage to do what you describe, you're going to end up with a packet that is destined for 2.2.2.y with a source of 2.2.2.x. It's possible that the packet will get rejected as a spoof attempt, but if it doesn't, how is the traffic going to get back? The 2.2.2.y destination will try to send the data back to an address of 2.2.2.x and it will never go to the PIX as it thinks it is "local" traffic (i.e. on the same LAN subnet).

Order of operation (not sure if this applies equally to PIX or not, I couldn't find anything specific to PIX):
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

You can't change the order of operation, it is set in the code.

Bill_Szumski commented:
You can NAT an address before it enters the VPN tunnel but you can't NAT it to the same subnet as the destination.  I have seen situations where you are bringing up a tunnel to a device and the access list on the other side only allows network access to one address so you would have to NAT all of your traffic to one global.  In this case, however, you must NAT to a subnet that is different than the destination network.
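As an added example (not posted by anyone in this thread), here is what Bill_Szumski's advice looks like in PIX 6.x syntax: PIX-A translates 1.1.1.0/24 to a third, otherwise unused subnet (3.3.3.0/24, an assumption) instead of into B's own range, and the crypto ACL matches the translated addresses because the PIX applies NAT before it consults the crypto map. ACL names, the crypto map name, transform set and ISAKMP policy numbers are assumptions; peer addresses and the pre-shared key are placeholders.

```cisco
! --- PIX-A ---
! Net-to-net static NAT: inside hosts 1.1.1.x appear as 3.3.3.x on the outside.
! NAT runs before the crypto map, so the crypto ACL below must match the
! TRANSLATED source, not 1.1.1.0/24.
static (inside,outside) 3.3.3.0 1.1.1.0 netmask 255.255.255.0 0 0

! Crypto ACL: translated source -> remote LAN.
! PIX ACLs take real subnet masks (255.255.255.0), not IOS-style wildcards.
access-list VPN_TO_B permit ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0

! IKE phase 1 and IPsec phase 2 (names/numbers assumed, peer/key are placeholders).
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address <PIX-B-OUTSIDE-IP> netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_TO_B
crypto map OUTSIDE_MAP 10 set peer <PIX-B-OUTSIDE-IP>
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! --- PIX-B (mirror image) ---
! Exempt tunnel traffic from B's own NAT, and mirror the crypto ACL.
! Because 3.3.3.0/24 is NOT B's local subnet, a 2.2.2.y host sends its reply to
! its default gateway (PIX-B); the crypto map matches and the reply goes back
! through the tunnel. This is the return-path problem td_miles describes when
! the translated range is the same as B's range.
access-list NO_NAT permit ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
access-list VPN_TO_A permit ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_TO_A
crypto map OUTSIDE_MAP 10 set peer <PIX-A-OUTSIDE-IP>
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
! isakmp, transform-set and sysopt lines as on PIX-A, with PIX-A's address as the peer.
```

Verify with `show xlate` on PIX-A (1.1.1.x should show as 3.3.3.x) and `show crypto ipsec sa` on both ends (the protected identities should read 3.3.3.0/24 and 2.2.2.0/24).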