Solved

Site-to-site VPN & NAT

Posted on 2003-12-03
2
887 Views
Last Modified: 2010-08-05
Hi all,

I have two networks (A & B) which using completely different IP range. e.g.
Network A range: 1.1.1.0 255.255.255.0
Network B range: 2.2.2.0 255.255.255.0

I want to have site-to-site VPN to be configured. Traffic flow is initiated from A to B.
i.e.

1.1.1.0/24-----[PIX-A]----VPN Tunnel-----[PIX-B]-----2.2.2.0/240

The requirement is:
The source address from network A must be translated (NAT) to network B range before it enters VPN tunnel.

On PIX-A, I know I can configure NAT to translate the source destination from 1.1.1.0/24 to 2.2.2.0/24 range. I can then specify the traffic for this VPN using access-list (e.g. access-list 100 permit ip 2.2.2.0 0.0.0.255 2.2.2.0 0.0.0.255)

I'm not sure as for the sequence of operation on Cisco PIX.
Which one will be performed first? NAT or VPN? is there a way to specify the order of operation?

If NAT is performed first, then the method I described above will work.
On the other hand, if VPN is performed first, I don't know how to translate the source address.

0
Comment
Question by:blitzlight
2 Comments
 
LVL 13

Accepted Solution

by:
td_miles earned 200 total points
ID: 9872873
I'm not sure what you're trying to achieve ? If you manage to do what you describe, you're going to end up with a packet that is destined for 2.2.2.y with a source of 2.2.2.x. It's possible that the packet will get rejected as a spoof attempt, but if it doesn't, how is the traffic going to get back ? The 2.2.2.y destination will try to send the data back to an address of 2.2.2.x and it will never go to the PIX as it thinks it is "local" traffic (ie on the same LAN subnet).

Order of operation (not sure if this applies equally to PIX or not, I couldn't find anything specific to PIX):
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

You can't change the order of operation, it is set in the code.
0
 
LVL 1

Expert Comment

by:Bill_Szumski
ID: 9986890
You can NAT an address before it enters the VPN tunnel but you can't NAT it to the same subnet as the destination.  I have seen situations where you are bringing up a tunnel to a device and the access list on the other side only allows network access to one address so you would have to NAT all of your traffic to one global.  In this case, however, you must NAT to a subnet that is different than the destination network.
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
Do you have an old router lying around the house that you don’t know what to do with? Check the make and model, then refer to either of these links to see if its compatible. http://www.dd-wrt.com/site/support/router-database http://www.dd-wrt.c…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question