blitzlight
asked on
Site-to-site VPN & NAT
Hi all,
I have two networks (A & B) which using completely different IP range. e.g.
Network A range: 1.1.1.0 255.255.255.0
Network B range: 2.2.2.0 255.255.255.0
I want to have site-to-site VPN to be configured. Traffic flow is initiated from A to B.
i.e.
1.1.1.0/24-----[PIX-A]----
The requirement is:
The source address from network A must be translated (NAT) to network B range before it enters VPN tunnel.
On PIX-A, I know I can configure NAT to translate the source destination from 1.1.1.0/24 to 2.2.2.0/24 range. I can then specify the traffic for this VPN using access-list (e.g. access-list 100 permit ip 2.2.2.0 0.0.0.255 2.2.2.0 0.0.0.255)
I'm not sure as for the sequence of operation on Cisco PIX.
Which one will be performed first? NAT or VPN? is there a way to specify the order of operation?
If NAT is performed first, then the method I described above will work.
On the other hand, if VPN is performed first, I don't know how to translate the source address.
I have two networks (A & B) which using completely different IP range. e.g.
Network A range: 1.1.1.0 255.255.255.0
Network B range: 2.2.2.0 255.255.255.0
I want to have site-to-site VPN to be configured. Traffic flow is initiated from A to B.
i.e.
1.1.1.0/24-----[PIX-A]----
The requirement is:
The source address from network A must be translated (NAT) to network B range before it enters VPN tunnel.
On PIX-A, I know I can configure NAT to translate the source destination from 1.1.1.0/24 to 2.2.2.0/24 range. I can then specify the traffic for this VPN using access-list (e.g. access-list 100 permit ip 2.2.2.0 0.0.0.255 2.2.2.0 0.0.0.255)
I'm not sure as for the sequence of operation on Cisco PIX.
Which one will be performed first? NAT or VPN? is there a way to specify the order of operation?
If NAT is performed first, then the method I described above will work.
On the other hand, if VPN is performed first, I don't know how to translate the source address.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You can NAT an address before it enters the VPN tunnel but you can't NAT it to the same subnet as the destination. I have seen situations where you are bringing up a tunnel to a device and the access list on the other side only allows network access to one address so you would have to NAT all of your traffic to one global. In this case, however, you must NAT to a subnet that is different than the destination network.