Solved

Site-to-site VPN & NAT

Posted on 2003-12-03
2
891 Views
Last Modified: 2010-08-05
Hi all,

I have two networks (A & B) which using completely different IP range. e.g.
Network A range: 1.1.1.0 255.255.255.0
Network B range: 2.2.2.0 255.255.255.0

I want to have site-to-site VPN to be configured. Traffic flow is initiated from A to B.
i.e.

1.1.1.0/24-----[PIX-A]----VPN Tunnel-----[PIX-B]-----2.2.2.0/240

The requirement is:
The source address from network A must be translated (NAT) to network B range before it enters VPN tunnel.

On PIX-A, I know I can configure NAT to translate the source destination from 1.1.1.0/24 to 2.2.2.0/24 range. I can then specify the traffic for this VPN using access-list (e.g. access-list 100 permit ip 2.2.2.0 0.0.0.255 2.2.2.0 0.0.0.255)

I'm not sure as for the sequence of operation on Cisco PIX.
Which one will be performed first? NAT or VPN? is there a way to specify the order of operation?

If NAT is performed first, then the method I described above will work.
On the other hand, if VPN is performed first, I don't know how to translate the source address.

0
Comment
Question by:blitzlight
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 13

Accepted Solution

by:
td_miles earned 200 total points
ID: 9872873
I'm not sure what you're trying to achieve ? If you manage to do what you describe, you're going to end up with a packet that is destined for 2.2.2.y with a source of 2.2.2.x. It's possible that the packet will get rejected as a spoof attempt, but if it doesn't, how is the traffic going to get back ? The 2.2.2.y destination will try to send the data back to an address of 2.2.2.x and it will never go to the PIX as it thinks it is "local" traffic (ie on the same LAN subnet).

Order of operation (not sure if this applies equally to PIX or not, I couldn't find anything specific to PIX):
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

You can't change the order of operation, it is set in the code.
0
 
LVL 1

Expert Comment

by:Bill_Szumski
ID: 9986890
You can NAT an address before it enters the VPN tunnel but you can't NAT it to the same subnet as the destination.  I have seen situations where you are bringing up a tunnel to a device and the access list on the other side only allows network access to one address so you would have to NAT all of your traffic to one global.  In this case, however, you must NAT to a subnet that is different than the destination network.
0

Featured Post

[Webinar] Learn How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question