Solved

Site-to-site VPN & NAT

Posted on 2003-12-03
2
885 Views
Last Modified: 2010-08-05
Hi all,

I have two networks (A & B) which using completely different IP range. e.g.
Network A range: 1.1.1.0 255.255.255.0
Network B range: 2.2.2.0 255.255.255.0

I want to have site-to-site VPN to be configured. Traffic flow is initiated from A to B.
i.e.

1.1.1.0/24-----[PIX-A]----VPN Tunnel-----[PIX-B]-----2.2.2.0/240

The requirement is:
The source address from network A must be translated (NAT) to network B range before it enters VPN tunnel.

On PIX-A, I know I can configure NAT to translate the source destination from 1.1.1.0/24 to 2.2.2.0/24 range. I can then specify the traffic for this VPN using access-list (e.g. access-list 100 permit ip 2.2.2.0 0.0.0.255 2.2.2.0 0.0.0.255)

I'm not sure as for the sequence of operation on Cisco PIX.
Which one will be performed first? NAT or VPN? is there a way to specify the order of operation?

If NAT is performed first, then the method I described above will work.
On the other hand, if VPN is performed first, I don't know how to translate the source address.

0
Comment
Question by:blitzlight
2 Comments
 
LVL 13

Accepted Solution

by:
td_miles earned 200 total points
ID: 9872873
I'm not sure what you're trying to achieve ? If you manage to do what you describe, you're going to end up with a packet that is destined for 2.2.2.y with a source of 2.2.2.x. It's possible that the packet will get rejected as a spoof attempt, but if it doesn't, how is the traffic going to get back ? The 2.2.2.y destination will try to send the data back to an address of 2.2.2.x and it will never go to the PIX as it thinks it is "local" traffic (ie on the same LAN subnet).

Order of operation (not sure if this applies equally to PIX or not, I couldn't find anything specific to PIX):
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

You can't change the order of operation, it is set in the code.
0
 
LVL 1

Expert Comment

by:Bill_Szumski
ID: 9986890
You can NAT an address before it enters the VPN tunnel but you can't NAT it to the same subnet as the destination.  I have seen situations where you are bringing up a tunnel to a device and the access list on the other side only allows network access to one address so you would have to NAT all of your traffic to one global.  In this case, however, you must NAT to a subnet that is different than the destination network.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question