Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Site-to-site VPN & NAT

Posted on 2003-12-03
2
Medium Priority
?
907 Views
Last Modified: 2010-08-05
Hi all,

I have two networks (A & B) which using completely different IP range. e.g.
Network A range: 1.1.1.0 255.255.255.0
Network B range: 2.2.2.0 255.255.255.0

I want to have site-to-site VPN to be configured. Traffic flow is initiated from A to B.
i.e.

1.1.1.0/24-----[PIX-A]----VPN Tunnel-----[PIX-B]-----2.2.2.0/240

The requirement is:
The source address from network A must be translated (NAT) to network B range before it enters VPN tunnel.

On PIX-A, I know I can configure NAT to translate the source destination from 1.1.1.0/24 to 2.2.2.0/24 range. I can then specify the traffic for this VPN using access-list (e.g. access-list 100 permit ip 2.2.2.0 0.0.0.255 2.2.2.0 0.0.0.255)

I'm not sure as for the sequence of operation on Cisco PIX.
Which one will be performed first? NAT or VPN? is there a way to specify the order of operation?

If NAT is performed first, then the method I described above will work.
On the other hand, if VPN is performed first, I don't know how to translate the source address.

0
Comment
Question by:blitzlight
2 Comments
 
LVL 13

Accepted Solution

by:
td_miles earned 600 total points
ID: 9872873
I'm not sure what you're trying to achieve ? If you manage to do what you describe, you're going to end up with a packet that is destined for 2.2.2.y with a source of 2.2.2.x. It's possible that the packet will get rejected as a spoof attempt, but if it doesn't, how is the traffic going to get back ? The 2.2.2.y destination will try to send the data back to an address of 2.2.2.x and it will never go to the PIX as it thinks it is "local" traffic (ie on the same LAN subnet).

Order of operation (not sure if this applies equally to PIX or not, I couldn't find anything specific to PIX):
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

You can't change the order of operation, it is set in the code.
0
 
LVL 1

Expert Comment

by:Bill_Szumski
ID: 9986890
You can NAT an address before it enters the VPN tunnel but you can't NAT it to the same subnet as the destination.  I have seen situations where you are bringing up a tunnel to a device and the access list on the other side only allows network access to one address so you would have to NAT all of your traffic to one global.  In this case, however, you must NAT to a subnet that is different than the destination network.
0

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes, you want your microsoft VPN to route all the traffic to the remote network. Usually your employer network. This makes it possible to access all the nodes inside this remote LAN, even if they have no "public DNS" entries. To do so, you wo…
Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question