Solved

Pix Nat Setup

Posted on 2005-04-28
Last Modified: 2013-11-16
Hi,

I need to set up NAT for the inside interface. The inside is 10.1.3.0/24 and, because of a site-to-site VPN, I need to translate that address to 10.1.4.0/24.

I don't even know where to start with this.

Example: if inside host 10.1.3.2 accesses the VPN, I need its address to translate to 10.1.4.2.

Thanks,
Donnie
Question by: Donnie4572
6 Comments
 
Author Comment
by: Donnie4572
ID: 13886516
global (inside) 10.1.4.0-10.1.4.254 netmask 255.255.255.0

Is this what I need to do? If yes, how is this applied to the inside interface? nat (inside) 0 ??

Thanks for any help.

Donnie

Accepted Solution
by: pazmanpro (earned 2000 total points)
ID: 13888858
Not quite. Now I am assuming that the users are also able to browse the web through the PIX, and that only when accessing devices on the other side of the network over the VPN will they be translated. Also, the translation is going from the inside to the outside; that is, a host on the inside 10.1.3.X accessing the VPN will be going as 10.1.4.Y to the other end.

What you first have to do is create an access-list defining what network will be translated when accessing what. So

> access-list inside_to_vpn permit ip 10.1.3.0 255.255.255.0 <ip_network_over_vpn> <netmask>

Next, associate the access-list with a NAT pool.

> nat (inside) 5 access-list inside_to_vpn

Now associate the NAT pool with the pool of IP addresses.

> global (outside) 5 10.1.4.0-10.1.4.254 netmask 255.255.255.0

You should then have your NAT pools to allow other traffic, going to the internet for instance, to be translated to the public IP address. That is

> global (outside) 10 interface (or other ip pool)
> nat (inside) 10 0.0.0.0 0.0.0.0 0 0

The ID numbers (5 and 10 in this case) are important, as they are matched in order.

Now under normal circumstances, the traffic over a VPN is exempted from NAT, that is, the IP addresses are unchanged. You will have to ensure that these entries are not in there, as they are matched first before any others. Look for the commands "nat (inside) 0".

Hope this helps.

Expert Comment
by: pazmanpro
ID: 13888873
As a note, the IP translations are not a 1 to 1 matching. That is, 10.1.3.4 is not translated to 10.1.4.4, but translated to the first available IP in the pool, which could possibly be 10.1.4.100.

Author Comment
by: Donnie4572
ID: 13889299
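The ordering behaviour described in the accepted answer and the note above (lowest nat ID matched first, a leftover nat (inside) 0 exemption short-circuiting the policy NAT, and the global pool handing out the first free address rather than a 1:1 mapping) as a small Python model. This is an added example, not configuration from the thread or Cisco code; the remote VPN subnet 192.168.50.0/24 and the outside address 203.0.113.1 are constructed, and the model covers only the statement types the thread mentions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NatRule:
    """One 'nat (inside) <id>' statement paired with its 'global (outside) <id>' pool."""
    nat_id: int
    src_net: ipaddress.IPv4Network
    dst_net: Optional[ipaddress.IPv4Network] = None  # None: any destination (no ACL)
    pool: list = field(default_factory=list)          # global addresses for this id
    pat: bool = False                                  # True: every host shares pool[0]
    xlate: dict = field(default_factory=dict)          # inside host -> assigned global
    def matches(self, src, dst):
        return src in self.src_net and (self.dst_net is None or dst in self.dst_net)
    def translate(self, src):
        if self.nat_id == 0:          # nat 0 exemption: address leaves unchanged
            return src
        if self.pat:                  # "global (outside) N interface": one shared address
            return self.pool[0]
        if src not in self.xlate:     # dynamic NAT: lowest free pool address, not 1:1
            free = [a for a in self.pool if a not in self.xlate.values()]
            if not free:
                raise RuntimeError(f"global pool for nat id {self.nat_id} exhausted")
            self.xlate[src] = free[0]
        return self.xlate[src]

def translate(rules, src, dst):
    """Source address a packet src->dst leaves the PIX with; lowest nat id is checked first."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.nat_id):
        if rule.matches(src, dst):
            return str(rule.translate(src))
    return str(src)  # no matching statement: untranslated

INSIDE = ipaddress.ip_network("10.1.3.0/24")
REMOTE = ipaddress.ip_network("192.168.50.0/24")  # constructed far-end VPN subnet

def thread_config(stale_nat0=False):
    """The accepted answer's rules; optionally the leftover 'nat (inside) 0' it warns about."""
    rules = [NatRule(5, INSIDE, REMOTE, pool=list(ipaddress.ip_network("10.1.4.0/24").hosts())),
             NatRule(10, ipaddress.ip_network("0.0.0.0/0"), pat=True,
                     pool=[ipaddress.ip_address("203.0.113.1")])]  # constructed outside address
    if stale_nat0:
        rules.append(NatRule(0, INSIDE, REMOTE))  # matched before id 5, so id 5 never fires
    return rules

if __name__ == "__main__":  # prints 10.1.4.1, then 10.1.3.4 once the stale nat 0 is present
    print(translate(thread_config(), "10.1.3.4", "192.168.50.10"),
          translate(thread_config(stale_nat0=True), "10.1.3.4", "192.168.50.10"))
```

A second inside host gets the next free pool address while a host that already has a translation keeps it, which is the "first available, not 1:1" behaviour the note describes.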
Thanks for your reply.

You have explained exactly what I need.

The access list for the tunnel: does it have to contain the actual address of the host, the translated address, or both?

Expert Comment
by: lrmoore
ID: 13890112
The access-list for the actual tunnel must include the translated addresses (global) as the source and the remote network as the destination.

  access-list site1_vpn permit ip 10.1.4.0 255.255.255.0 <remote IP subnet> <mask>


Author Comment
by: Donnie4572
ID: 13890123
Thank You.