[Last Call] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1439
  • Last Modified:

Destination NAT with Cisco PIX LAN-to-LAN VPN

We have a site-to-site VPN tunnel between our own Cisco PIX 515E (7.2) and a 3rd party's ASA 5505.

The IP addressing at the 3rd party end clashes with ip addressing on our own network, so we'd like to perform NAT on a network address we're able to route and translate this to their ip addressing, whilst passing the traffic across the vpn tunnel. I.e. we send packets to 192.168.1.x and they're translated to destination 10.0.0.x and pass across the tunnel.

We have two internal interfaces which we'll need perform the NAT across (we'll call them 'inside' and 'dmz' for the sake of this question).

Before I post or describe the config of the PIX, is this possible with a VPN and, if so, can someone describe the NAT configuration that would do what we need?
  • 4
  • 3
1 Solution
It won't just be NAT, but it will require adding routes to the translated addresses as well. You are looking at Policy NAT.
If you want to post the tunnel configs, I can show you what I mean. I don't need any of the PSK or real IPs if you want to hide those for the sake of the example.
jonhicksAuthor Commented:
Ah good, thought policy nat would be the way..

Below is the relevant config:

access-list nat_0_out extended permit ip any
global (out) 1
nat (dmz) 0
nat (inside) 0 access-list nat_0_out
nat (inside) 1

route dmz 1
route inside 1
route out 1

access-list out_cryptomap_1 extended permit ip

crypto map out_map 1 match address out_cryptomap_1
crypto map out_map 1 set pfs
crypto map out_map 1 set peer
crypto map out_map 1 set transform-set ESP-3DES-SHA
crypto map out_map 1 set security-association lifetime seconds 3600
crypto map out_map 1 set reverse-route
crypto map out_map interface out

crypto isakmp enable out
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *

It's complicated slightly because we want to NAT from a different sized subnet. What we want to do is NAT (the 3rd party's range) onto For some reason we have to use a /25 range for the NAT onto their /24 range (we don't expect more than 10 client connections at any one time, so the /25 range is big enough).

Hope that makes sense.
How to change the world, one degree at a time.

By embracing technology, we can solve even the biggest problems—including the gender gap.  By earning a degree from WGU, you have an opportunity to gain the knowledge, credentials, and experience it takes to thrive in today’s high-growth IT industry.

Now that I see the additional details, are there any applications that would need to access a host from the reverse direction after the end of a session? Such as AD, desktop management, ect...? I just want to make sure you have no issues with the config.
jonhicksAuthor Commented:
Yes, the 3rd party will initiate connections in for remote management of some systems they support. And the systems they support need to send data back across, such as snmp traps.
That will be a more complex setup. You will have to do static one to one NAT for the hosts that your side will need to initiate to. You can still do the policy NAT for them connecting randomly. Do you have a list of the hosts you will need to send to?
jonhicksAuthor Commented:
No, but for now we can say and need to be contacted by inside hosts.

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now