jonhicks (ASKER) asked:
Destination NAT with Cisco PIX LAN-to-LAN VPN

We have a site-to-site VPN tunnel between our own Cisco PIX 515E (7.2) and a 3rd party's ASA 5505.

The IP addressing at the 3rd party end clashes with IP addressing on our own network, so we'd like to perform NAT on a network address we're able to route and translate this to their IP addressing, whilst passing the traffic across the VPN tunnel. I.e. we send packets to 192.168.1.x and they're translated to destination 10.0.0.x and pass across the tunnel.

We have two internal interfaces which we'll need to perform the NAT across (we'll call them 'inside' and 'dmz' for the sake of this question).

Before I post or describe the config of the PIX, is this possible with a VPN and, if so, can someone describe the NAT configuration that would do what we need?
ASKER CERTIFIED SOLUTION
ciscoguy69

ciscoguy69
If you want to post the tunnel configs, I can show you what I mean. I don't need any of the PSK or real IPs if you want to hide those for the sake of the example.
jonhicks (ASKER)
Ah good, thought policy NAT would be the way...

Below is the relevant config:

access-list nat_0_out extended permit ip any 192.168.1.0 255.255.255.0
nat-control
global (out) 1 212.1.1.10
nat (dmz) 0 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nat_0_out
nat (inside) 1 10.2.0.0 255.255.0.0

route dmz 10.10.0.0 255.255.0.0 172.16.1.3 1
route inside 10.2.0.0 255.255.0.0 10.1.1.1 1
route out 0.0.0.0 0.0.0.0 212.1.1.1 1

access-list out_cryptomap_1 extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0

crypto map out_map 1 match address out_cryptomap_1
crypto map out_map 1 set pfs
crypto map out_map 1 set peer 212.10.10.1
crypto map out_map 1 set transform-set ESP-3DES-SHA
crypto map out_map 1 set security-association lifetime seconds 3600
crypto map out_map 1 set reverse-route
crypto map out_map interface out

crypto isakmp enable out
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 212.10.10.1 type ipsec-l2l
tunnel-group 212.10.10.1 ipsec-attributes
 pre-shared-key *

It's complicated slightly because we want to NAT from a different sized subnet. What we want to do is NAT 192.168.1.0/24 (the 3rd party's range) onto 10.0.50.128/25. For some reason we have to use a /25 range for the NAT onto their /24 range (we don't expect more than 10 client connections at any one time, so the /25 range is big enough).

Hope that makes sense.
ciscoguy69

Now that I see the additional details, are there any applications that would need to access a host from the reverse direction after the end of a session? Such as AD, desktop management, etc.? I just want to make sure you have no issues with the config.

jonhicks (ASKER)

Yes, the 3rd party will initiate connections in for remote management of some systems they support. And the systems they support need to send data back across, such as SNMP traps.

ciscoguy69

That will be a more complex setup. You will have to do static one-to-one NAT for the hosts that your side will need to initiate to. You can still do the policy NAT for them connecting randomly. Do you have a list of the hosts you will need to send to?

jonhicks (ASKER)

No, but for now we can say 192.168.1.10 and 192.168.1.11 need to be contacted by inside hosts.
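The following PIX 7.2 fragment is an added illustration (editor's example, not config posted by ciscoguy69 or jonhicks) of how the two pieces described in the thread fit together: static one-to-one outside NAT for 192.168.1.10 and 192.168.1.11, which our side initiates to, and dynamic policy outside NAT for any other 3rd-party host that connects in. Interface names 'inside', 'dmz' and 'out', the local network 10.10.0.0/16 and the crypto ACL are taken from the posted config; the mapped addresses 10.0.50.130/.131, the pool 10.0.50.200-10.0.50.250, the ACL name remote_policy_nat and NAT id 2 are assumed for the example.

```cisco
! Added example, not part of the thread. Names and mapped addresses are assumed;
! interface names and the 10.10.0.0/16 local network come from the posted config.
!
! 1. Static one-to-one outside NAT for the 3rd-party hosts our side initiates to.
!    Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
!    The real host 192.168.1.10 sits beyond 'out' (across the tunnel); hosts on
!    inside and dmz address it as 10.0.50.130. The PIX rewrites the destination to
!    192.168.1.10 before the crypto ACL is evaluated, so the packet is encrypted.
static (out,inside) 10.0.50.130 192.168.1.10 netmask 255.255.255.255
static (out,inside) 10.0.50.131 192.168.1.11 netmask 255.255.255.255
static (out,dmz)    10.0.50.130 192.168.1.10 netmask 255.255.255.255
static (out,dmz)    10.0.50.131 192.168.1.11 netmask 255.255.255.255
!
! 2. Dynamic policy outside NAT for any other 3rd-party host that connects in
!    (remote management, SNMP traps): its 192.168.1.x source is hidden behind a
!    pool inside the /25, so it never collides with the local 192.168.1.x range.
!    The ACL lists the real (pre-translation) 3rd-party source and our network.
access-list remote_policy_nat extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (out) 2 access-list remote_policy_nat outside
global (inside) 2 10.0.50.200-10.0.50.250 netmask 255.255.255.128
global (dmz) 2 10.0.50.200-10.0.50.250 netmask 255.255.255.128
!
! 3. Unchanged from the posted config: the crypto ACL keeps matching on the real
!    3rd-party range, and the nat 0 exemption keeps our sources out of the PAT
!    to 212.1.1.10 on the way into the tunnel.
!    access-list out_cryptomap_1 extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
!    nat (inside) 0 access-list nat_0_out
!
! 4. Inside and dmz hosts still need a route for 10.0.50.128/25 that points at
!    the PIX, otherwise the mapped addresses never reach the firewall.
!
! 5. Verification: 'show xlate' should list the static entries once traffic
!    flows; 'show crypto ipsec sa' should show encaps/decaps counters rising
!    for the 10.10.0.0/16 <-> 192.168.1.0/24 proxy identity.
```

The ordering matters for the overlap problem: on a pre-8.3 PIX, destination NAT from the static is applied before the crypto map is consulted, so the crypto ACL is written against the 3rd party's real 192.168.1.0/24 (as already posted) rather than the 10.0.50.128/25 mapped range. The policy NAT in step 2 only fires for connections the 3rd party starts; anything our side starts must use one of the static mappings, which is why ciscoguy69 asks for the list of hosts.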