Site to Site VPN w/ conditional NAT PIX
Posted on 2009-07-08
I am having some issues getting this to work. I posted a question previously but still have not figured it out so hopefully I can explain it better here.
We have a site to site vpn tunnel setup with a customer for two of our networks.
Here is the config in our PIX for that tunnel and the corresponding ACLs:
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-list 103 extended permit ip 192.168.7.0 255.255.255.0 host 198.x.x.x
access-list 103 extended permit ip 192.168.100.0 255.255.255.0 host 198.x.x.x
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 host 198.x.x.x
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 host 198.x.x.x
crypto ipsec transform-set des esp-des esp-sha-hmac
crypto map tippmanngroup 1 match address 103
crypto map tippmanngroup 1 set pfs
crypto map tippmanngroup 1 set peer 199.x.x.x
crypto map tippmanngroup 1 set transform-set des
tunnel-group 199.x.x.x type ipsec-l2l
tunnel-group 199.x.x.x ipsec-attributes
I have several other sites that I need to give the customer access to so they can use remote desktop to access these servers. The IPs are listed below.
The issue I have is I NAT those to another IP because those networks are already in use on the customers' end. I would like to NAT each one of those IPs above to one of our external IP addresses so that any traffic coming from one of the above IPs is translated to one of our external IPs. It has to be an external address because of the customer's network. I would like to use the following IPs as the external addresses:
66.x.x.1 to 192.168.40.21
66.x.x.2 to 192.168.40.22
66.x.x.3 to 192.168.40.24
66.x.x.4 to 192.168.6.21
If you need more of the config then please ask.
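A policy (conditional) static NAT configuration for this setup, as an added example that is not part of the original post. It assumes PIX 7.x syntax and that the four servers sit behind the inside interface; the pnat_* ACL names are invented, and the 66.x.x.n / 198.x.x.x placeholders are the ones from the post.

```cisco
! Policy static NAT: each server is translated to its own external address
! only for traffic destined to the customer host 198.x.x.x.
! ACL names (pnat_*) and the inside/outside interface names are assumptions.
access-list pnat_40_21 extended permit ip host 192.168.40.21 host 198.x.x.x
access-list pnat_40_22 extended permit ip host 192.168.40.22 host 198.x.x.x
access-list pnat_40_24 extended permit ip host 192.168.40.24 host 198.x.x.x
access-list pnat_6_21 extended permit ip host 192.168.6.21 host 198.x.x.x
static (inside,outside) 66.x.x.1 access-list pnat_40_21
static (inside,outside) 66.x.x.2 access-list pnat_40_22
static (inside,outside) 66.x.x.3 access-list pnat_40_24
static (inside,outside) 66.x.x.4 access-list pnat_6_21
!
! The crypto ACL is evaluated after translation, so it must match the
! translated (external) addresses, not the private ones.
access-list 103 extended permit ip host 66.x.x.1 host 198.x.x.x
access-list 103 extended permit ip host 66.x.x.2 host 198.x.x.x
access-list 103 extended permit ip host 66.x.x.3 host 198.x.x.x
access-list 103 extended permit ip host 66.x.x.4 host 198.x.x.x
!
! Do not add these four hosts to the nonat ACL: NAT exemption (nat 0)
! takes precedence over static NAT and would leave them untranslated.
! The customer's crypto ACL must mirror this and reference 66.x.x.1-4.
!
! Checks after applying (existing SAs may need clearing to pick up ACL 103):
! show xlate            - expect 66.x.x.n entries once traffic flows
! show crypto ipsec sa  - expect a SA per proxy identity 66.x.x.n <-> 198.x.x.x
```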