Cisco PIX 515E Policy NAT

I have no issues setting up a VPN, but now I have an issue where the vendor has the same internal private network as we do: they have 10.0.0.0 and we have 10.168.0.0. We need to do a policy NAT so that it comes over as another address over the VPN. I did a static policy NAT with the source being the server on my network, translated to the private address (let's say 192.168.1.20, the NAT address) that they wanted it to be policy NATted to, and with the destination being their private network, and then enabled PAT for the port that is supposed to come over. I guess I want to know the right way to do a policy NAT for an internal IP over a VPN.
 
adrianjfx Asked:
Jordon_M Commented:
I just ran into a similar scenario a few weeks ago.  I followed the below doc and it worked out for me.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
hossam82 Commented:
You may find the solution in this link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

You will create an ACL that matches your traffic and use it in the NAT configuration.
adrianjfx Author Commented:
OK, going to try it this morning.
adrianjfx Author Commented:
Might be a silly statement, but if I create the VPN with the real address of our machine and then create the policy NAT, I guess it won't work, because the VPN establishes for interesting traffic: if it is looking for my internal client's real address it won't work, because the policy NAT would change it to the next "fake private address". I am also trying to understand this. Thanks.
Jordon_M Commented:
That is correct.  You will use the nat address to define the interesting traffic.
adrianjfx Author Commented:
In the Add Static Policy NAT Rule (I am using ASDM), the Static Translation options I am using are:

Interface: inside (or should this be outside?)
IP Address: fake address

and PAT is disabled.

I apologize for running on and appreciate the assistance.
adrianjfx Author Commented:
Also, should I have NAT-T enabled or disabled on the tunnel?
adrianjfx Author Commented:
I don't know what is wrong. I ran show isakmp sa and I see my other 2 VPNs, but I don't see this one.

I ran these commands:

access-list policy-nat extended permit ip 10.168.4.62 255.255.255.255 10.129.35.232 255.255.255.252
static (inside,outside) 170.150.161.10 access-list policy-nat
Jordon_M Commented:
Do you have 170.150.161.10 listed in your ACL for interesting traffic?  You will also need to initiate traffic from 10.168.4.62.
adrianjfx Author Commented:
Some of the info on what is configured; hope it provides some insight.
FIRE1.jpeg
VPN1.jpg
NAT1.jpeg
PACKET-FLOW.jpeg
adrianjfx Author Commented:
Summary of what is needed:
SUMMARY.jpeg
hossam82 Commented:
(1) ACL: Host 1 --> Host 2
(2) Use the ACL in the policy NAT: Host 1 --> 170.150.161.10
(3) Interesting traffic:
      170.150.161.10 --> Host 2 at (A)
      Host 2 --> 170.150.161.10 at (B)
(4) Make sure of NAT 0 at (B):
      NAT 0: Host 2 --> 170.150.161.10
(5) In the static policy NAT rule:
      try to use it with IP instead of TCP = 11940.

Thanks
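Added example (not code from the thread or from any participant): a small Python checker that encodes the rule Jordon_M and hossam82 give above. On PIX 7.x the policy NAT static rewrites the source address before the crypto map's interesting-traffic ACL is evaluated, so that ACL must name the translated address (170.150.161.10), not the real inside host (10.168.4.62). The two embedded configurations are constructed samples in PIX 7.x syntax using the thread's addresses; the ACL name vpn-vendor, the crypto map name outside_map and its sequence number are placeholders. The remote side's NAT 0 exemption (step 4) is not modeled here.

```python
"""Consistency check: PIX/ASA policy NAT versus the IPsec interesting-traffic ACL.

Parses access-list, policy-NAT static and crypto-map match lines and reports
when the crypto ACL is written with the real inside address instead of the
address the static translates it to.
"""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample: crypto ACL uses the translated address (correct).
GOOD_CONFIG = """
access-list policy-nat extended permit ip 10.168.4.62 255.255.255.255 10.129.35.232 255.255.255.252
static (inside,outside) 170.150.161.10 access-list policy-nat
access-list vpn-vendor extended permit ip host 170.150.161.10 10.129.35.232 255.255.255.252
crypto map outside_map 20 match address vpn-vendor
"""

# Constructed sample: crypto ACL uses the real inside host (the mistake in the thread).
BAD_CONFIG = """
access-list policy-nat extended permit ip 10.168.4.62 255.255.255.255 10.129.35.232 255.255.255.252
static (inside,outside) 170.150.161.10 access-list policy-nat
access-list vpn-vendor extended permit ip host 10.168.4.62 10.129.35.232 255.255.255.252
crypto map outside_map 20 match address vpn-vendor
"""


def _parse_addr(tokens, i):
    """Parse one PIX address spec at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX extended ACLs take subnet masks, not wildcard masks.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (acls, statics, crypto_acls) for the lines this check cares about."""
    acls = {}         # name -> [(src_net, dst_net), ...]
    statics = []      # [(mapped_ip, acl_name), ...] for policy-NAT statics only
    crypto_acls = []  # ACL names referenced by 'crypto map ... match address'
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and "permit" in t:
            i = t.index("permit") + 2          # skip the protocol keyword
            src, i = _parse_addr(t, i)
            dst, i = _parse_addr(t, i)         # any port tokens after dst are ignored
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "static":
            m = re.match(r"static \((\S+?),(\S+?)\) (\S+) access-list (\S+)", line.strip())
            if m:
                statics.append((ipaddress.ip_address(m.group(3)), m.group(4)))
        elif line.strip().startswith("crypto map") and "address" in t:
            crypto_acls.append(t[t.index("address") + 1])
    return acls, statics, crypto_acls


def check_policy_nat_vpn(text):
    """Return a list of findings; an empty list means the crypto ACL matches the NAT."""
    acls, statics, crypto_acls = parse_config(text)
    crypto_entries = [e for name in crypto_acls for e in acls.get(name, [])]
    findings = []
    for mapped, acl_name in statics:
        for real_src, dst in acls.get(acl_name, []):
            covered = False
            for csrc, cdst in crypto_entries:
                if not cdst.overlaps(dst):
                    continue
                if mapped in csrc:
                    covered = True
                elif csrc.overlaps(real_src):
                    findings.append(
                        f"crypto ACL matches real source {real_src} to {dst}; policy NAT "
                        f"rewrites it to {mapped} before the tunnel, so this entry never matches")
            if not covered:
                findings.append(f"no interesting-traffic entry for {mapped} -> {dst}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_policy_nat_vpn(cfg) or "OK")
```

The check only models the local (A) side; on the remote (B) side the mirror-image crypto ACL must point at 170.150.161.10 as the destination and be exempted from NAT with nat 0, as hossam82's step 4 describes.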
adrianjfx Author Commented:
Ultimately, check your configuration, because there was miscommunication about what was meant for my private IP and theirs. Once I switched around the IPs, everything worked.