NAT Question

I hope I ask this correctly as I am covering for our network engineer. We have an IPsec VPN tunnel to a partner site between two Cisco PIX 515E firewalls. Our partner site stated that we NAT our internal addresses to their internal address scheme, so we have a server that has a static entry:

static (inside,internet) 10.103.5.1 10.0.33.70 netmask 255.255.255.255

So this server does not get a global address from the pool as all the others do. This seems to mean that the server (10.0.33.70) can traverse the tunnel and get to our partner correctly but not get to the regular internet. Now the problem is they want to add another server to the tunnel, which is not hard to do, except they still want to have this new server access the internet. Once I put the static in for the new server it can traverse the tunnel but of course does not have regular internet access. Is there any way to be able to do both? Any thoughts would be appreciated.

Cory

corydch

You can do policy NATing.

1. First create an access-list that defines the traffic for which you want to create a static:

access-list acl-vpnnat permit ip host 10.0.33.70 [partner inside subnet]

2. Then create a static using this ACL:

static (inside,internet) 10.103.5.1 access-list acl-vpnnat

This way the server 10.0.33.70 will be translated to 10.103.5.1 only when calling the partner's subnet. All other traffic will be NATed by your regular nat (inside) + global (internet) commands, which I assume you already have.

Not sure, but I think you need at least 6.2(2) for this to work.

mcaissie
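The two steps above, assembled into one complete PIX configuration that also covers the second server the question asks about. This is an added example and not configuration from either poster: the interface names inside/internet and the addresses 10.0.33.70 and 10.103.5.1 come from the thread, while the partner subnet 172.16.0.0/24, the second server 10.0.33.71 and its translated address 10.103.5.2, the internal subnet 10.0.33.0/24, and the ACL and crypto map names are assumed placeholders. Lines starting with "!" are annotations, not commands.

```cisco
! Added example, not from the thread. Placeholder values are marked as assumed.
! 1. Policy static for the existing server: translate 10.0.33.70 to the
!    partner-assigned address 10.103.5.1 only for traffic to the partner subnet.
access-list acl-vpnnat permit ip host 10.0.33.70 172.16.0.0 255.255.255.0
static (inside,internet) 10.103.5.1 access-list acl-vpnnat

! 2. Same pattern for the new server (addresses assumed). Each server gets
!    its own ACL and its own translated address from the partner's scheme.
access-list acl-vpnnat2 permit ip host 10.0.33.71 172.16.0.0 255.255.255.0
static (inside,internet) 10.103.5.2 access-list acl-vpnnat2

! 3. Ordinary dynamic NAT/PAT for everything else. Static entries are matched
!    before nat/global, so the two servers still reach the Internet through the
!    outside interface address for any destination that is not the partner subnet.
nat (inside) 1 10.0.33.0 255.255.255.0
global (internet) 1 interface

! 4. The crypto ACL must reference the translated addresses: on the PIX, NAT is
!    applied before the packet is compared against the crypto map, so matching
!    on the untranslated 10.0.33.x hosts would leave the traffic unencrypted.
access-list acl-crypto permit ip host 10.103.5.1 172.16.0.0 255.255.255.0
access-list acl-crypto permit ip host 10.103.5.2 172.16.0.0 255.255.255.0
crypto map partner-map 10 match address acl-crypto

! 5. Verify: the policy translations should appear next to the PAT entries,
!    and the partner-bound flows should be counted as encrypted.
show xlate
show crypto ipsec sa
```

After applying this, `show xlate` should show a static entry for each server while a browse to an Internet host from the same server creates a PAT entry on the outside interface address; if only one of the two appears, check that the policy ACL and the crypto ACL agree on the partner subnet and that no `nat (inside) 0 access-list` entry is catching the server's traffic first.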
