PIX 506e VPN Tunnel - Can This Be Done - Cabling-Design.com Forums

All,

I have to set up a site-to-site VPN, standard stuff really. However.... on my remote PIX I have been asked not to enable the NAT or Global commands.

The PIX has a 172.16.31.0 /29 address on its inside interface and a public IP address on it's outside interface. My crypto ACL's permit traffic from this LAN to a remote LAN. The PIX then tunnels the traffic to the remote firewall peer (another PIX).

Ordanarily I would have nonat statements in my config but not so in this case. The PIX will not provide any Internet connectivity, it is simply there to provide this 1 x VPN connection.

Is this valid. I aim to lab it up tomorrow but my curiosity is getting the better of me.

Regards

Darren

In PIX 6, in order for inside traffic to get out, one of the following must be configured:

- nat 0 access-list

- a static IP

- static PAT

- nat non-0 with an access-list

- nat 0 (without an access-list), or a nat/global pair

(The above is highest priority to lowest)

If you cannot (for whatever obscure reasons) use 'nat' or 'global' statements in the configuration, then you will need to use 'static' in order to provide the necessary address translation for inside traffic heading out. This is true even for VPN traffic: the VPN portion of it will not be considered until after address translation has been processed, and if you have no address translation then the packets will not reach the VPN layer.

Unfortunately, you cannot static an entire IP address to the interface IP (you need a second public IP if you want to static an entire internal IP.) Therefor, in order to meet your constraints, you will have to use static PAT,

static (inside,outside) tcp interface PORT INTERNALIP PORT netmask

255.255.255.255 static (inside,outside) udp interface PORT INTERNALIP PORT netmask 255.255.255.255

You will not be able to get icmp or any protocol other than TCP or UDP to translate in this situation.