Due to some inflexibility on the part of a 3rd party I am faced with adding NAT complexity to what was going to be a simple solution (public to public VPN).
My network has a PIX pair running 6.3(5). There are several interfaces and lots of NAT, Policy NAT etc. To keep thing simple the point of interest are...
static (inside,outside) 62.X.X.1 172.16.1.1 netmask 255.255.255.255 static (inside,outside) 62.X.X.2 172.16.1.2 netmask 255.255.255.255
Originally my crypto-acl was going to use these 2 x public IP's. Now the remote end is telling me that they will not do a public to public connection and they insist that....
Their users will come from say 10.1.1.0/24 (on the outside) and will target the above hosts 62.X.X.1 & .2 by the address 172.23.1.1 & 2 respectively.
So on my PIX I have to say, anything from a source address of
10.1.1.0/24 targeting a destination address of 172.23.1.1 & .2 NAT to the real addresses of 172.16.1.1 & .2.My second problem is I may have to modify the source address of the traffic (10.1.1.0/24) as the main site I control uses various ranges in 10.0.0/8. With this in mind I take it I would need outside NAT.
Any help appreciated here.
I off to blow the dust off my PIX book now to see if I can find a good example or two.
Regards
Darren