site2site ipsec with nat

I have to build an IPsec tunnel between 2 PIX 515 firewalls, nothing special. But the private IP range of site A needs to be translated to another private IP range before being able to connect to site B through the IPsec tunnel. Private range site A 192.168.1.0/24 needs to be translated to 172.16.1.0/24 because private range site B 172.16.2.0/24 only allows the subnet 172.16.1.0/24 to connect. So NAT should only be done for the IPsec tunnel between site A and B. For other IPsec tunnels packets should not be translated. Is this possible and how? Can anyone help me? Thanks already.
Reply to
chackamakka

In article , chackamakka wrote:
:I have to build a ipsec tunnel between 2 pix 515 firewalls, nothing
:special.
:But the private ip range of site A needs to be translated to another
:private ip range before being able to connect to site B through the
:ipsec tunnel.

Unfortunately, our resident FAQ-builder has been busy the last 6 years running ;-) Here's the link you need.


Reply to
Walter Roberson

Hi all, so to recall my question: I'm in the 192.168.50.0 network and every connection to the 192.168.30.0 network needs to be translated first to a 172.16.10.0 address. I also need to publish a host 192.168.50.10 as 172.16.10.10. This is what I've got so far, can anyone give me some feedback?

access-list IPSEC_NAT permit ip 172.16.10.0 255.255.255.0 192.168.30.0 255.255.255.0
ip address outside OUTSIDE_IP 255.255.255.240
ip address inside INSIDE_IP 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
static (outside,inside) 192.168.50.0 172.16.10.0 netmask 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 ROUTER_IP
sysopt connection permit-ipsec
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
crypto map TEST_map 10 ipsec-isakmp
crypto map TEST_map 10 match address IPSEC_NAT
crypto map TEST_map 10 set pfs group2
crypto map TEST_map 10 set peer PIX_PEER
crypto map TEST_map 10 set transform-set TEST
crypto map TEST_map 10 set security-association lifetime seconds 7200 kilobytes 4608000
crypto map TEST_map interface outside
isakmp enable outside
isakmp key ENCRYPTION_KEY address PIX_PEER netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

greetz

Walter Roberson wrote:
> :I have to build a ipsec tunnel between 2 pix 515 firewalls, nothing
> :special.

Reply to
chackamakka

:access-list IPSEC_NAT permit ip 172.16.10.0 255.255.255.0 192.168.30.0 255.255.255.0

Good, that ACL is consistent with what you outlined.

:global (outside) 1 interface
:nat (inside) 1 192.168.50.0 255.255.255.0 0 0

Okay, that will be applied for all traffic towards the outside that is not exempted by a static or higher priority nat.

:static (outside,inside) 192.168.50.0 172.16.10.0 netmask 255.255.255.0 0 0

That command means "If you see an incoming packet with 172.16.10/24 as the -source-, then translate it so that it has a 192.168.50/24 source address instead; if you see an outgoing packet with a 192.168.50/24 destination, then translate it to a 172.16.10/24 destination." That is not what you want to do.

You also have the problem that the above command applies to -all- traffic, not just to traffic over the VPN.

What I would suggest is,

access-list tunnel_to_remote_acl permit ip 172.16.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list nat_to_remote_acl permit ip 192.168.50.0 255.255.255.0 192.168.30.0 255.255.255.0
crypto map TEST_map 10 match address tunnel_to_remote_acl
global (outside) 1 interface
global (outside) 2 172.16.10.0 netmask 255.255.255.0
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
nat (inside) 2 access-list nat_to_remote_acl dns

nat with an access-list has a higher priority than nat without an ACL, so any traffic that matches nat_to_remote_acl (that is, traffic to 192.168.30/24) will have global 2 applied, thus translating the outgoing source addresses to 172.16.10/24. The crypto map match address is looked at -after- NAT has taken place, so the newly mapped source addresses of 172.16.10/24 will match the tunnel_to_remote_acl so the traffic will get carried over the VPN.

You may notice that tunnel_to_remote_acl is the same content as your IPSEC_NAT acl. You could continue to use the name IPSEC_NAT where you are now, but since the ACL is not controlling NAT (it is controlling VPN traffic), the name would be deceptive.

Reply to
Walter Roberson
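As an added illustration of the order of operations the reply above depends on (this is editor-written Python, not part of the thread and not PIX code), the following small model walks a packet through the suggested configuration: policy NAT (nat with an access-list) is chosen ahead of plain nat, the mapped source comes from the matching global (interface PAT for nat 1, the 172.16.10.0/24 pool for nat 2), and only then is the crypto map's match address ACL checked against the translated source. It also runs the same packet through the original post's configuration (plain nat 1 only) to show why that traffic never reached the tunnel. OUTSIDE_IP is a placeholder (203.0.113.2, documentation space) and the xlate allocation is a simplified first-free model; both are assumptions of this example.

```python
"""Model of the PIX 6.x order of operations used in the thread:
policy NAT beats plain nat, a mapped source is assigned from the matching
global, and only THEN is the crypto map 'match address' ACL consulted,
against the translated source address. Editor-written example."""
from ipaddress import IPv4Address, IPv4Network

# Placeholder for the post's OUTSIDE_IP (an assumption; TEST-NET-3 space).
OUTSIDE_IP = IPv4Address("203.0.113.2")

# Access-lists as (source net, destination net) pairs, mirroring the thread.
ACLS = {
    "tunnel_to_remote_acl": [(IPv4Network("172.16.10.0/24"), IPv4Network("192.168.30.0/24"))],
    "nat_to_remote_acl": [(IPv4Network("192.168.50.0/24"), IPv4Network("192.168.30.0/24"))],
}
# global (outside) <id>: 1 = interface PAT, 2 = dynamic pool 172.16.10.0/24
GLOBALS = {1: "interface", 2: IPv4Network("172.16.10.0/24")}
# Suggested config: plain nat 1 plus policy nat 2 keyed on nat_to_remote_acl.
SUGGESTED_NAT = [
    {"id": 1, "acl": None, "real": IPv4Network("192.168.50.0/24")},
    {"id": 2, "acl": "nat_to_remote_acl", "real": None},
]
# Original post: only the plain nat 1 (its static (outside,inside) is not
# modelled; it translates in the other direction and never touches this flow).
ORIGINAL_NAT = SUGGESTED_NAT[:1]
CRYPTO_MATCH = "tunnel_to_remote_acl"


def acl_permits(name, src, dst):
    """True if any entry of the named ACL permits src -> dst."""
    return any(src in s and dst in d for s, d in ACLS[name])


class Pix:
    def __init__(self, nat_rules):
        self.nat_rules = nat_rules
        self.xlate = {}        # (nat_id, real_src) -> mapped IPv4Address or "ip:port"
        self.next_port = 1024  # simplified PAT port counter (assumption)

    def _select_nat(self, src, dst):
        # nat with an access-list has higher priority than nat without one
        policy = [r for r in self.nat_rules if r["acl"] and acl_permits(r["acl"], src, dst)]
        plain = [r for r in self.nat_rules if not r["acl"] and src in r["real"]]
        return (policy or plain or [None])[0]

    def _mapped(self, nat_id, src):
        key = (nat_id, src)
        if key not in self.xlate:
            pool = GLOBALS[nat_id]
            if pool == "interface":
                self.xlate[key] = f"{OUTSIDE_IP}:{self.next_port}"
                self.next_port += 1
            else:
                # dynamic pool: first free address; the host part is NOT preserved
                used = set(self.xlate.values())
                self.xlate[key] = next(a for a in pool.hosts() if a not in used)
        return self.xlate[key]

    def forward(self, src, dst):
        """Translate an inside -> outside packet and decide if the VPN carries it."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        rule = self._select_nat(src, dst)
        if rule is None:
            return {"nat_id": None, "mapped_src": None, "via_vpn": False}
        mapped = self._mapped(rule["id"], src)
        mapped_ip = mapped if isinstance(mapped, IPv4Address) else OUTSIDE_IP
        # crypto map match address is evaluated after NAT, on the mapped source
        return {"nat_id": rule["id"], "mapped_src": str(mapped),
                "via_vpn": acl_permits(CRYPTO_MATCH, mapped_ip, dst)}


if __name__ == "__main__":
    pix = Pix(SUGGESTED_NAT)
    print(pix.forward("192.168.50.10", "192.168.30.5"))   # nat 2, 172.16.10.1, via_vpn True
    print(pix.forward("192.168.50.10", "198.51.100.9"))   # nat 1, interface PAT, via_vpn False
    print(Pix(ORIGINAL_NAT).forward("192.168.50.10", "192.168.30.5"))  # PAT, never tunneled
```

Two things the model makes visible that the config lines alone do not. First, with only the original nat 1, traffic to 192.168.30.0/24 leaves with the outside interface address as its source, so a crypto ACL written for 172.16.10.0/24 can never match and the packets go out in the clear toward the default route. Second, the global 2 pool hands out addresses in pool order, so 192.168.50.10 lands on 172.16.10.1 here, not on 172.16.10.10; the "publish a host" requirement from the second post needs its own fixed translation, which the suggested config does not provide.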

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.