VPN and http NAT on a 506E

I am configuring a 506E for VPN. I have been requested to NAT the SRC IPs into an address that is different from the address that is used for usual Internet access. Research has shown that the 506E can only support 1 IP address on its outside interface, therefore I am guessing the only way to separate VPN and normal HTTP traffic like this is either with a router on the WAN side of the 506E or perhaps it can be done with global IP addresses or VLANs? Any thoughts gratefully received.

Paul


You can NAT to a different address using a NAT and Global that matches an ACL. For example,

If your external address was 1.2.3.4 but you wanted to NAT traffic from the 192.168.204.0 /24 network going to 10.20.30.40 global address over a VPN to 1.2.3.5 then you would do something like;

access-list jiggypuff permit ip 192.168.204.0 255.255.255.0 host 10.20.30.40

nat (inside) 2 access-list jiggypuff
global (outside) 2 1.2.3.5 - 1.2.3.5

You might also have something like;

nat (inside) 1 192.168.204.0 255.255.255.0
global (outside) 1 interface

So traffic going out to the internet would be NATed to the outside PIX address (1.2.3.4) and traffic going over the VPN to 10.20.30.40 would be NATed to 1.2.3.5.

Chris.


Ah right, OK, so rather than having two IP addresses on the outside interface, you are essentially giving the 506 two routes. How does the below distinguish that normal HTTP traffic does not go over the VPN route?

Would I need to put both IP addresses into a global address range?

cheers

Paul


No, it's not two routes. You only have one route (i.e. the default route). Normal traffic is NATed to the outside global address by matching the NAT rule. However, if the destination is the VPN then that hits against the access-list that is applied to the other NAT statement, which NATs to a different outside address. In other words it's using Policy NAT (if this access-list is matched, NAT to this ..). This type of system is usually used with nat 0 for VPN connections that do not get NATed to a global IP address.

The range that you NAT to is up to you. You can NAT to multiple addresses ..

global (outside) 2 x.x.x.2 - x.x.x.6

.. or you can just NAT to one IP address ..

global (outside) 2 x.x.x.2 - x.x.x.2

If you put a 'range' in with only one IP address you will get a message from the Pix telling you that it will PAT those connections.

Chris.

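To make the matching behaviour described above concrete, here is an added Python model of the two NAT statements from the thread; it is not PIX code and not from any of the posters. It encodes the policy rule (nat 2 with access-list jiggypuff) and the source-only catch-all (nat 1 to the interface address) as an ordered rule list, checks the ACL-based rule first, and also shows the nat 0 variant Chris mentions. The rule ordering is a simplifying assumption; the addresses are the ones used in the example.

```python
import ipaddress
from typing import Callable, Optional

# Constructed model of the thread's example: inside network 192.168.204.0/24,
# VPN destination 10.20.30.40, outside interface 1.2.3.4, policy address 1.2.3.5.
INSIDE_NET = ipaddress.ip_network("192.168.204.0/24")
VPN_HOST = ipaddress.ip_address("10.20.30.40")
OUTSIDE_IF = "1.2.3.4"

Matcher = Callable[[ipaddress.IPv4Address, ipaddress.IPv4Address], bool]

def acl_jiggypuff(src, dst) -> bool:
    """access-list jiggypuff permit ip 192.168.204.0 255.255.255.0 host 10.20.30.40"""
    return src in INSIDE_NET and dst == VPN_HOST

def nat_one(src, dst) -> bool:
    """nat (inside) 1 192.168.204.0 255.255.255.0 -- matches on source only"""
    return src in INSIDE_NET

# (description, matcher, global address). A global address of None models
# nat 0: the flow is exempt from translation and keeps its real source.
# Assumption: the ACL-based policy rule is consulted before the source-only rule.
RULES: list[tuple[str, Matcher, Optional[str]]] = [
    ("nat (inside) 2 access-list jiggypuff -> global 2 1.2.3.5", acl_jiggypuff, "1.2.3.5"),
    ("nat (inside) 1 192.168.204.0/24 -> global 1 interface", nat_one, OUTSIDE_IF),
]

def translate(src: str, dst: str, rules=RULES) -> tuple[str, Optional[str]]:
    """Return (rule that matched, source address the packet leaves with).

    No route lookup is involved: the default route carries everything, and the
    NAT rule that matches decides which outside address the flow is given.
    ('no match', None) means no rule applies and the PIX would not translate."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for desc, matches, global_addr in rules:
        if matches(s, d):
            return desc, (src if global_addr is None else global_addr)
    return "no match", None

def nat0_variant() -> list:
    """Same ACL used with nat 0: VPN traffic is exempt and keeps its real address."""
    return [("nat (inside) 0 access-list jiggypuff", acl_jiggypuff, None)] + RULES[1:]

if __name__ == "__main__":
    # 198.51.100.7 is a constructed Internet destination (documentation range).
    for src, dst in [("192.168.204.10", "10.20.30.40"), ("192.168.204.10", "198.51.100.7"),
                     ("172.16.0.9", "10.20.30.40")]:
        print(f"{src} -> {dst}: policy NAT {translate(src, dst)}, nat 0 {translate(src, dst, nat0_variant())}")
```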
