VPN with NAT translation

Usually the VPN traffic should be excluded from NAT with "nat (inside) 0". This time I've received a request to establish a VPN connection to the internal server, but via its public IP address.

This means that on my PIX device the inbound packet should first be decrypted and afterwards transformed by the NAT engine. Almost the same, but in the opposite order, should be done with outbound packets. Is it enough to just exclude the server from the "nat (inside) 0" list? If not, what else should be done?

Example:

My PIX outside (public) interface address: p.p.p.1/24
My PIX inside (private) interface address: i.i.i.1/24

My server external (public) address: p.p.p.2/24
My server internal (private) address: i.i.i.2/24

A client behind the peer's VPN device wants to connect via the VPN and access the server via the p.p.p.2 address, not via i.i.i.2.

Is this possible?

Thanks, Evgeni.

Evgeni Vekua

In article , Evgeni Vekua wrote:
:Usually the VPN traffic should be excluded from NAT with "nat (inside) 0".
:This time I've received a request to establish a VPN connection to the
:internal server, but via its public IP address.

:This means that on my PIX device the inbound packet should first be
:decrypted and afterwards transformed by the NAT engine. Almost the same,
:but in the opposite order, should be done with outbound packets.
:Is it enough to just exclude the server from the "nat (inside) 0" list?
:If not, what else should be done?

You may need to change the transform set to exclude AH, or else turn on isakmp nat-traversal.

There is another important change that is not widely known. When you write the ACL entry that will be used for the crypto map match address, you must write it in terms of outgoing packets, and you must write it as if NAT had -already- taken place. That is, whereas before you were accustomed to writing

access-list clientvpn permit ip host i.i.i.2 host CLIENTIP

then you would instead write

access-list clientvpn permit ip host p.p.p.2 host CLIENTIP

as the ACL will not be looked at for outgoing traffic until after the source-IP NAT has taken place.
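To put the pieces of this answer together, here is an added PIX 6.3-style configuration fragment (not from either poster) that maps i.i.i.2 to p.p.p.2 with a static translation and writes the crypto ACL against the translated address. PEERIP, CLIENTIP, PRESHAREDKEY and the map and transform-set names are placeholders.

```cisco
! Static one-to-one translation: i.i.i.2 appears as p.p.p.2 on the outside.
! Deliberately NOT in any "nat (inside) 0" list, so the NAT engine
! translates the packet before the crypto map ACL is evaluated.
static (inside,outside) p.p.p.2 i.i.i.2 netmask 255.255.255.255

! Crypto ACL written for outbound, post-NAT addresses (the translated
! p.p.p.2, not the real i.i.i.2), as described above.
access-list clientvpn permit ip host p.p.p.2 host CLIENTIP
! Writing it against the untranslated address would never match:
! access-list clientvpn permit ip host i.i.i.2 host CLIENTIP

! ESP-only transform set; the answer above suggests excluding AH.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address clientvpn
crypto map VPNMAP 10 set peer PEERIP
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside

! IKE phase 1 with a pre-shared key (values are placeholders).
isakmp enable outside
isakmp key PRESHAREDKEY address PEERIP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! NAT traversal, the alternative the answer mentions if a NAT device
! sits between the two peers.
isakmp nat-traversal 20

! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

Verify the design with "show crypto ipsec sa" after the tunnel comes up: the local identity should show p.p.p.2, not i.i.i.2, and the "static" translation should appear in "show xlate" for the server.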

Walter Roberson
