Re: [fw-wiz] PIX to ASA VPN using PAT



Should not be too hard. Set up your NAT or PAT. Use the IP address out of your NAT or PAT for your crypto map. I have done it before, it is not hard. Hopefully this is complete:

! Object group to keep the ACLs short
object-group network Tunnel-Host
 description the devices on the far end of the tunnel
 network-object host YYY.YYY.YYY.YYY
! YYY.YYY.YYY.YYY = IP address of the devices on the other end of the tunnel
! (if you are NATing on both ends, this is the AAA.AAA.AAA.AAA of the other end)

! Policy-NAT ACL: the devices that need translating; also restricts what enters the tunnel
access-list NAT-Policy remark device that needs VPN access
access-list NAT-Policy extended permit ip host xxx.xxx.xxx.xxx object-group Tunnel-Host
! xxx.xxx.xxx.xxx = inside IP address of the device that needs to enter the tunnel

! NAT or PAT
nat (Inside) 20 access-list NAT-Policy
global (Outside) 20 AAA.AAA.AAA.AAA netmask 255.255.255.255
! AAA.AAA.AAA.AAA = translated address the far end will see
! a single address in "global" = PAT
! an address range (for example AAA.AAA.AAA.AAA-AAA.AAA.AAA.BBB) = dynamic NAT pool

! Crypto ACL for the tunnel: uses the translated address, not the inside address
access-list Tunnel-VPN-Outside-ACL remark NAT-Pool to tunnel
access-list Tunnel-VPN-Outside-ACL extended permit ip host AAA.AAA.AAA.AAA object-group Tunnel-Host

! Tunnel group (ZZZ.ZZZ.ZZZ.ZZZ = IP address of the other end of the tunnel)
tunnel-group ZZZ.ZZZ.ZZZ.ZZZ type ipsec-l2l
tunnel-group ZZZ.ZZZ.ZZZ.ZZZ ipsec-attributes
 pre-shared-key *

! Crypto map entry
crypto map VPN-Outside-map 40 match address Tunnel-VPN-Outside-ACL
crypto map VPN-Outside-map 40 set peer ZZZ.ZZZ.ZZZ.ZZZ
crypto map VPN-Outside-map 40 set transform-set ESP-3DES-SHA
! ESP-3DES-SHA is a placeholder name: use whichever transform set your existing crypto config defines




Good luck
Gary Douglas



On Apr 2, 2008, at 9:28 AM, Richard Shaw wrote:

Hi,

I've got to set up a site-to-site VPN from a PIX 515E at my end to an ASA, and it's been requested that I PAT the connection to a specific address.

My side of the network is NAT'd, so I want to allow one specific host from my inside network to get out through the tunnel to their network. I've used the ASDM VPN wizard because I don't have a vast amount of experience configuring them by hand.

Could anyone make any recommendations as to how I do the PAT side of it?

Thanks in advance

Richard
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
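As an added end-to-end example, not part of either post above, here is how the policy PAT and the crypto pieces fit together on the PIX side, including the phase 1 and phase 2 commands the reply's snippet leaves to the existing wizard-built config. Syntax is PIX/ASA 7.x to 8.2. Every address is a placeholder (10.1.1.50 inside host, 203.0.113.10 PAT address, 172.16.5.10 remote host, 198.51.100.1 peer), as are the transform-set name and the interface names Inside/Outside, which must match your nameif exactly.

```cisco
! --- Phase 1 (ISAKMP) on the outside interface ---
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! --- Phase 2 transform set ---
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Remote host and policy NAT ---
object-group network Tunnel-Host
 description remote host behind the far-end ASA (placeholder address)
 network-object host 172.16.5.10
access-list NAT-Policy extended permit ip host 10.1.1.50 object-group Tunnel-Host
nat (Inside) 20 access-list NAT-Policy
! single address => PAT: only 10.1.1.50 to Tunnel-Host is translated to 203.0.113.10
global (Outside) 20 203.0.113.10
! alternative, a dynamic NAT pool instead of PAT (use one or the other):
! global (Outside) 20 203.0.113.10-203.0.113.20 netmask 255.255.255.0
! if the remote side must initiate connections to the host, use a policy static instead:
! static (Inside,Outside) 203.0.113.10 access-list NAT-Policy

! NAT is evaluated in the order exemption (nat 0) > static > policy NAT > regular NAT.
! If the ASDM wizard created a NAT exemption that covers 10.1.1.50 -> Tunnel-Host,
! remove it, or the host leaves untranslated and never matches the crypto ACL:
! no nat (Inside) 0 access-list <wizard-exemption-acl>

! --- Crypto ACL: translated source, not the inside address ---
access-list Tunnel-VPN-Outside-ACL extended permit ip host 203.0.113.10 object-group Tunnel-Host

! --- Peer ---
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY

! --- Crypto map, bound to the outside interface ---
crypto map VPN-Outside-map 40 match address Tunnel-VPN-Outside-ACL
crypto map VPN-Outside-map 40 set peer 198.51.100.1
crypto map VPN-Outside-map 40 set transform-set ESP-AES256-SHA
crypto map VPN-Outside-map interface Outside

! --- Checks once traffic has been sent ---
! show xlate | include 10.1.1.50          -> 10.1.1.50 should map to 203.0.113.10
! show crypto ipsec sa peer 198.51.100.1  -> encaps/decaps counters should increment
! show crypto isakmp sa                   -> peer 198.51.100.1 in state MM_ACTIVE
```

Because the translation is tied to the policy ACL, only 10.1.1.50 talking to the remote host is mapped to 203.0.113.10 and so only that traffic can match the crypto ACL; the rest of the inside network keeps whatever regular NAT rule it already has and never enters the tunnel. The far-end ASA mirrors this with a crypto ACL permitting 172.16.5.10 to host 203.0.113.10 and a NAT exemption for that pair; if it runs ASA 8.3 or later its NAT commands use the newer object/twice-NAT syntax, but the crypto ACL logic is unchanged.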


