Re: [fw-wiz] VPN NAT issue

Those commands do not allow access. You need to use a static rule then
provide an access list. They should be the same as the other ones with
different numbers and also apply the access-list to the other interface
using a different name. Forexample, Access-list IN and Access-list IN2
are bound to the interface by Access-Group IN and Access-Group IN2.

I've attached a document that shows the rules. It's a little old but
still relevant.

I think this is what you are asking.


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
Vladislav Antolik
Sent: Wednesday, November 12, 2008 3:52 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] VPN NAT issue

Hello,

I'm using Cisco PIX 515E with 8.0(3) image.
I have 3 networks.
IN 172.16.0.0/16
IN2 173.16.0.0/16
OUT 174.16.0.0/16.
VPN local pool is 10.0.0.0/28.
I'm using remote access VPN to reach IN servers without problems(I
used howto from Cisco pix conf. guide)

I would like to reach IN2 servers too, but I don't know to setup NAT
from vpn pool to this network(IN2).
I this network (IN2) my VPN hosts(10.0.0.0/28) must be translated.

I tried
nat (OUT) 66 10.0.0.0 255.255.255.240
global (IN2) 66 173.16.0.5
but this doesn't work.

Is any possibility to translate VPN pool?

Many thanks
Vladislav
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


Attachment: connectivity.pdf
Description: connectivity.pdf

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Relevant Pages

  • Puzzling VPN problem with Windows 2003
    ... I have a standard IPSEC VPN running between two 837s using a shared secret. ... access-list 23 permit 192.168.128.0 0.0.0.255 ... access-list 111 permit tcp any host 217.146.127.18 eq 21 ...
    (comp.dcom.sys.cisco)
  • Setting the MTU
    ... I've been getting odd problems with a VPN between two 837 routers and it's ... access-list 23 permit 192.168.128.0 0.0.0.255 ... access-list 111 permit tcp any host 333.333.333.18 eq 21 ...
    (comp.dcom.sys.cisco)
  • Re: [fw-wiz] VPN NAT issue
    ... a low security interface to a higher one so put a translation in for the ... net to the vpn pool either by static or nat0. ... would be IN2 int to OUT and for nat0 apply it to IN2 where the rules ... stipulate the src from IN2 net to the vpn local pool. ...
    (Firewall-Wizards)
  • Re: [fw-wiz] VPN NAT issue
    ... an acl is needed for vpn traffic. ... If you allow the vpn pool ips in from the outside how would the ... would be IN2 int to OUT and for nat0 apply it to IN2 where the rules ...
    (Firewall-Wizards)
  • Cisco 877 NAT and site-site VPN
    ... My internal network 10.10.10.0/24 is hidden behind the router's static external IP address using NAT. ... Now I am trying to set up a VPN to another company, ... access-list 103 permit ip 10.10.10.0 0.0.0.255 any ...
    (comp.dcom.sys.cisco)