From: Darren on
Due to some inflexibility on the part of a 3rd party I am faced with
adding NAT complexity to what was going to be a simple solution (public
to public VPN).

My network has a PIX pair running 6.3(5). There are several interfaces
and lots of NAT, Policy NAT etc. To keep things simple the points of
interest are...

static (inside,outside) 62.X.X.1 172.16.1.1 netmask 255.255.255.255
static (inside,outside) 62.X.X.2 172.16.1.2 netmask 255.255.255.255

Originally my crypto-acl was going to use these 2 x public IPs. Now the
remote end is telling me that they will not do a public to public
connection and they insist that....

Their users will come from say 10.1.1.0/24 (on the outside) and will
target the above hosts 62.X.X.1 & .2 by the address 172.23.1.1 & 2
respectively.

So on my PIX I have to say, anything from a source address of
10.1.1.0/24 targeting a destination address of 172.23.1.1 & .2 NAT to
the real addresses of 172.16.1.1 & .2.

My second problem is I may have to modify the source address of the
traffic (10.1.1.0/24) as the main site I control uses various ranges in
10.0.0/8. With this in mind I take it I would need outside NAT.

Any help appreciated here.

I'm off to blow the dust off my PIX book now to see if I can find a good
example or two.

Regards

Darren