| Case Number | K05272321 |
| Title | How to configure Policy NAT for VPN traffic on PIX/ASA |
| Core issue | With Policy NAT, the source address of interesting traffic can be translated to a different address; this is needed in particular when the networks at the two ends of the VPN overlap. |

Resolution
In order to configure Policy NAT for VPN traffic, for example to change the source address, use the following configuration. In this example the internal network is 10.10.1.0/24.

- Create an access list for Policy NAT that matches the real source address and the destination addresses:

```
access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 host 172.16.1.1
access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 1.1.1.0 255.255.255.0
```

- Create a static command so that when the source is 10.10.1.0/24 and the destination is 172.16.1.1 or 1.1.1.0/24, the source is translated to 172.16.5.0/24:

```
static (inside,outside) 172.16.5.0 access-list POLICYNAT
```

- Create the crypto access list with the translated address defined by Policy NAT (172.16.5.0/24) as the source, and apply it to the crypto map. The crypto access list must reference the translated address, not the real one, because NAT is applied to outbound traffic before it is matched against the crypto map:

```
access-list VPN extended permit ip 172.16.5.0 255.255.255.0 host 172.16.1.1
access-list VPN extended permit ip 172.16.5.0 255.255.255.0 1.1.1.0 255.255.255.0
crypto map VPN 10 match address VPN
```
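As an added check that is not part of the Cisco KB article, the Python script below parses the Policy NAT access list, the policy static and the crypto access list, derives the post-NAT flows the static produces, and verifies that the crypto access list is written against those translated addresses. GOOD_CONFIG reproduces the article's configuration; BAD_CONFIG is a constructed variant that leaves the real 10.10.1.0/24 source in the crypto access list, the mistake the check is meant to catch.

```python
import ipaddress
import re

# Constructed input: the three configuration pieces from the article; BAD_CONFIG
# rewrites the crypto ACL with the real (pre-NAT) source, the mistake to catch.
GOOD_CONFIG = """
access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 host 172.16.1.1
access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 1.1.1.0 255.255.255.0
static (inside,outside) 172.16.5.0 access-list POLICYNAT
access-list VPN extended permit ip 172.16.5.0 255.255.255.0 host 172.16.1.1
access-list VPN extended permit ip 172.16.5.0 255.255.255.0 1.1.1.0 255.255.255.0
"""
BAD_CONFIG = GOOD_CONFIG.replace("ip 172.16.5.0 255.255.255.0", "ip 10.10.1.0 255.255.255.0")

STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) access-list (\S+)", re.M)

def _endpoint(tokens):
    # "host A.B.C.D" or "A.B.C.D MASK" -> (ip_network, remaining tokens)
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'extended permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] != "access-list" or parts[2:5] != ["extended", "permit", "ip"]:
            continue
        src, rest = _endpoint(parts[5:])
        dst, _ = _endpoint(rest)
        acls.setdefault(parts[1], []).append((src, dst))
    return acls

def check_crypto_acl(config, crypto_name):
    """Return problems found; an empty list means the crypto ACL matches the post-NAT flows."""
    acls = parse_acls(config)
    mapped, nat_name = STATIC_RE.search(config).groups()
    crypto = acls.get(crypto_name, [])
    problems = []
    for src, dst in acls[nat_name]:
        # the policy static maps the real subnet onto the mapped address with the same mask
        xlated = ipaddress.ip_network(f"{mapped}/{src.prefixlen}", strict=False)
        if not any(xlated.subnet_of(cs) and dst.subnet_of(cd) for cs, cd in crypto):
            problems.append(f"{crypto_name} does not cover translated flow {xlated} -> {dst}")
        for cs, cd in crypto:
            if cs == src and cd == dst:  # ACE written with the real source never matches after NAT
                problems.append(f"{crypto_name} uses real source {src}, never seen after NAT")
    return problems
```

Running check_crypto_acl(GOOD_CONFIG, "VPN") returns an empty list, while the BAD_CONFIG variant reports both the uncovered translated flows and the access list entries that still name the real source.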
| Problem Type | Configure; Troubleshoot software feature |
| Product Family | Firewall - PIX 500 series; ASA Hardware & Software |
| PIX Software Version | PIX version 6.x; PIX version 7.x |
| ASA Software Version | 7.0; 7.1; 7.2 |
| PIX Model | PIX 500 Series Firewall |
| ASA Models | ASA 5520; ASA 5540; ASA 5500; ASA 5510 |
| VPN Tunnel End Points | PIX; ASA |
| VPN Topology | LAN-to-LAN |
| Features & Tasks | Policy NAT |
| VPN Protocols | IPSec |
| Direct URL | http://www.ciscotaccc.com/security/showcase?case=K05272321 |