Firewall Wizards mailing list archives

Re: Portforwarding on NATed VPN


From: "Leinweber, James" <jiml () mail slh wisc edu>
Date: Mon, 16 Jun 2008 14:22:29 -0500

> I have IPSEC VPN between our LAN1 (192.168.10.0/24) with PIX 506 and
> LAN2 (10.1.1.0/24) on the other side with some other Cisco.
> ... I need to allow port forwarding ...

When I have private RFC1918 IP addresses on two sides of an IPSEC tunnel,
I just use static NAT between them. E.g. if your PIX interfaces
are lan1-out and lan1-in, lan2-out, lan2-in, and you have

object-group network lan1-ipsec
  network-object 192.168.10.0 255.255.255.0
object-group network lan2-ipsec
  network-object 10.1.1.0 255.255.255.0
access-list ipsec-no-nat-12 extended permit ip object-group lan1-ipsec object-group lan2-ipsec
access-list ipsec-no-nat-21 extended permit ip object-group lan2-ipsec object-group lan1-ipsec

On lan1:

nat (lan1-in) 0 access-list ipsec-no-nat-12

On lan2:

nat (lan2-in) 0 access-list ipsec-no-nat-21

The crypto map ... match address ... statements can use the same access lists if
you like.

If you have multiple private subnets hung off each firewall,
e.g. "dmz" and "pci", then you may also want local static mappings
between those. For example, if the lan1-pci interface has subnet
192.168.11.0/24, you might want a statement like:

static (lan1-pci,lan1-dmz) 192.168.11.0 192.168.11.0 netmask 255.255.255.0

You'd also need to add 192.168.11.0/24 to the object groups for the nat 0
rule and ipsec tunnel match address too, of course.

-- Jim Leinweber
State Laboratory of Hygiene, University of Wisconsin - Madison
<jiml () slh wisc edu> 2810 Walton Commons West; phone +1 608 221 6281
PGP fp: 2E36 47BC DB03 57CE 86AD  19CC 41A1 9179   5C6B C8B9
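As an added illustration of the last point, not part of Jim's post: the nat 0 exemption ACL and the crypto map match address ACL have to describe the same subnet pairs, and the usual symptom of updating one but not the other is a tunnel that negotiates fine but carries no traffic, because the packets were translated before the crypto map ever saw them. The Python below parses the subset of PIX syntax used in the post (object-group network, access-list ... permit ip, nat (if) 0 access-list, crypto map ... match address) and reports subnet pairs present in one place but not the other. The sample configuration, the crypto map name "vpn", and the 192.168.11.0/24 subnet that appears in the crypto ACL but is missing from the no-nat ACL are all constructed for the example.

```python
"""Cross-check PIX 'nat 0' exemption ACLs against crypto-map match ACLs.

Added example, not part of the original post.  Parses the subset of PIX
syntax the post uses and reports traffic a crypto map would encrypt that
'nat 0' does not exempt (and the reverse).  Sample config is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: 192.168.11.0/24 (the "pci" subnet) was added to the
# object group used by the crypto map, but the nat 0 ACL still names only
# the original lan1 subnet directly.
SAMPLE_CONFIG = """
object-group network lan1-ipsec
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.11.0 255.255.255.0
object-group network lan2-ipsec
  network-object 10.1.1.0 255.255.255.0
access-list ipsec-no-nat-12 extended permit ip 192.168.10.0 255.255.255.0 object-group lan2-ipsec
access-list ipsec-vpn-12 extended permit ip object-group lan1-ipsec object-group lan2-ipsec
nat (lan1-in) 0 access-list ipsec-no-nat-12
crypto map vpn 10 match address ipsec-vpn-12
"""

# The fix the post describes: make both ACLs use the same object groups.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "permit ip 192.168.10.0 255.255.255.0 object-group lan2-ipsec",
    "permit ip object-group lan1-ipsec object-group lan2-ipsec")


def parse_endpoints(tokens):
    """Split the src/dst part of an ACE into two specs.

    A spec is ("group", name) or ("net", IPv4Network); 'host' and 'any'
    are folded into networks so every spec compares the same way.
    """
    specs, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "object-group":
            specs.append(("group", tokens[i + 1]))
            i += 2
        elif tok == "host":
            specs.append(("net", ipaddress.IPv4Network(tokens[i + 1])))
            i += 2
        elif tok == "any":
            specs.append(("net", ipaddress.IPv4Network("0.0.0.0/0")))
            i += 1
        else:  # dotted address followed by dotted mask
            specs.append(("net", ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}")))
            i += 2
    if len(specs) != 2:
        raise ValueError(f"cannot parse ACE endpoints: {' '.join(tokens)}")
    return specs[0], specs[1]


def parse_config(text):
    groups = defaultdict(list)  # object-group name -> [IPv4Network]
    acls = defaultdict(list)    # ACL name -> [(src_spec, dst_spec)]
    nat0 = {}                   # inside interface -> exemption ACL name
    crypto = {}                 # (crypto map name, seq) -> match ACL name
    current_group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("object-group network "):
            current_group = line.split()[2]
            continue
        if line.startswith("network-object ") and current_group:
            _, addr, mask = line.split()
            groups[current_group].append(ipaddress.IPv4Network(f"{addr}/{mask}"))
            continue
        current_group = None  # any other statement ends the group body
        m = re.match(r"access-list (\S+) extended permit ip (.+)", line)
        if m:
            acls[m.group(1)].append(parse_endpoints(m.group(2).split()))
            continue
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if m:
            nat0[m.group(1)] = m.group(2)
            continue
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)", line)
        if m:
            crypto[(m.group(1), int(m.group(2)))] = m.group(3)
    return groups, acls, nat0, crypto


def resolve(spec, groups):
    kind, value = spec
    if kind == "group":
        if value not in groups:
            raise KeyError(f"ACL references undefined object-group {value}")
        return list(groups[value])
    return [value]


def expand_acl(name, acls, groups):
    """Flatten an ACL into the set of (src_net, dst_net) pairs it permits."""
    if name not in acls:
        raise KeyError(f"referenced access-list {name} is not defined")
    pairs = set()
    for src, dst in acls[name]:
        for s in resolve(src, groups):
            for d in resolve(dst, groups):
                pairs.add((s, d))
    return pairs


def covered(pair, cover):
    """True if (src, dst) lies inside some (src, dst) pair of 'cover'."""
    s, d = pair
    return any(s.subnet_of(cs) and d.subnet_of(cd) for cs, cd in cover)


def find_mismatches(text):
    """Return (encrypted_but_natted, exempt_but_cleartext), each sorted.

    First list: pairs a crypto map selects that nat 0 does not exempt, so
    they are translated before matching the tunnel and never get encrypted.
    Second list: pairs exempted from NAT that no crypto map picks up, so
    they leave in cleartext with an untranslated private source.
    """
    groups, acls, nat0, crypto = parse_config(text)
    exempt, encrypted = set(), set()
    for acl in nat0.values():
        exempt |= expand_acl(acl, acls, groups)
    for acl in crypto.values():
        encrypted |= expand_acl(acl, acls, groups)
    fmt = lambda p: f"{p[0]} -> {p[1]}"
    return (sorted(fmt(p) for p in encrypted if not covered(p, exempt)),
            sorted(fmt(p) for p in exempt if not covered(p, encrypted)))


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        natted, clear = find_mismatches(cfg)
        print(f"[{label}] encrypted but not nat-exempt: {natted or 'none'}")
        print(f"[{label}] nat-exempt but not encrypted: {clear or 'none'}")
```

Run against a "show running-config" dump, the first list is what to look at when phase 2 comes up but pings across the tunnel die; the fix is the one the post gives, adding the missing subnet to the object groups used by both the nat 0 ACL and the match address ACL. Containment rather than exact equality is used so a broader exemption (say a /16 covering several /24s) still counts as covering the tunnel traffic.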

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
