Firewall Wizards mailing list archives
Re: Portforwarding on NATed VPN
From: "Leinweber, James" <jiml () mail slh wisc edu>
Date: Mon, 16 Jun 2008 14:22:29 -0500
I have IPSEC VPN between our LAN1 (192.168.10.0/24) with PIX 506 and LAN2 (10.1.1.0/24) on the other side with some another Cisco. ... I need to allow portforwarding ...
When I have private RFC1918 IP addresses on two sides of an IPSEC tunnel, I just use static NAT between them. E.g. if your PIX interfaces are lan1-out and lan1-in, lan2-out, lan2-in, and you have

    object-group network lan1-ipsec
      network-object 192.168.10.0 255.255.255.0
    object-group network lan2-ipsec
      network-object 10.1.1.0 255.255.255.0

    access-list ipsec-no-nat-12 extended permit ip object-group lan1-ipsec object-group lan2-ipsec
    access-list ipsec-no-nat-21 extended permit ip object-group lan2-ipsec object-group lan1-ipsec

On lan1:

    nat (lan1-in) 0 access-list ipsec-no-nat-12

On lan2:

    nat (lan2-in) 0 access-list ipsec-no-nat-21

The crypto map ... match address ... statements can use the same access lists if you like.

If you have multiple private subnets hung off each firewall, e.g. "dmz" and "pci", then you may also want local static mappings between those. For example, if the lan1-pci interface has subnet 192.168.11.0/24, you might want a statement like:

    static (lan1-pci,lan1-dmz) 192.168.11.0 192.168.11.0 netmask 255.255.255.0

You'd also need to add 192.168.11.0/24 to the object groups for the nat 0 rule and ipsec tunnel match address too, of course.

-- 
Jim Leinweber
State Laboratory of Hygiene, University of Wisconsin - Madison
<jiml () slh wisc edu>
2810 Walton Commons West; phone +1 608 221 6281
PGP fp: 2E36 47BC DB03 57CE 86AD 19CC 41A1 9179 5C6B C8B9

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
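The reply's point is that the nat 0 exemption ACL and the crypto map match address ACL must cover the same subnets, and that a subnet added to one (like 192.168.11.0/24) has to be added to the other. As an added example that is not part of the post or any Cisco tooling, the Python below parses a constructed PIX-style snippet, expands the object-groups, and reports network pairs that are NAT-exempt but not tunnelled (or the reverse); the group, ACL, interface and crypto map names in the sample are invented.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample (not from the post): 192.168.11.0/24 was added to the
# object group used by the nat 0 ACL, but the crypto-map ACL still points at
# a group that lacks it, so that subnet is NAT-exempt yet never tunnelled.
SAMPLE_CONFIG = """
object-group network lan1-ipsec
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
object-group network lan1-crypto
 network-object 192.168.10.0 255.255.255.0
object-group network lan2-ipsec
 network-object 10.1.1.0 255.255.255.0
access-list ipsec-no-nat-12 extended permit ip object-group lan1-ipsec object-group lan2-ipsec
access-list ipsec-crypto-12 extended permit ip object-group lan1-crypto object-group lan2-ipsec
nat (lan1-in) 0 access-list ipsec-no-nat-12
crypto map outside_map 10 match address ipsec-crypto-12
"""

def parse(config):
    """Collect object-groups, object-group ACL entries, nat 0 ACLs and crypto-map ACLs."""
    groups, acls, nat0, crypto = defaultdict(set), defaultdict(set), [], []
    current = None
    for line in config.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+network-object (\S+) (\S+)", line):
            groups[current].add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)", line):
            acls[m.group(1)].add((m.group(2), m.group(3)))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0.append(m.group(1))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            crypto.append(m.group(1))
    return groups, acls, nat0, crypto

def expand(acl_names, acls, groups):
    # Expand the named ACLs into the set of (src, dst) network pairs they permit.
    return {(s, d) for name in acl_names for src_g, dst_g in acls[name]
            for s in groups[src_g] for d in groups[dst_g]}

def mismatches(config):
    # Returns (exempt-but-not-tunnelled, tunnelled-but-not-exempt) pair lists.
    groups, acls, nat0, crypto = parse(config)
    exempt, tunnelled = expand(nat0, acls, groups), expand(crypto, acls, groups)
    return sorted(exempt - tunnelled), sorted(tunnelled - exempt)

if __name__ == "__main__":
    for label, pairs in zip(("NAT-exempt but not in crypto map", "In crypto map but not NAT-exempt"), mismatches(SAMPLE_CONFIG)):
        print(label, [f"{s} -> {d}" for s, d in pairs])
```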
Current thread:
- Portforwarding on NATed VPN Petr Vyhnal (Jun 09)
- <Possible follow-ups>
- Re: Portforwarding on NATed VPN Leinweber, James (Jun 17)