Firewall Wizards mailing list archives

Re: PIX to ASA VPN using PAT


From: Gary Douglas <dougary () gmail com>
Date: Wed, 2 Apr 2008 13:32:47 -0500

Should not be too hard. Set up your NAT or PAT. Use the IP address out of your NAT or PAT for your crypto map. I have done it before, it is not hard. Hopefully this is complete:

# Set up object group to make ACL look neat and small
object-group network Tunnel-Host
 description the devices on end of tunnel
 network-object host YYY.YYY.YYY.YYY
     # IP address of the devices on other end of tunnel
# if you are NATing on both ends, this would be the AAA.AAA.AAA.AAA of the other end.

# Set up ACL for devices that need NATing, also used to restrict traffic in tunnel
access-list NAT-Policy remark device that needs VPN access.
access-list NAT-Policy extended permit ip host xxx.xxx.xxx.xxx object-group Tunnel-Host
     # IP address of the devices that need to enter tunnel

# Set up NAT or PAT.
nat (Inside) 20 access-list NAT-Policy
global (Outside) 20 AAA.AAA.AAA.AAA netmask 255.255.255.255
     # IP address to use for PAT or NAT
     # mask 255.255.255.255 = PAT
     # mask 255.255.255.0 = NAT

# Set up ACL for tunnel crypto map
access-list Tunnel-VPN-Outside-ACL remark NAT-Pool to tunnel
access-list Tunnel-VPN-Outside-ACL extended permit ip host AAA.AAA.AAA.AAA object-group Tunnel-Host
     # IP address coming out of NAT or PAT

# Set up tunnel group
tunnel-group ZZZ.ZZZ.ZZZ.ZZZ type ipsec-l2l
tunnel-group ZZZ.ZZZ.ZZZ.ZZZ ipsec-attributes
 pre-shared-key *
     # IP address of other end of tunnel

# Create crypto map
crypto map VPN-Outside-map 40 match address Tunnel-VPN-Outside-ACL




Good luck
Gary Douglas



On Apr 2, 2008, at 9:28 AM, Richard Shaw wrote:

Hi,

I've got to set up a site-to-site VPN from a PIX 515E at my end to an ASA, and it's been requested that I PAT the connection to a specific address.

My side of the network is NAT'd, so I want to allow one specific host from my inside network to get out through the tunnel to their network. I've used the ASDM VPN wizard because I don't have a vast amount of experience configuring them by hand.

Could anyone make any recommendations as to how I do the PAT side to it?

Thanks in advance

Richard
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
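
Added example, not part of the original message or of any Cisco tool: a small Python check that the crypto-map ACL in a config of the shape shown above matches the address coming out of NAT/PAT rather than the real inside host, since the translation is applied before the crypto ACL is evaluated. The function name `check`, the regexes and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re

# Constructed sample in the style of the config above; the addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE = """\
object-group network Tunnel-Host
 network-object host 198.51.100.10
access-list NAT-Policy extended permit ip host 10.1.1.5 object-group Tunnel-Host
nat (Inside) 20 access-list NAT-Policy
global (Outside) 20 192.0.2.20 netmask 255.255.255.255
access-list Tunnel-VPN-Outside-ACL extended permit ip host 192.0.2.20 object-group Tunnel-Host
crypto map VPN-Outside-map 40 match address Tunnel-VPN-Outside-ACL
"""

ACL = re.compile(r"^access-list (\S+) extended permit ip host (\S+) (.+)$")
NAT = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
GLOBAL = re.compile(r"^global \((\S+)\) (\d+) (\S+) netmask (\S+)$")
CRYPTO = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

def check(config):
    """Return findings; an empty list means crypto ACLs use translated sources."""
    acls, nats, pools, cryptos = {}, {}, {}, []
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := NAT.match(line):
            nats[m[2]] = m[3]          # NAT id -> policy ACL name
        elif m := GLOBAL.match(line):
            pools[m[2]] = m[3]         # NAT id -> translated address
        elif m := CRYPTO.match(line):
            cryptos.append((m[1], m[3]))
    findings, xlate = [], {}           # xlate: real source -> translated address
    for nat_id, acl in nats.items():
        if nat_id not in pools:
            findings.append(f"nat id {nat_id} has no matching global")
            continue
        for src, _ in acls.get(acl, []):
            xlate[src] = pools[nat_id]
    for cmap, acl in cryptos:
        for src, _ in acls.get(acl, []):
            if src in xlate:
                findings.append(f"{cmap}: {acl} matches real source {src}; use translated {xlate[src]}")
            elif src not in xlate.values():
                findings.append(f"{cmap}: {acl} source {src} is not a NAT/PAT address")
    return findings

if __name__ == "__main__":
    print(check(SAMPLE) or "crypto ACL sources match the NAT/PAT address")
```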
