Re: Weird nat (PIX 6.3.3)



see below



"Alfred" <user@xxxxxxxx> wrote in message
news:du1l0p$91h$1@xxxxxxxxxxxxxxxxxx
Hello, here is the scenario,

Site in Paris:

external IP of the PIX: 195.238.14.14/28
internal IP of the PIX 192.168.10.1/25

Site in Madrid:

external IP of the PIX: 212.217.67.87/29
internal IP of the PIX: 10.10.10.1/25

Ok, the subnet in Paris has to show up in Madrid as 192.168.10.2, this ip
begets the source ip of any packets going through a VPN to reach any
devices in Madrid.

How do I do it?

I understand I need,

Same phase 1 and phase 2 on both sites,

on Paris, I need a nat0 access list like

access-list nat0 permit ip 192.168.10.2 255.255.255.255 10.10.10.0 255.255.255.128

an access-list that is going to match the crypto-map, like

access-list mymap permit ip 192.168.10.2 255.255.255.255 10.10.10.0 255.255.255.128

on Madrid, I need an access-list nat0

access-list nat0 permit ip 10.10.10.0 255.255.255.128 host 192.168.10.2

and

access-list mymap permit ip 10.10.10.0 255.255.255.128 host 192.168.10.2

My question is, how do I hide-nat Paris to make sure the traffic will not
be "nat 1 (inside)" to the external IP address of the firewall for web
browsing? I am afraid, there is like a race condition between the nat0 and
the nat 1.

There is no race condition, nat 0 (inside) is always processed first.

So all lines in your crypto acl must be added to the nat0 acl. Once the
packet is triggered by nat 0 (inside), it will not be NATed and will
continue to the crypto engine. Traffic not defined in nat 0 (inside) will
continue in the nat process, and if it's triggered by nat 1 (inside) it
will be NATed accordingly.



Would you tell me more on that?

Thank you,

Alfred
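
The rule stated in the reply above (every crypto ACL line must also be in the nat0 ACL, otherwise the traffic falls through to nat 1) can be checked mechanically. This is an added example, not part of the original thread: the ACL names `nat0` and `mymap` come from the post, the 10.10.20.0 entry is constructed to show a miss, and only `permit ip` entries with `any`, `host A` or `A MASK` address forms are parsed.

```python
import ipaddress

# Constructed sample: the Paris-side ACL lines quoted in the thread, plus one
# hypothetical crypto entry (10.10.20.0/24) that has no nat0 counterpart.
SAMPLE_CONFIG = """\
access-list nat0 permit ip 192.168.10.2 255.255.255.255 10.10.10.0 255.255.255.128
access-list mymap permit ip 192.168.10.2 255.255.255.255 10.10.10.0 255.255.255.128
access-list mymap permit ip 192.168.10.2 255.255.255.255 10.10.20.0 255.255.255.0
"""

def _take_addr(tokens):
    """Consume one PIX address spec from the token list: 'any', 'host A' or 'A MASK'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(first + "/" + tokens.pop(0), strict=False)

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
            continue  # not a 'permit ip' ACL entry
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        acls.setdefault(tokens[1], []).append((src, dst))
    return acls

def uncovered_crypto_entries(config, crypto_acl, nat0_acl):
    """Crypto ACL entries that no single nat0 entry fully contains."""
    acls = parse_acls(config)
    exempt = acls.get(nat0_acl, [])
    return [
        (src, dst)
        for src, dst in acls.get(crypto_acl, [])
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt)
    ]

if __name__ == "__main__":
    for src, dst in uncovered_crypto_entries(SAMPLE_CONFIG, "mymap", "nat0"):
        print(f"crypto entry {src} -> {dst} is not exempted by nat0")
```

An empty result means every crypto ACL entry is exempted by nat 0 (inside); any entry returned would continue in the nat process as the reply describes.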

