Home to LAN IPsec VPN Tunnel with a Pix

Unanswered Question
Mar 16th, 2007

My home network is 192.168.1.1/24 and the internal network for work is 192.168.1.1/24. Is there a setting in the Pix that will either change the home's IP address to something else after creating the VPN tunnel, so that I can actually talk to IPs on the work network, or do I have to just change my IP scheme over to 10.0.0.1 for home? I would hope there would be a command to avoid having to do that in the Pix.

Jon Marshall Sat, 03/17/2007 - 12:36

Hi

Yes you can hide all your 192.168.1.x IP addresses at home behind your public IP address of the outside interface on your pix.

So you would need to NAT all your private 192.168.1.x addresses

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Then in your crypto map access-list that defines interesting traffic for the VPN tunnel:

access-list vpn_traffic permit ip host <public IP of your pix> 192.168.1.0 255.255.255.0

Your home pix will NAT your 192.168.1.x addresses to the public IP of your pix, then encrypt them and send them to your work site.

** Note that this solution assumes that all connections will be initiated from your home network to work. If you need to be able to initiate connections from work to home it can still be done but it is a more complicated configuration **

Let me know if you need more info.

HTH

Jon

ixholla69 Sat, 03/17/2007 - 17:20

I was looking at the command "IP Pool". Is it possible, when the user initiates a VPN connection to the Pix, to make the Pix send a "pooled IP" address of something else, maybe?

Say for instance the home user has a 192.168.1.1 address; would it be possible to have the Pix send them a totally different address to use? Maybe something in the 10.0.0.1 range? That'd probably be a little better for my case if that's possible.

Kamal Malhotra Sat, 03/17/2007 - 20:41

Hi,

We have 3 main options.

1. We NAT on the PIX (home device) and on the work device.

We NAT it in such a way that when the traffic is going from home to work it appears as 192.168.2.0/24, and when the traffic is going from work to home it appears as 192.168.3.0/24. So home actually accesses the 192.168.3.0 network and work accesses the 192.168.2.0/24 network. On the home PIX the commands should look like:

access-list policy permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

static (inside,outside) 192.168.2.0 access-list policy

access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

The second ACL is the crypto ACL that is bound to the crypto map. You will get bidirectional traffic.

2. Implement the previous suggestion. The traffic will be uni-directional, i.e. only home will be able to access work and NOT vice versa.

3. Change the IP addressing of the home network.

HTH,

Please rate if it helps,

Regards,

Kamal
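To make the address games in option 1 concrete, here is an added Python model (not from the thread and not PIX configuration) that traces a packet from a real home host to a real work host through the home-side policy static and the work-side un-translation, and checks it against the crypto ACL. The sample host addresses and the 1:1 host-offset mapping are my assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology mirroring option 1 above (assumed values, not the thread's config).
HOME_REAL = ip_network("192.168.1.0/24")    # real home LAN
WORK_REAL = ip_network("192.168.1.0/24")    # real work LAN, overlaps with home
HOME_MAPPED = ip_network("192.168.2.0/24")  # how home appears to work
WORK_MAPPED = ip_network("192.168.3.0/24")  # how work appears to home


def remap(addr, src_net, dst_net):
    """1:1 translation: keep the host offset, swap the network (static policy NAT)."""
    offset = int(addr) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + offset)


def home_pix_outbound(src, dst):
    """Models 'static (inside,outside) 192.168.2.0 access-list policy' on the home PIX:
    only home-real -> work-mapped traffic gets its source rewritten."""
    if src in HOME_REAL and dst in WORK_MAPPED:
        return remap(src, HOME_REAL, HOME_MAPPED), dst
    return src, dst


def work_pix_inbound(src, dst):
    """Models the mirror static on the work PIX: 192.168.3.x is un-translated to the real host."""
    if src in HOME_MAPPED and dst in WORK_MAPPED:
        return src, remap(dst, WORK_MAPPED, WORK_REAL)
    return src, dst


def home_to_work(home_host, work_host):
    """Trace a packet from a real home host to a real work host.
    Returns (src, dst) as the work host sees them, or None if the crypto ACL
    'permit ip 192.168.2.0/24 192.168.3.0/24' would not select the packet."""
    # The home user must address the work host by its mapped 192.168.3.x identity.
    dst_mapped = remap(ip_address(work_host), WORK_REAL, WORK_MAPPED)
    src, dst = home_pix_outbound(ip_address(home_host), dst_mapped)
    if not (src in HOME_MAPPED and dst in WORK_MAPPED):
        return None
    src, dst = work_pix_inbound(src, dst)
    return str(src), str(dst)


def uses_overlap_route(home_host, target):
    """Failure mode without NAT: a home host aiming at a 192.168.1.x work address sees
    the target as directly connected, so nothing is ever handed to the tunnel."""
    return ip_address(home_host) in HOME_REAL and ip_address(target) in HOME_REAL
```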

ixholla69 Sat, 03/17/2007 - 23:33

No no, I think I didn't make myself clear: there's no "Home Pix", it's just home initiating a VPN connection to the Pix at work.

So...

Home=192.168.1.1>>VPN------>WorkPix192.168.1.1

Is there a way to make it so that the WorkPix makes the Home 192.168.1.1 connection another IP address, say 10.1.1.1? That way I could communicate with the 192.168.1.1 network on the other side of the WorkPix with no problems.

Sorry for the confusion

kaachary Sun, 03/18/2007 - 07:36

I guess it would be best to change your home network to something other than 192.18.1.0/24 (it's highly recommended).

As with or without split tunneling, the directly connected network route will always take precedence, so you would not be able to communicate with your office network.

Change your local subnet, and the communication would be fine.

*Please rate if it helped.

-Kanishka
