Home 2 Lan IPSec VPN Tunnel with a Pix

Mar 16th, 2007
My home network is 192.168.1.1/24 and the internal network for work is 192.168.1.1/24. Is there a setting in the Pix that will either change the home's IP address to something else after creating the VPN tunnel, so that I can actually talk to IPs on the work network, or do I have to just change my IP scheme over to 10.0.0.1 for home? I would hope there would be a command to avoid having to do that in the Pix.

Jon Marshall Sat, 03/17/2007 - 12:36
Hi


Yes you can hide all your 192.168.1.x IP addresses at home behind your public IP address of the outside interface on your pix.


So you would need to NAT all your private 192.168.1.x addresses


nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface


Then in your crypto map access-list that define interesting traffic for the VPN tunnel


access-list vpn_traffic permit ip host "public IP of your pix" 192.168.1.0 255.255.255.0


Your home pix will NAT your 192.168.1.x addresses to the public ip of your pix then encrypt them and send them to your work site.


** Note that this solution assumes that all connections will be initiated from your home network to work. If you need to be able to initiate connections from work to home it can still be done but it is a more complicated configuration **


Let me know if you need more info.



HTH


Jon

ixholla69 Sat, 03/17/2007 - 17:20
I was looking at the command "IP Pool" is it possible when the User initiates a VPN connection to the Pix to make the Pix send a "Pooled IP" address of something else maybe?

Say for instance the Home user has a 192.168.1.1 address would it be possible to have the Pix send them a totally different address to use? Maybe something in the 10.0.0.1 Range? That'd probably be a little better for my case if that's possible.

Kamal Malhotra Sat, 03/17/2007 - 20:41
Hi,


We have 3 main options.


1. We nat on the PIX (home device) and on the work device.


We nat it in such a way that when the traffic is going from home to work it appears as 192.168.2.0/24, and when the traffic is going from work to home it appears as 192.168.3.0/24. So the home actually accesses the 192.168.3.0 network and the work accesses the 192.168.2.0/24 network. On the home PIX the commands should look like:


access-list policy permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

static (inside,outside) 192.168.2.0 access-list policy


access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0


The second acl is the crypto ACL that is bound with the crypto map. You will get bidirectional traffic.


2. Implement the previous suggestion. The traffic will be uni-directional i.e. only the home will be able to access the work and NOT vice-versa.


3. Change the IP addressing of the home network.


HTH,


Please rate if it helps,


Regards,


Kamal

ixholla69 Sat, 03/17/2007 - 23:33
No no I think I didn't make myself clear there's no "Home Pix" it's just Home Initiating a VPN connection to the Pix at work.


So...

Home=192.168.1.1>>VPN------>WorkPix192.168.1.1


Is there a way to make it so that the Workpix

makes the Home192.168.1.1 Connection another IP address, say 10.1.1.1? That way I could communicate with the 192.168.1.1 Network on the other side of the WorkPix with no problems.


Sorry for the confusion

kaachary Sun, 03/18/2007 - 07:36
I guess it would be best to change your home network to something other than 192.18.1.0/24 (It's highly recommended).


With or without split tunneling, the directly connected network route will always take precedence, so you would not be able to communicate with your office network.


Change your local subnet, and the communication would be fine.


*Please rate if helped.


-Kanishka
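An added example, not part of the thread and not PIX configuration: a small Python model of the two points made above, Kanishka's observation that the directly connected 192.168.1.0/24 route beats a VPN route for the same prefix, and Kamal's option 1 where each site is presented to the other under a different /24 (192.168.2.0/24 and 192.168.3.0/24). The subnets are the ones posted in the thread; the host numbers, function names and the simplified routing table are constructed for illustration.

```python
"""Model of overlapping-subnet routing and two-way policy NAT.

Added example (not from the thread).  Subnets come from the posts above;
host addresses, function names and the routing-table shape are constructed.
"""
from ipaddress import IPv4Address, IPv4Network

# Real subnets on both sides: the conflict in the original question.
HOME_REAL = "192.168.1.0/24"
WORK_REAL = "192.168.1.0/24"
# Translated subnets from Kamal's option 1: what each side appears as to the other.
HOME_AS_SEEN_BY_WORK = "192.168.2.0/24"
WORK_AS_SEEN_BY_HOME = "192.168.3.0/24"


def subnets_overlap(a: str, b: str) -> bool:
    """True when at least one address belongs to both networks."""
    return IPv4Network(a).overlaps(IPv4Network(b))


def next_hop(routes, dst: str) -> str:
    """Longest-prefix-match lookup over an ordered list of (network, next_hop).

    On equal prefix length the earlier entry wins.  A host lists its directly
    connected LAN first, so a VPN route for the same /24 is never chosen,
    which is why overlapping subnets break the tunnel without NAT."""
    addr, best = IPv4Address(dst), None
    for net, hop in routes:
        net = IPv4Network(net)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else "no-route"


def home_routing_table(work_presented_as: str):
    """Constructed host routing table at home: connected LAN, then the VPN route."""
    return [(HOME_REAL, "lan"), (work_presented_as, "vpn")]


def translate(addr: str, src_net: str, dst_net: str) -> str:
    """Static net-to-net translation: keep the host bits, swap the network bits.
    This is the effect of `static (inside,outside) <net> access-list <acl>`."""
    a, s, d = IPv4Address(addr), IPv4Network(src_net), IPv4Network(dst_net)
    if a not in s or s.prefixlen != d.prefixlen:
        raise ValueError(f"{addr} not in {src_net}, or prefix lengths differ")
    return str(IPv4Address(int(d.network_address) + (int(a) - int(s.network_address))))


def trace_home_to_work(home_host: str, work_host: str) -> dict:
    """Follow one packet and its reply through both policy NATs.
    Returns the (src, dst) pair as seen at each hop."""
    hops = {}
    # The home host talks to work's translated address, never its real one.
    dst_at_home = translate(work_host, WORK_REAL, WORK_AS_SEEN_BY_HOME)
    hops["home_host_sends"] = (home_host, dst_at_home)
    # Home PIX: source 192.168.1.x -> 192.168.2.x, destination untouched, then encrypt.
    src_on_wire = translate(home_host, HOME_REAL, HOME_AS_SEEN_BY_WORK)
    hops["after_home_pix"] = (src_on_wire, dst_at_home)
    # Work PIX: destination 192.168.3.x -> real 192.168.1.x, source untouched.
    hops["work_host_receives"] = (src_on_wire, work_host)
    # The reply takes the mirror path, so the home host sees a 192.168.3.x peer.
    hops["home_host_receives_reply"] = (dst_at_home, home_host)
    return hops


def validate_plan(home_real: str, work_real: str, home_seen: str, work_seen: str) -> list:
    """Reasons a pair of translated subnets would still collide (empty list = usable)."""
    problems = []
    for name, net in (("home-as-seen-by-work", home_seen), ("work-as-seen-by-home", work_seen)):
        for side, real in (("home LAN", home_real), ("work LAN", work_real)):
            if subnets_overlap(net, real):
                problems.append(f"{name} {net} collides with {side} {real}")
    if subnets_overlap(home_seen, work_seen):
        problems.append(f"translated subnets {home_seen} and {work_seen} overlap each other")
    if (IPv4Network(home_seen).prefixlen != IPv4Network(home_real).prefixlen
            or IPv4Network(work_seen).prefixlen != IPv4Network(work_real).prefixlen):
        problems.append("translated subnet must be the same size as the real one")
    return problems


if __name__ == "__main__":
    print("overlap:", subnets_overlap(HOME_REAL, WORK_REAL))
    print("no NAT, dst 192.168.1.20 ->", next_hop(home_routing_table(WORK_REAL), "192.168.1.20"))
    print("with NAT, dst 192.168.3.20 ->", next_hop(home_routing_table(WORK_AS_SEEN_BY_HOME), "192.168.3.20"))
    for hop, pair in trace_home_to_work("192.168.1.10", "192.168.1.20").items():
        print(f"{hop:28s} src={pair[0]} dst={pair[1]}")
    print("plan problems:", validate_plan(HOME_REAL, WORK_REAL, HOME_AS_SEEN_BY_WORK, WORK_AS_SEEN_BY_HOME))
```

The trace shows why option 1 gives bidirectional traffic: neither host ever sees the other side's real 192.168.1.x address, so the connected-route tie never arises. `validate_plan` is the check to run before committing to a pair of translated subnets; reusing 192.168.1.0/24 for either side, or picking two overlapping translated ranges, is reported as a collision.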
