VPN, NAT and Overlapping IP Space

Unanswered Question
Mar 27th, 2007

I'm needing to create a VPN tunnel between Bus-A and Bus-B

Bus-A has PIX506E running 6.3(5) that I admin

Bus-B has non-Cisco firewall (that I don't admin) and cannot NAT before IPSec

Bus-A has internal nets/routes same as Bus-B

Bus-A hosts on 10.1.1.0/24 need to access hosts on Bus-B 10.1.2.0/24

Bus-A hosts on 10.1.2.0/24 WILL NOT need to access hosts on Bus-B 10.1.2.0

How can I accommodate this on the PIX?


Thx,

Phil

Jon Marshall Tue, 03/27/2007 - 06:26

Phil


You need to do two things.


1) You will need to NAT your source IP addresses.


So for example you have on your pix 506E


nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface


which NATs all traffic to the outside IP address of your pix.

This may not accurately reflect your NAT setup - you may need to modify.


2) You need to present the external hosts as different hosts within your network.


Do you know if there is a subset of the 10.1.2.0/24 at the remote site you need to talk to?


What you will need is a new subnet for site-A. Let's say you choose 192.168.1.0/24. This subnet must be routable to the inside interface of your pix firewall.


On your pix you need to set up static translations for these addresses to the real addresses at the other end, i.e.


static (outside,inside) 192.168.1.1 10.1.2.1 netmask 255.255.255.255

static (outside,inside) 192.168.1.2 10.1.2.2 netmask 255.255.255.255

etc.


Now, when your users want to connect to 10.1.2.1 at the remote site, they need to connect to 192.168.1.1. You can set up DNS entries to make this easier for your users.



HTH


Jon
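As an added example (not Jon's configuration and not taken from the thread), here is how the two pieces above fit into one complete PIX 6.3(5) configuration fragment for Bus-A, including the crypto ACL that has to agree with the translated addresses. Every concrete value beyond what the thread gives is an assumption: 203.0.113.2 for the PIX outside address, 198.51.100.2 for Bus-B's VPN peer, the access-list and crypto-map names, the IKE/IPsec parameters, and the pre-shared-key placeholder.

```cisco
! Added example for Bus-A's PIX 506E, 6.3(5). Assumed values:
!   203.0.113.2   = PIX outside interface address (Bus-A)
!   198.51.100.2  = Bus-B VPN peer address
!   PRESHAREDKEY  = placeholder for the IKE pre-shared key

! 1) PAT every inside source to the outside address before IPsec, so Bus-B
!    never sees Bus-A's own 10.1.1.0/24 or 10.1.2.0/24 as a source.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 2) Outside NAT: present Bus-B's 10.1.2.x hosts to Bus-A users as 192.168.1.x.
!    192.168.1.0/24 must be routed to the PIX inside interface and must not be
!    in use anywhere else at Bus-A.
static (outside,inside) 192.168.1.1 10.1.2.1 netmask 255.255.255.255
static (outside,inside) 192.168.1.2 10.1.2.2 netmask 255.255.255.255
! (or, if every Bus-B host is needed, one network static instead of per-host lines:)
! static (outside,inside) 192.168.1.0 10.1.2.0 netmask 255.255.255.0

! 3) The crypto ACL is evaluated after translation: the source is the PAT
!    address (the PIX outside IP), the destination is Bus-B's real subnet.
access-list VPN-BUSB permit ip host 203.0.113.2 10.1.2.0 255.255.255.0

! 4) IKE phase 1 and IPsec phase 2 (parameters assumed; match Bus-B's firewall)
isakmp enable outside
isakmp key PRESHAREDKEY address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map BUSB 10 ipsec-isakmp
crypto map BUSB 10 match address VPN-BUSB
crypto map BUSB 10 set peer 198.51.100.2
crypto map BUSB 10 set transform-set ESP-AES-SHA
crypto map BUSB interface outside
sysopt connection permit-ipsec
```

The point that is easy to miss is step 3: because the PIX applies NAT before it checks the crypto map, the interesting traffic must be written with the post-translation source (the outside address), not 10.1.1.0/24, and Bus-B's mirror-image selector is 10.1.2.0/24 to host 203.0.113.2. Bus-A's second subnet 10.1.2.0/24 never enters the tunnel because inside hosts reach Bus-B only via 192.168.1.x, and 192.168.1.0/24 must stay unused locally or the static translations will collide with real hosts.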

