VPN, NAT and Overlapping IP Space

Phil Williamson
Level 1

I need to create a VPN tunnel between Bus-A and Bus-B.

Bus-A has a PIX 506E running 6.3(5) that I admin.

Bus-B has a non-Cisco firewall (that I don't admin) and cannot NAT before IPsec.

Bus-A has internal nets/routes same as Bus-B

Bus-A hosts on 10.1.1.0/24 need to access hosts on Bus-B 10.1.2.0/24

Bus-A hosts on 10.1.2.0/24 WILL NOT need to access hosts on Bus-B 10.1.2.0

How can I accommodate this on the PIX?

Thx,

Phil

1 Reply

Jon Marshall
Hall of Fame

Phil

You need to do two things.

1) You will need to NAT your source IP addresses.

So, for example, you have on your PIX 506E:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

which NATs all traffic to the outside IP address of your PIX.

This may not accurately reflect your NAT setup; you may need to modify it.

2) You need to present the external hosts as different hosts within your network.

Do you know if there is a subset of the 10.1.2.0/24 at the remote site you need to talk to?

What you will need is a new subnet for site-A. Let's say you choose 192.168.1.0/24. This subnet must be routable to the inside interface of your PIX firewall.

On your PIX you need to set up static translations for these addresses to the real addresses at the other end, i.e.:

static (outside,inside) 192.168.1.1 10.1.2.1 netmask 255.255.255.255

static (outside,inside) 192.168.1.2 10.1.2.2 netmask 255.255.255.255

etc....

Now your users, when they want to connect to 10.1.2.1 at the remote site, need to connect to 192.168.1.1. You can set up DNS entries to make this easier for your users.

HTH

Jon
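Putting the two steps of the reply above together as one PIX 6.3 configuration. This is an added example, not part of the original thread or anything Phil or Jon posted. It assumes Bus-A's outside interface is 198.51.100.2, Bus-B's VPN peer is 203.0.113.1, and the mapped subnet is 192.168.1.0/24 as in the reply; the names BUSB-VPN, BUSB-TS and BUSB-MAP, the pre-shared key and the choice of AES-256/SHA-1 are placeholders to adjust. Source NAT follows the reply's suggestion of PAT to the outside address, and the destination statics are collapsed into one network static. The point the per-host statics alone do not show is the crypto ACL: the PIX translates before it consults the crypto map, so the interesting-traffic ACL has to name the translated source (the outside address) and the real Bus-B destination (10.1.2.0/24), not 10.1.1.0/24 and not 192.168.1.0/24.

```cisco
! Added example (not from the thread). Bus-A PIX 506E, software 6.3(5).
! Assumed addressing: outside 198.51.100.2, Bus-B peer 203.0.113.1,
! mapped subnet 192.168.1.0/24 standing in for Bus-B's 10.1.2.0/24.

! --- Step 1: source NAT (PAT to the outside address, as in the reply) ---
! Bus-A's 10.1.1.0/24 also exists at Bus-B, so it must never leave untranslated.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Step 2: destination NAT, the whole remote subnet in one static ---
! Syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip: 192.168.1.x is what
! Bus-A hosts connect to, 10.1.2.x is the real Bus-B address on the outside.
! Because a static matched the destination, the PIX sends the packet out
! "outside" even though Bus-A has its own 10.1.2.0/24 routed on the inside.
static (outside,inside) 192.168.1.0 10.1.2.0 netmask 255.255.255.0

! --- Interesting traffic: post-NAT source, real Bus-B destination ---
! Bus-B's mirror entry is 10.1.2.0/24 -> host 198.51.100.2.
access-list BUSB-VPN permit ip host 198.51.100.2 10.1.2.0 255.255.255.0

! --- IKE phase 1 (placeholder key; use a long random secret) ---
isakmp enable outside
isakmp identity address
isakmp key CHANGE-ME-PRESHARED-KEY address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- IPsec phase 2 (AES needs the 3DES/AES activation key on the 506E) ---
crypto ipsec transform-set BUSB-TS esp-aes-256 esp-sha-hmac
crypto map BUSB-MAP 10 ipsec-isakmp
crypto map BUSB-MAP 10 match address BUSB-VPN
crypto map BUSB-MAP 10 set peer 203.0.113.1
crypto map BUSB-MAP 10 set transform-set BUSB-TS
crypto map BUSB-MAP interface outside

! Let decrypted tunnel traffic bypass the outside interface access-list.
sysopt connection permit-ipsec
```

To check it, have a 10.1.1.x host connect to 192.168.1.x and then look at `show xlate` (one entry translating the destination 192.168.1.x to 10.1.2.x and a PAT entry for the source), `show crypto isakmp sa` and `show crypto ipsec sa` (encrypt/decrypt counters rising). Two caveats with this shape: PAT to the interface means Bus-B can only ever be the responder and sees every Bus-A host as 198.51.100.2, which is what the question asked for but rules out Bus-B-initiated connections; and `sysopt connection permit-ipsec` exempts decrypted traffic from the outside access-list, so if Bus-B must later reach specific Bus-A hosts, drop that line and filter the tunnel traffic explicitly. If Bus-B needs to tell Bus-A hosts apart, replace the PAT with a `static (inside,outside)` to a second mapped subnet; note that a plain network static then applies to all traffic from 10.1.1.0/24, including Internet-bound traffic, so that mapped range must be routable or the static must be scoped with an access-list.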
