Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
382
Views
0
Helpful
5
Replies

pix and cisco concentrator vpn problem

arumugasamy
Level 1
Level 1

‎05-24-2007 12:25 AM - edited ‎03-11-2019 03:19 AM

Dear All,

I need to setup the vpn tunnel between 2 sites.One site has the concentrator another site has the pix 515E.The site engineer from the concentrator side given the below details to configure the pix in my site.

Concentrator site Tunel ip : 168.x.x10

Phase-1 Setting

Phase 2 settings

Key id

I prefered the both crypto map and isakmp policy then applied it to the firewall and tested found that no tunnel establishment.

They mainly accessing our server with 192.168.100.9.

They want me to translate this ip then do the vpn tunnel config. I confused and come to netpro to get your help.

Please tell me how can i do the tunnel with one site (remote) legal ip address subnet (168.x.x.0/24) and my site rfc 1819 address (192.168.100.0/24)with the ip address 192.168.100.9 to be translated first before the ip sec config.

Now i have to solve the problem asas.

Please help me.

swami

Labels:
0 Helpful
5 Replies 5

JORGE RODRIGUEZ
Level 10
Level 10

‎05-24-2007 03:04 AM

Here is basic example on LAN-to-LAN vpn between PIX and vpn concentrator.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

Jorge

Jorge Rodriguez
0 Helpful

arumugasamy
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎05-25-2007 03:09 AM

Dear,

In real config, the remote admin ask me not to do the anting. So i translated the local server 192.168.100.9 to the loval legal ip given by ISP then the legal ip i made the crypo acl.Now i need to proceed further to finish the config.

thanks

swami

0 Helpful

palomoj
Level 1
Level 1

‎05-24-2007 07:39 AM

Your crypto access-list needs to specify the NAT'ed IP address(es) going to the remote site 168.x.x.0/24 network. You're going to need to NAT the appropriate traffic using policy NAT - nat (inside) 1 access-list NAT-TO-VPN3000.

access-list NAT-TO-VPN3000 permit ip host 192.168.100.9 168.x.x.0 255.255.x.x

Basically, you want to NAT prior to encrypting your VPN traffic. Your crypto ACL must be an exactly mirror of the remote side

0 Helpful

arumugasamy
Level 1
Level 1
In response to palomoj

‎05-25-2007 03:02 AM

Dear,

Thanks.

Here the remote engr asked me not to do the nat.

so i did the static (inside,outside) 193.188.x.13 192.168.0.9 netmask 255.255.255.255

then in crypto acl

access-list ul_vpn permit host 193.188.x.13 168.x.x.0 255.255.255.0

crypto map vpn 140 address ul_vpn

I left is ur solu of policy nat.

tell me if i do the nat (inside)1 acl then it would use global outside of pix outside address.please explain bit more.

Really it is helpful to me.

please i need to know bit more

swami

0 Helpful

palomoj
Level 1
Level 1
In response to arumugasamy

‎05-25-2007 08:07 AM

I'm confused about what the vpn requirements are. If the remote engineer doesn't want you to NAT the 192.168.0.9 host then you create an ACL and NAT statement like the ones below.

access-list NO-NAT-ACL permit ip host 192.168.0.9 168.x.x.0 255.255.255.0

nat (inside) 0 access-list NO-NAT-ACL

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card