IPSEC VPN with PAT for the interesting traffic

Unanswered Question
Oct 23rd, 2007

R1--PIX1-----Internet-----PIX2--R2

Lo0 R1       --> 1.1.1.1
PIX1 (inside)  --> 10.1.1.10
PIX1 (outside) --> 219.x.x.55

Lo0 R2       --> 2.2.2.2
PIX2 (inside)  --> 20.1.1.10
PIX2 (outside) --> 139.x.x.65



I need to configure an IPSEC VPN between PIX1 and PIX2, and the interesting traffic is between Lo0 R1 and Lo0 R2.

The problem is that PIX2 allows only 219.25.4.55, so I don't know how to configure that.

Do I need to PAT Lo0 R1 to 219.x.x.55? Do I need NAT-Traversal?


PIX1
====

! Interface addresses follow the topology above: 219.x.x.55 is the outside
! (Internet-facing) address, 10.1.1.10 is the inside address.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 219.x.x.55 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
!
! Crypto ACL (interesting traffic) and NAT exemption for the same flow
access-list encrypt extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list nonat extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! The static in question. PIX syntax is:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! i.e. the translated (outside) address comes first, the real (inside) address second.
-------------------------
static (inside,outside) 219.25.4.55 1.1.1.1 netmask 255.255.255.255
-------------------------
!
crypto ipsec transform-set tset esp-3des esp-md5-hmac
!
crypto map myvpn 10 match address encrypt
crypto map myvpn 10 set peer 139.25.14.65
crypto map myvpn 10 set transform-set tset
crypto map myvpn interface outside
crypto isakmp enable outside
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
crypto isakmp nat-traversal 20
!
tunnel-group 139.25.14.65 type ipsec-l2l
tunnel-group 139.25.14.65 ipsec-attributes
 pre-shared-key *

krishnakomiti Tue, 10/23/2007 - 03:06

Hi,


Please configure the steps below for the VPN:

PIX-1
........................................

! Let decrypted VPN traffic bypass the interface ACL
sysopt connection permit-ipsec
no sysopt route dnat
!
! Phase 2 transform set (the crypto map below must reference this same name)
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map myvpn 20 ipsec-isakmp
crypto map myvpn 20 match address encrypt
crypto map myvpn 20 set peer 139.25.14.65
crypto map myvpn 20 set transform-set myset
crypto map myvpn interface outside
!
! Phase 1 (ISAKMP) settings and pre-shared key for the peer
isakmp enable outside
isakmp key ******** address 139.25.14.65 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
!
! Interesting traffic and NAT exemption for the same flow
access-list encrypt extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list nonat extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat




Thanks ,

Krishna.


welcomeccie Tue, 10/23/2007 - 03:56

Thanks Krishna for your reply, but PIX2 permits only 219.25.4.55, so I should NAT the interesting traffic to that IP and I can't use nat 0.
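Added example, not from the original post or any reply: a PIX1/PIX2 configuration pair that does what the poster describes, PAT of 1.1.1.0/24 to PIX1's own outside address 219.25.4.55 for the tunnel traffic only, with the crypto ACL written against the translated address. It keeps the PIX 7.x syntax of the original post. The inside next hops 10.1.1.1 and 20.1.1.1, the ACL name vpn-pat and the pre-shared-key placeholder are assumptions not given in the thread, and SHA is used in place of the thread's MD5.

```cisco
! ===== PIX1 (added example; next hop 10.1.1.1 and the key are assumptions) =====
interface Ethernet0
 nameif outside
 security-level 0
 ip address 219.25.4.55 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
!
! Route to R1's loopback network behind the inside interface (next hop assumed)
route inside 1.1.1.0 255.255.255.0 10.1.1.1 1
!
! Policy PAT: only 1.1.1.0/24 -> 2.2.2.0/24 is translated, and it is translated
! to the outside interface address (219.25.4.55), the one address PIX2 accepts.
! Do NOT keep a "nat (inside) 0 access-list ..." covering this flow: NAT
! exemption is evaluated before policy NAT and would bypass the PAT.
access-list vpn-pat extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
nat (inside) 1 access-list vpn-pat
global (outside) 1 interface
!
! The crypto ACL is evaluated AFTER NAT, so it must match the translated
! source (host 219.25.4.55), not 1.1.1.0/24.
access-list encrypt extended permit ip host 219.25.4.55 2.2.2.0 255.255.255.0
!
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map myvpn 10 match address encrypt
crypto map myvpn 10 set peer 139.25.14.65
crypto map myvpn 10 set transform-set tset
crypto map myvpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! NAT-T is not needed here: PIX1's outside address is public and is the IKE
! endpoint itself. The PAT applies to the payload, not to the IKE/ESP packets.
tunnel-group 139.25.14.65 type ipsec-l2l
tunnel-group 139.25.14.65 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
! Let decrypted traffic bypass the outside interface ACL (on by default in 7.x)
sysopt connection permit-ipsec

! ===== PIX2 (mirror side; next hop 20.1.1.1 and the key are assumptions) =====
! PIX2 only ever sees host 219.25.4.55. 2.2.2.0/24 is not translated on this
! side, so that flow needs NAT exemption.
route inside 2.2.2.0 255.255.255.0 20.1.1.1 1
access-list encrypt extended permit ip 2.2.2.0 255.255.255.0 host 219.25.4.55
access-list nonat extended permit ip 2.2.2.0 255.255.255.0 host 219.25.4.55
nat (inside) 0 access-list nonat
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map myvpn 10 match address encrypt
crypto map myvpn 10 set peer 219.25.4.55
crypto map myvpn 10 set transform-set tset
crypto map myvpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 219.25.4.55 type ipsec-l2l
tunnel-group 219.25.4.55 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
sysopt connection permit-ipsec
```

Checks: bring the tunnel up from R1 with traffic sourced from the loopback (for example a ping to 2.2.2.2 sourced from 1.1.1.1), then on PIX1 confirm with `show xlate` that 1.1.1.1 is translated to 219.25.4.55, and with `show crypto ipsec sa` that the local ident is 219.25.4.55/255.255.255.255 and the remote ident 2.2.2.0/255.255.255.0 with the encaps counter increasing. Caveat: because the translation is a PAT to the interface address, only the R1 side can initiate; nothing on the PIX2 side can reach 1.1.1.1 until an xlate exists. If PIX2 must be able to initiate, a one-to-one static to a spare public address (a static cannot use the interface's own address without a port) is required, and PIX2 would then have to permit that address instead.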

sorghum_gao Thu, 10/25/2007 - 09:19

You can use Easy VPN client mode to solve the problem.
