pix l2l and internet

eric.loiseau
Level 1

I have an IPsec VPN between two PIXs, but now I want all internet traffic to pass through my central PIX. Is it possible?

3 Replies

Jon Marshall
Hall of Fame

Eric

It's not clear from your description what you want to do. Could you expand on your requirements?

Traffic going down the VPN tunnel is defined by the crypto map access-lists.

Jon

I want my internet traffic from local site A and remote site B (from the VPN tunnel) to go out of the outside interface of site A.

I want only one outside site for internet traffic.

Regards

I am going to show you how to do this. It is so easy even you will be surprised by it.

LAN_A---RouterA----INTERNET----PixB---LAN_B

LAN_A = 192.168.103.0/24
LAN_B = 10.105.0.0/24
RouterA External IP = 1.1.1.1 (remote office)
PixB outside IP = 2.2.2.2 (HQ)

RouterA config:

! crypto ACL: everything from LAN_A, including Internet-bound traffic, is interesting traffic
access-list 101 permit ip 192.168.103.0 0.0.0.255 any
crypto isakmp key cisco address 2.2.2.2 no-xauth
crypto isakmp keepalive 10
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encryption aes 256
 group 5
 lifetime 86400
crypto ipsec transform-set cisco esp-aes 256 esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set cisco
 match address 101
 set security-association lifetime seconds 3600
 set pfs group5
! outside interface of the remote office router
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.240
 crypto map cisco

PixB config:

isakmp identity address
isakmp enable outside
isakmp key cisco address 1.1.1.1 no-xauth
access-list nonat permit ip 10.105.0.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list VPN permit ip 192.168.103.0 255.255.255.0 any
access-list 101 permit ip 10.105.0.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list 101 permit ip any 192.168.103.0 255.255.255.0
nat (outside) 1 access-list VPN
global (outside) 1 interface
nat (inside) 1 0 0
nat (inside) 0 access-list nonat
same-security-traffic permit intra-interface
sysopt connection permit-ipsec
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400
crypto ipsec transform-set cisco esp-aes-256 esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 set peer 1.1.1.1
crypto map cisco 10 set transform-set cisco
crypto map cisco 10 set pfs group5
crypto map cisco 10 match address 101
crypto map cisco 10 set security-association lifetime seconds 3600
crypto map cisco interface outside

Now traffic from network 192.168.103.0/24 going to the Internet will have to go over to the PIX firewall at the HQ side.

As I've said before, it is so easy even cavemen can do it (Geico commercial) :-)

CCIE Security
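One way to check that the two crypto ACLs in the configs above are mirror images of each other, which is the point Jon raised earlier in the thread. This is an added example, not code from the thread: it parses the IOS entries (wildcard masks) and the PIX entries (subnet masks) and reports any entry that has no exact (dst, src) mirror on the peer, noting when a broader peer entry merely covers it.

```python
import ipaddress

# Constructed sample input: the crypto ACLs from the RouterA (IOS, wildcard masks)
# and PixB (PIX, subnet masks) configs in the reply above.
ROUTER_ACL = [
    "access-list 101 permit ip 192.168.103.0 0.0.0.255 any",
]
PIX_ACL = [
    "access-list 101 permit ip 10.105.0.0 255.255.255.0 192.168.103.0 255.255.255.0",
    "access-list 101 permit ip any 192.168.103.0 255.255.255.0",
]

def _net(tokens, wildcard):
    """Consume one address spec ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:  # IOS ACLs use inverse masks: 0.0.0.255 means /24
        mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_crypto_acl(lines, wildcard):
    """Return the set of (src, dst) networks selected by 'permit ip' entries."""
    pairs = set()
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue  # deny lines and non-IP entries do not define interesting traffic
        src, rest = _net(t[4:], wildcard)
        dst, _ = _net(rest, wildcard)
        pairs.add((src, dst))
    return pairs

def mirror_check(side_a, side_b):
    """For each side, list entries with no exact (dst, src) mirror on the peer.
    An entry is 'covered' if a broader peer entry subsumes it, else 'missing'."""
    def classify(mine, theirs):
        out = {}
        for s, d in mine:
            if (d, s) in theirs:
                continue
            covered = any(d.subnet_of(ps) and s.subnet_of(pd) for ps, pd in theirs)
            out[(str(s), str(d))] = "covered" if covered else "missing"
        return out
    return classify(side_a, side_b), classify(side_b, side_a)

if __name__ == "__main__":
    a, b = mirror_check(parse_crypto_acl(ROUTER_ACL, True), parse_crypto_acl(PIX_ACL, False))
    print("RouterA unmatched:", a)
    print("PixB unmatched:", b)
```

On the configs above it flags the first PixB entry as covered (the "any" entry already mirrors the router's single line), so the tunnel selectors match; a "missing" result means one side will build an SA the peer never accepts.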
