Lan-to-Lan Over NATted connection

Unanswered Question
Jan 24th, 2008

Hi all.

Anyone has successfully configured a lan-to-lan between two pix, both with private address on outside, statically natted on ISP router?

Pix1----R1-----Internet-----R2----Pix2

Pix1 has IP add 10.1.1.1, on R1 there's a nat rule like

ip nat inside source static 10.1.1.1 88.10.1.1

Pix2 has IP add 10.2.2.1, on R2 there's a nat rule like

ip nat inside source static 10.2.2.1 89.20.1.1

Till now I've always used static ip configured on outside interfaces; or one pix with static ip and the other configured like easy-vpn-client with net-extension mode.

In this case I don't have any public ip, excluding the one on router.

Thanks

Daniele

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
ajagadee Thu, 01/24/2008 - 06:53

Assuming that you want to encrypt the LAN behind the Pixes, this should work as far as the IPSEC peers are 88.10.1.1 and 89.20.1.1 and you not blocking UDP Port 500 and Protocol 50 on the router and Pix.

Regards,

Arul

** Please rate helpful posts **

dimensyssrl Thu, 01/24/2008 - 08:17

thanks for your reply

I thought that can be a problem, because the pix use its true ip (private ip) to encrypt, and the packet encrypted is modified in transit by nat device

Is it not a problem?

ajagadee Thu, 01/24/2008 - 08:42

Pix1----R1-----Internet-----R2----Pix2

Pix1 has IP add 10.1.1.1, on R1 there's a nat rule like

ip nat inside source static 10.1.1.1 88.10.1.1

Pix2 has IP add 10.2.2.1, on R2 there's a nat rule like

ip nat inside source static 10.2.2.1 89.20.1.1

In the above scenario, lets say the LAN 1 Behind the Pix 1 is 192.168.1.0/24 and LAN 2 Behind the Pix 2 is 192.168.2.0/24. And you want to encrypt the traffic between LAN1 and LAN2 using Pix 1 and Pix 2.

Traffic Flow from Pix 1 to Pix 2

Now, the source and destination IP Address will be encrypted, that is 192.168.1.0/24 and 192.168.2.0/24 but the encrypted packet's source IP will be 10.1.1.1 and destination IP will be 89.20.1.1. When this packet hits R1, the router will translate the source IP of the packet to 88.10.1.1.

Traffic Flow from Pix 2 to Pix 1

Now, the source and destination IP Address will be encrypted, that is 192.168.2.0/24 and 192.168.1.0/24 but the encrypted packet's source IP will be 10.2.2.1 and destination IP will be 88.10.1.1. When this packet hits R2, the router will translate the source IP of the packet to 89.20.1.1.

So, I dont see an issue with this configuration.

Regards,

Arul

** Please rate helpful posts **

srue Fri, 01/25/2008 - 07:38

make sure nat-t is enabled.

crypto isakmp nat-traversal

also, allow udp/4500 to each pix from the other pix'es public IP.

Actions

This Discussion