04-08-2008 01:31 PM - edited 02-21-2020 01:58 AM
Hello,
There is probably an easy solution for this but I've been trying to configure this all day and haven't made any progress. I haven't found any documentation yet specific to my situation but from what I have read it does seem like this is possible.
I am trying to configure a scenario in my test lab where I have a Pix firewall at the main branch office connecting 2 remote (Client) sites (2801 routers) with overlapping networks via L2L IPSEC VPN. HTTPS traffic needs to be bi-directional between client sites and main branch office. Also I do not want clients accessing each others networks.
Main office: Pix version 8
internal 192.168.2.2
external 10.0.10.197
Client 1 office: Router2801a
external 10.0.11.15
internal 172.16.1.1 network 172.16.1.x/24
Client 2 office: Router2801b
external 10.0.11.16
internal 172.16.1.1 network 172.16.1.x/24
I'm thinking that the routers at the client sites need to NAT their private addresses prior to the VPN tunnel to a network other than 192.168.2.2. Maybe something like 192.168.200.x/24 and 192.168.201.x/24. How do I configure the pix to be able to route these addresses internally?
Any other EASIER or more viable solutions would be helpful.
UPDATE *** Ok so I created sub interfaces 192.168.200.1 and 192.168.201.1 (VLAN 2 and VLAN 3) on the Cisco pix and now the routers use NAT to translate to an IP in those subnets. I can ping the subinterfaces on the pix via the tunnel from the branch offices but cannot ping the Main office from the branch offices. Hopefully I can solve this.
Thanks,
Lance
04-08-2008 06:07 PM
Lance, I have a question for you: have you looked into policy NAT at all? You should be able to NAT the traffic prior to exiting to the tunnel, especially for the overlapping sites. There are quite a few configuration examples out there for PIX/ASA to router or router to router etc. Policy NAT is your solution.
Let me know if I should throw you a couple of links with examples for overlapping nets in an L2L scenario.
Rgds
Jorge
04-08-2008 06:51 PM
Thanks Jorge for the fast response but I was able to get it working.
On the pix I changed the security level of the sub interfaces to a higher value than the internal network and then on the routers added static routes to the outside interface of the pix. This is working so far.
Lance
04-08-2008 07:32 PM
Lance, thanks for your update, good for you and glad you got a solution.
Rgds
Jorge
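The spoke-side "NAT before the tunnel" setup that Jorge suggests and Lance describes, written out as an added example for the Client 1 router (Router2801a); this is not configuration from either poster. It assumes FastEthernet0/0 is the inside interface, FastEthernet0/1 the outside, 10.0.11.1 is the next hop, the pre-shared key is a placeholder, and that the lab carries no Internet-bound traffic (otherwise the static network NAT would need to be narrowed with a route-map). Client 2 mirrors this with 192.168.201.0/24, and client-to-client isolation comes from the hub only defining hub-to-client crypto ACLs, never client-to-client.

```cisco
! Phase 1 to the PIX hub (10.0.10.197 from the thread); key is a placeholder
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-PRESHARED-KEY address 10.0.10.197
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Interesting traffic is written in POST-NAT terms: IOS translates an
! inside->outside packet before the crypto map sees it, so the hub only
! ever learns about 192.168.200.0/24, never the overlapping 172.16.1.0/24.
ip access-list extended VPN-TO-HUB
 permit ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map HUB 10 ipsec-isakmp
 set peer 10.0.10.197
 set transform-set TS
 match address VPN-TO-HUB
!
interface FastEthernet0/0
 description Inside LAN 172.16.1.0/24 (same range as Client 2)
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Outside, 10.0.11.15 (assumed /24)
 ip address 10.0.11.15 255.255.255.0
 ip nat outside
 crypto map HUB
!
! One-to-one static network NAT: 172.16.1.x <-> 192.168.200.x. Static NAT is
! bidirectional, so HTTPS sessions started by the hub toward 192.168.200.x
! are untranslated to the real host, as the thread requires.
ip nat inside source static network 172.16.1.0 192.168.200.0 /24
!
! Assumed upstream next hop for reaching the hub's outside address
ip route 0.0.0.0 0.0.0.0 10.0.11.1
```

On the hub, the matching crypto ACL and NAT exemption reference 192.168.200.0/24 for Client 1 and 192.168.201.0/24 for Client 2, which is why those subnets also need a routable home on the PIX inside (the subinterfaces Lance created).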