Basic VPN connection question

Jun 11th, 2008

Hi

I need to set up a site-to-site IPSEC VPN connection for the first time. I'm going to connect to one of our data feed suppliers, who have their internal IP as 10.30.0.0/16. However, I already have this network set up on my end. I assume I have to use NAT here (not my best area). Can someone please point me to some configuration or how to begin this? I'm using a PIX-515 firewall.

Also, they've asked me for our external IP that we are going to use to begin the VPN connection from. Currently I have one IP that is being used as our source address after internal traffic has been natted to it, i.e. 212.X.X.X. If I use this as the source address for the VPN connection, will it disrupt my normal traffic in any way? i.e. do I have to use a separate IP for VPN and a separate one for natting our internal IPs to go on the internet?

Thanks in advance

Dan

Collin Clark Wed, 06/11/2008 - 07:57

PAYBACK! I type fast, but with all the mistakes I have to correct, it takes a while.

Jon Marshall Wed, 06/11/2008 - 07:53

Dan

In answer to your second question first. No, you do not have to use separate IPs for VPN and internet. Just make sure that you use the natted IP address in your crypto map access-list and not the original IP addresses.

Your first question. Yes you need to use NAT. You need to

1) Choose an unused IP address(es) to use for NAT for the remote servers, e.g. 192.168.5.0/24

2) Let's say you have 2 servers you need to connect to at the remote site

10.30.0.10

10.30.0.11

static (outside,inside) 192.168.5.10 10.30.0.10 netmask 255.255.255.255

static (outside,inside) 192.168.5.11 10.30.0.11 netmask 255.255.255.255

When your clients want to connect to 10.30.0.10 then they use the 192.168.5.10 address and ditto for .11

You need to make sure that when a client on your network tries to connect to a 192.168.5.x address it gets routed to the inside interface of your firewall.

Jon
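
Added example, not part of the reply above: a Python check of the NAT plan Jon describes, which refuses a pool that is already in use and then prints the `static` lines in the form shown in the reply. The function name `plan_outside_nat` and the rule of keeping each server's low-order host bits are assumptions made for illustration.

```python
import ipaddress

def plan_outside_nat(local_nets, remote_net, nat_pool, remote_hosts):
    """Return PIX static lines mapping each remote host into nat_pool.

    Raises ValueError if the plan would reintroduce an address conflict.
    """
    local = [ipaddress.ip_network(n) for n in local_nets]
    remote = ipaddress.ip_network(remote_net)
    pool = ipaddress.ip_network(nat_pool)

    # Step 1: the pool must be unused, so it may not overlap any
    # local network or the supplier's real network.
    for net in local + [remote]:
        if pool.overlaps(net):
            raise ValueError(f"NAT pool {pool} overlaps {net}")

    lines, used = [], {}
    for host in remote_hosts:
        real = ipaddress.ip_address(host)
        if real not in remote:
            raise ValueError(f"{real} is not inside {remote}")
        # Keep the low-order host bits so 10.30.0.10 becomes 192.168.5.10.
        offset = int(real) & int(pool.hostmask)
        mapped = ipaddress.ip_address(int(pool.network_address) + offset)
        if mapped in (pool.network_address, pool.broadcast_address):
            raise ValueError(f"{real} maps to {mapped}, not a host address in {pool}")
        # Two servers in different /24s of a /16 can collide in a /24 pool.
        if mapped in used:
            raise ValueError(f"{real} and {used[mapped]} both map to {mapped}")
        used[mapped] = real
        lines.append(
            f"static (outside,inside) {mapped} {real} netmask 255.255.255.255"
        )
    return lines

if __name__ == "__main__":
    # Values taken from the thread: both sides use 10.30.0.0/16.
    for line in plan_outside_nat(
        local_nets=["10.30.0.0/16"],
        remote_net="10.30.0.0/16",
        nat_pool="192.168.5.0/24",
        remote_hosts=["10.30.0.10", "10.30.0.11"],
    ):
        print(line)
```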
