Basic VPN connection question

Jun 11th, 2008
Hi


I need to set up a site-to-site IPSEC VPN connection for the first time. I'm going to connect to one of our data feed suppliers, who have their internal IP range as 10.30.0.0/16. However I already have this network set up on my end. I assume I have to use NAT here (not my best area). Can someone please point me to some configuration or how to begin this? I'm using a PIX-515 firewall.


Also they've asked me for our external IP that we are going to use to begin the VPN connection from. Currently I have one IP that is being used as our source address after internal traffic has been natted to it, i.e. 212.X.X.X. If I use this as the source address for the VPN connection will it disrupt my normal traffic in any way? i.e. do I have to use a separate IP for VPN and a separate one for natting our internal IPs to go on the internet?


Thanks in advance

Dan

Jon Marshall Wed, 06/11/2008 - 07:54

Told you i was a slow typist !!

Collin Clark Wed, 06/11/2008 - 07:57

PAYBACK! I type fast, but with all the mistakes I have to correct, it takes awhile.

Jon Marshall Wed, 06/11/2008 - 07:53

Dan


In answer to your second question first. No, you do not have to use separate IPs for VPN and internet. Just make sure that you use the natted IP address in your crypto map access-list and not the original IP addresses.


Your first question. Yes, you need to use NAT. You need to

1) Choose an unused IP address(es) to use for NAT for the remote servers, e.g. 192.168.5.0/24

2) Let's say you have 2 servers you need to connect to at the remote site

10.30.0.10
10.30.0.11

static (outside,inside) 192.168.5.10 10.30.0.10 netmask 255.255.255.255
static (outside,inside) 192.168.5.11 10.30.0.11 netmask 255.255.255.255

When your clients want to connect to 10.30.0.10 then they use the 192.168.5.10 address, and ditto for .11

You need to make sure that when a client on your network tries to connect to a 192.168.5.x address it gets routed to the inside interface of your firewall.


Jon
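To show how the pieces Jon describes fit together, here is a PIX 6.3-style configuration fragment: the outside statics for the two overlapping supplier servers, a crypto ACL written with the post-NAT addresses, and a minimal IKE/IPsec setup. This is an added example, not configuration from the thread or from Cisco; the supplier peer 203.0.113.1, the pre-shared key, the ACL and map names, the next hop 212.X.X.1 and the host routes are assumptions, and 212.X.X.X is the thread's own placeholder for Dan's public address.

```cisco
! --- existing PAT for ordinary internet access (assumed already in place) ---
nat (inside) 1 10.30.0.0 255.255.0.0
global (outside) 1 212.X.X.X
!
! --- hide the supplier's overlapping 10.30.0.x servers behind 192.168.5.x ---
! LAN clients connect to 192.168.5.10/.11; the PIX rewrites the destination
! to the supplier's real 10.30.0.10/.11 as the packet leaves the outside.
static (outside,inside) 192.168.5.10 10.30.0.10 netmask 255.255.255.255
static (outside,inside) 192.168.5.11 10.30.0.11 netmask 255.255.255.255
!
! Assumption: host routes so the untranslated destinations leave via outside
! rather than matching your own connected 10.30.0.0/16 on the inside.
! 212.X.X.1 stands in for your ISP gateway.
route outside 10.30.0.10 255.255.255.255 212.X.X.1
route outside 10.30.0.11 255.255.255.255 212.X.X.1
!
! --- crypto ACL: post-NAT addresses only, as Jon says ---
! Source is your PATed public IP, destination the supplier's real server IP.
! The supplier's crypto ACL must be the mirror image of this one.
access-list VPN-SUPPLIER permit ip host 212.X.X.X host 10.30.0.10
access-list VPN-SUPPLIER permit ip host 212.X.X.X host 10.30.0.11
!
! --- IKE phase 1 (peer 203.0.113.1 and the key are placeholders) ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key REPLACE-WITH-SHARED-SECRET address 203.0.113.1 netmask 255.255.255.255
!
! --- IPsec phase 2 ---
crypto ipsec transform-set SUPPLIER-TS esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 ipsec-isakmp
crypto map OUTSIDE-MAP 10 match address VPN-SUPPLIER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set SUPPLIER-TS
crypto map OUTSIDE-MAP interface outside
!
! Let decrypted tunnel traffic bypass the outside interface ACL
sysopt connection permit-ipsec
```

Because the same 212.X.X.X is used for both PAT and the tunnel, only traffic matching VPN-SUPPLIER is encrypted; everything else from that address still goes to the internet in the clear as before. Check the tunnel with `show crypto isakmp sa` and `show crypto ipsec sa` once the supplier's side is up.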
