Basic VPN connection question

dan_track
Level 1

Hi

I need to set up a site-to-site IPsec VPN connection for the first time. I'm going to connect to one of our data feed suppliers, who have their internal IP range as 10.30.0.0/16. However, I already have this network set up on my end. I assume I have to use NAT here (not my best area). Can someone please point me to some configuration or how to begin this? I'm using a PIX-515 firewall.

Also, they've asked me for our external IP that we are going to use to begin the VPN connection from. Currently I have one IP that is being used as our source address after internal traffic has been NATted to it, i.e. 212.X.X.X. If I use this as the source address for the VPN connection, will it disrupt my normal traffic in any way? I.e. do I have to use a separate IP for the VPN and a separate one for NATting our internal IPs to go on the internet?

Thanks in advance

Dan

4 Replies

Collin Clark
VIP Alumni

Dan-

Here's a configuration example for NAT across a VPN tunnel. It is OK to use the same IP for VPN and internet traffic.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Hope this helps.

Told you I was a slow typist!!

PAYBACK! I type fast, but with all the mistakes I have to correct, it takes awhile.

Jon Marshall
Hall of Fame

Dan

In answer to your second question first: no, you do not have to use separate IPs for VPN and internet. Just make sure that you use the NATted IP address in your crypto map access-list and not the original IP addresses.

Your first question: yes, you need to use NAT. You need to

1) Choose an unused IP address or range to use for NAT for the remote servers, e.g. 192.168.5.0/24

2) Let's say you have 2 servers you need to connect to at the remote site:

10.30.0.10

10.30.0.11

static (outside,inside) 192.168.5.10 10.30.0.10 netmask 255.255.255.255

static (outside,inside) 192.168.5.11 10.30.0.11 netmask 255.255.255.255

When your clients want to connect to 10.30.0.10 they use the 192.168.5.10 address, and ditto for .11.

You need to make sure that when a client on your network tries to connect to a 192.168.5.x address it gets routed to the inside interface of your firewall.

Jon
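To show how Collin's point (one public address for both the internet PAT and the tunnel) and Jon's two steps (destination NAT for the overlapping remote hosts, crypto ACL written with post-NAT addresses) fit together, here is an added PIX 6.3-style configuration fragment. It is not from the thread or from the Cisco document linked above. 212.X.X.X and the two remote servers come from the posts; SUPPLIER_PEER_IP, ISP_GW, PLACEHOLDER_PSK, the inside interface address and the object names are placeholders or assumptions.

```cisco
! Added example (not from the thread or from Cisco's linked document): PIX 6.3-style
! configuration for the overlap described above. Placeholders/assumptions:
! SUPPLIER_PEER_IP (supplier's VPN gateway), ISP_GW (our default gateway),
! PLACEHOLDER_PSK, the inside address 10.30.1.1, and the ACL/map names.
! 212.X.X.X is the existing public address from the question.

! Interfaces: our own LAN is also in 10.30.0.0/16, which is the overlap.
ip address outside 212.X.X.X 255.255.255.248
ip address inside 10.30.1.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 ISP_GW 1

! Ordinary internet PAT, unchanged: everything inside leaves as 212.X.X.X.
! The same address is the tunnel source, so the supplier sees one peer.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 212.X.X.X

! Destination NAT for the overlapping remote hosts (Jon's step 2):
! inside clients talk to 192.168.5.10/.11; the PIX rewrites the destination
! to the real 10.30.0.10/.11 and forwards out the outside interface, so a
! local 10.30.0.10 (if one exists) is never confused with the remote one.
static (outside,inside) 192.168.5.10 10.30.0.10 netmask 255.255.255.255
static (outside,inside) 192.168.5.11 10.30.0.11 netmask 255.255.255.255

! Crypto ACL matches post-NAT addresses: our side is the PAT address 212.X.X.X,
! the remote side is the real server address, never 192.168.5.x and never
! our internal 10.30.x.x hosts (the point made in both replies above).
! The supplier's crypto ACL must be the mirror image: their 10.30.0.10/.11
! to our 212.X.X.X, otherwise phase 2 never negotiates.
access-list VPN-SUPPLIER permit ip host 212.X.X.X host 10.30.0.10
access-list VPN-SUPPLIER permit ip host 212.X.X.X host 10.30.0.11

! Phase 1 (IKE) and phase 2 (IPsec). AES-256/SHA shown; on PIX code that
! lacks AES, or if the peer insists, 3des/esp-3des is the fallback.
isakmp enable outside
isakmp key PLACEHOLDER_PSK address SUPPLIER_PEER_IP netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 ipsec-isakmp
crypto map OUTSIDE-MAP 10 match address VPN-SUPPLIER
crypto map OUTSIDE-MAP 10 set peer SUPPLIER_PEER_IP
crypto map OUTSIDE-MAP 10 set transform-set AES-SHA
crypto map OUTSIDE-MAP interface outside

! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

Two things to check once this is in place. First, Jon's last point: the 192.168.5.0/24 addresses only work if the clients' default gateway (or a static route on the internal router) sends that range to the PIX inside interface; if the LAN router has no route for it, the packets never reach the firewall. Second, confirm each stage separately: `show xlate` should show the 192.168.5.x to 10.30.0.x static entries, `show isakmp sa` should show the phase 1 SA with SUPPLIER_PEER_IP, and `show crypto ipsec sa` should show the VPN-SUPPLIER proxy identities with packet counters climbing when a client connects to 192.168.5.10. A whole block can be mapped with one static using a /24 netmask instead of one line per host, but the per-host form keeps the crypto ACL narrow, which is the smaller exposure on both sides.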
