06-11-2008 07:44 AM - edited 03-05-2019 11:33 PM
Hi
I need to set up a site-to-site IPsec VPN connection for the first time. I'm going to connect to one of our data feed suppliers, who have their internal IP range as 10.30.0.0/16. However, I already have this network set up on my end. I assume I have to use NAT here (not my best area). Can someone please point me to some configuration or how to begin this? I'm using a PIX-515 firewall.
Also they've asked me for our external IP that we are going to use to begin the VPN connection from. Currently I have one IP that is being used as our source address after internal traffic has been NATted to it, i.e. 212.X.X.X. If I use this as the source address for the VPN connection, will it disrupt my normal traffic in any way? i.e. do I have to use a separate IP for the VPN and a separate one for NATting our internal IPs to go out on the internet?
Thanks in advance
Dan
06-11-2008 07:52 AM
Dan-
Here's a configuration example for NAT across a VPN tunnel. It is OK to use the same IP for VPN and internet traffic.
Hope this helps.
06-11-2008 07:54 AM
Told you i was a slow typist !!
06-11-2008 07:57 AM
PAYBACK! I type fast, but with all the mistakes I have to correct, it takes awhile.
06-11-2008 07:53 AM
Dan
In answer to your second question first. No, you do not have to use separate IPs for the VPN and the internet. Just make sure that you use the NATted IP address in your crypto map access-list and not the original IP addresses.
Your first question. Yes, you need to use NAT. You need to
1) Choose an unused IP address range to use for NAT for the remote servers, e.g. 192.168.5.0/24
2) Let's say you have 2 servers you need to connect to at the remote site
10.30.0.10
10.30.0.11
static (outside,inside) 192.168.5.10 10.30.0.10 netmask 255.255.255.255
static (outside,inside) 192.168.5.11 10.30.0.11 netmask 255.255.255.255
When your clients want to connect to 10.30.0.10 they use the 192.168.5.10 address, and likewise 192.168.5.11 for .11.
You need to make sure that when a client on your network tries to connect to a 192.168.5.x address it gets routed to the inside interface of your firewall.
Jon
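The pieces Jon describes, put together as one PIX 6.x configuration fragment. This is an added example and is not from the thread or from Cisco; the addresses are assumptions: 212.0.2.1 stands in for Dan's outside/PAT address (212.X.X.X above), 203.0.113.1 for the supplier's VPN peer, and the ACL, crypto map, transform-set names and the IKE/IPsec proposal are placeholders you would agree with the supplier.

```text
! Added example (PIX 6.x syntax). All addresses and names are hypothetical.
! 212.0.2.1   = our outside interface / PAT address (212.X.X.X in the thread)
! 203.0.113.1 = supplier's VPN peer

! 1) Present the supplier's two servers to our inside as 192.168.5.x.
!    static (real_ifc,mapped_ifc) mapped_ip real_ip
static (outside,inside) 192.168.5.10 10.30.0.10 netmask 255.255.255.255
static (outside,inside) 192.168.5.11 10.30.0.11 netmask 255.255.255.255

! 2) Inside hosts keep leaving via the same PAT address used for normal
!    Internet traffic; the supplier sees connections from 212.0.2.1.
nat (inside) 1 10.30.0.0 255.255.0.0
global (outside) 1 212.0.2.1

! 3) Crypto ACL is written in post-NAT terms: our PAT address as source,
!    the supplier's real server addresses as destination (not 192.168.5.x,
!    not 10.30.0.0/16 as a whole, which would overlap our own LAN).
access-list VPN_TO_SUPPLIER permit ip host 212.0.2.1 host 10.30.0.10
access-list VPN_TO_SUPPLIER permit ip host 212.0.2.1 host 10.30.0.11

! 4) IKE phase 1 (proposal and key must match the supplier's side).
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key <pre-shared-key> address 203.0.113.1 netmask 255.255.255.255

! 5) IPsec phase 2 and the crypto map bound to the outside interface.
crypto ipsec transform-set SUPPLIER_TS esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_TO_SUPPLIER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set SUPPLIER_TS
crypto map OUTSIDE_MAP interface outside

! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

Flow for an inside client connecting to 192.168.5.10: the static untranslates the destination to 10.30.0.10 and sends it towards the outside interface, the `nat`/`global` pair rewrites the source to 212.0.2.1, and only then is the packet matched against VPN_TO_SUPPLIER, which is why the ACL names the PAT address rather than the 10.30.0.x client. Because the inside side is PAT, only connections initiated from Dan's network will work, which is what a data feed pull needs; the inside clients still need a route for 192.168.5.0/24 pointing at the PIX inside interface, as Jon notes.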