VPN site to site tunnel

Unanswered Question
Feb 3rd, 2006

We have a remote location with a PIX 515 and our HQ that has a PIX 525 that we would like to tie together with a VPN tunnel for certain applications. The issue is we have overlapping networks. Both locations use 10.x.x.x.

I have a VPN 3000 Concentrator that I could use rather than the PIX at HQ; its internal network is a 172.x.x.x and is routable on the internal network.

Can I create a tunnel between the PIX and the VPN and NAT the external PIX connections with the 172.x.x.x network? The remote network workstations are using 10.10.x.x, but I also have the 10.10.x.x network at HQ. How would the routing work on the VPN, or do I need to just route the 10.10.x.x over the tunnel, or by PATing the remote IPs do I just use the PATed addresses as the route back?

sachinraja Fri, 02/03/2006 - 09:12
User Badges:
  • Red, 2250 points or more

Hello,

In case of overlapping networks, you need to do NATing before encryption. Anyway, NAT takes preference over IPsec. You can either do a PAT or dynamic NAT before encrypting the traffic.

Check this config example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml#diag

Will the users from both ends access all the /24 IP addresses or just a server? In case the traffic is only to a server, just do a static NAT for the server and then encrypt the traffic. If not, do a PAT or dynamic NAT at the source and encrypt the traffic.

Hope this helps. All the best.

Raj

tmcls Mon, 02/06/2006 - 12:08

It helps, but the problem is this article looks to be for all traffic. What I need to do on the remote network is more like split tunneling. I need to NAT traffic slated for a particular service to go down the VPN tunnel and NAT to a particular IP pool, but I also need it to use the Internet NAT pool for all other applications. Likewise for the HQ office, because of overlapping networks.

So if I have a client in the remote office with an IP of 10.10.1.1 and they want to access a service that is on the VPN tunnel, they get NATed to a 172.x.x.x address. On the HQ end I would route anything for 172.x.x.x to the VPN so that the service at HQ would know how to get back to the remote office. Possible?

Did you figure out your problem? I have the same issue. Cisco VPN Concentrators handle this kind of situation with 4-5 clicks. I really miss the VPN Concentrator for its capability of letting you apply NAT or traffic policy per IPsec session. On PIX, IOS or ASA, all NAT seems to be global, not specific to an IPsec session.



martin_lx1980 Wed, 10/25/2006 - 05:39

I also have an issue with the same situation.

pix1:

access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
sysopt connection permit-ipsec
static (outside,inside) 10.2.2.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 10.1.1.0 192.168.1.0 netmask 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address nonat
crypto map vpnmap 10 set peer y.y.y.y
crypto map vpnmap 10 set transform-set vpnset
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

pix2:

access-list nonat permit ip 10.2.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside y.y.y.y 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
static (outside,inside) 10.1.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 10.2.2.0 192.168.1.0 netmask 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address nonat
crypto map vpnmap 10 set peer x.x.x.x
crypto map vpnmap 10 set transform-set vpnset
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

But the IPsec tunnel cannot be set up. The debug output shows me the error message "proxy identities not supported". The Cisco document told me that this message appears in debugs if the access list for IPsec traffic does not match.

What can I do next?

Thanks a lot


-cybermen Thu, 11/02/2006 - 02:27

I believe that the static translations on pix 2 are not needed. Try it. In translations like this the source and destinations will theoretically be OK, but these will be out-of-session packets.

When pix 1 translates an outbound packet, the packet will have source 10.1.1.x and destination 192.168.1.x; pix 2 gets that and sends it to the host. The host answers to destination 10.1.1.x from its source 192.168.1.x, and when pix 2 makes the translation on this packet, the packet will have destination 192.168.1.x and source 10.2.2.x, while pix 1 is waiting for a packet from source 192.168.1.0 to destination 10.1.1.0.
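Two things in this thread can be checked mechanically rather than by reading debugs: Raj's point that the PIX translates before it encrypts (so the crypto ACL has to describe the translated addresses), and the "proxy identities not supported" failure, which IKE phase 2 raises when the two crypto ACLs are not mirror images of each other. The Python script below is an added example, not code from the thread or from Cisco. It parses the two `access-list nonat` lines exactly as martin_lx1980 posted them and reports that they do not mirror each other, then walks a request and its reply through a design in which each PIX only translates its own inside LAN (192.168.1.0/24 shown as 10.1.1.0/24 behind pix1 and as 10.2.2.0/24 behind pix2) and the crypto ACLs are written against those mapped networks. That corrected ACL pair, the single `static (inside,outside)` per side, the host addresses and the net-to-net translation model are assumptions of this example; it does not model PAT or the `(outside,inside)` statics in the posted config.

```python
"""Mirror-image check for PIX site-to-site crypto ACLs, plus a NAT-then-encrypt
packet walk for two sites that both use 192.168.1.0/24.

Added example, not from the thread.  THREAD_ACL1/2 are the lines posted for
pix1/pix2; the FIXED_* lines, STATIC1/2 and the host addresses are constructed
assumptions following the usual static-NAT pattern for overlapping LANs."""
import ipaddress
import re

ACL_RE = re.compile(
    r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
STATIC_RE = re.compile(
    r"static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")

# Crypto ACLs exactly as posted in the thread (pix1, then pix2).
THREAD_ACL1 = "access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0"
THREAD_ACL2 = "access-list nonat permit ip 10.2.2.0 255.255.255.0 192.168.1.0 255.255.255.0"
# Assumed corrected pair: written against the mapped networks, mirror images of each other.
FIXED_ACL1 = "access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"
FIXED_ACL2 = "access-list nonat permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0"
# Assumed statics: each PIX presents its own inside LAN as a unique network on the outside.
STATIC1 = "static (inside,outside) 10.1.1.0 192.168.1.0 netmask 255.255.255.0 0 0"
STATIC2 = "static (inside,outside) 10.2.2.0 192.168.1.0 netmask 255.255.255.0 0 0"


def parse_acl(line):
    """Return (src_net, dst_net) from a PIX 'access-list ... permit ip' line."""
    m = ACL_RE.search(line.strip())
    if not m:
        raise ValueError("not a 'permit ip' ACL line: " + line)
    src, smask, dst, dmask = m.groups()
    return (ipaddress.ip_network(f"{src}/{smask}"),
            ipaddress.ip_network(f"{dst}/{dmask}"))


def proxy_ids_match(acl_a, acl_b):
    """IKE phase 2 accepts the SA only if B's (src, dst) equals A's (dst, src)."""
    return acl_a[0] == acl_b[1] and acl_a[1] == acl_b[0]


def parse_static(line):
    """PIX 6.x syntax: static (real_if,mapped_if) mapped_net real_net netmask M."""
    m = STATIC_RE.search(line.strip())
    if not m:
        raise ValueError("not a static translation line: " + line)
    real_if, mapped_if, mapped, real, mask = m.groups()
    return (real_if, mapped_if,
            ipaddress.ip_network(f"{real}/{mask}"),
            ipaddress.ip_network(f"{mapped}/{mask}"))


def _shift(addr, src_net, dst_net):
    """Keep the host offset when moving an address between two equal-size networks."""
    return dst_net.network_address + (int(addr) - int(src_net.network_address))


def outbound(static, src, dst):
    """Apply one (inside,outside) static to a packet leaving via the outside interface."""
    real_if, mapped_if, real, mapped = static
    assert (real_if, mapped_if) == ("inside", "outside"), "example models inside->outside statics only"
    new_src = _shift(src, real, mapped) if src in real else src
    return new_src, dst


def inbound(static, src, dst):
    """Un-translate the destination of a packet arriving from the outside."""
    _real_if, _mapped_if, real, mapped = static
    new_dst = _shift(dst, mapped, real) if dst in mapped else dst
    return src, new_dst


def walk(static1, acl1, static2, acl2, host1, remote_as_seen_by_host1):
    """Trace request and reply; report the on-wire addresses and whether each crypto ACL matches."""
    h1 = ipaddress.ip_address(host1)
    target = ipaddress.ip_address(remote_as_seen_by_host1)
    # Site 1 host -> pix1: source NAT first, then the crypto ACL is evaluated.
    wire_src, wire_dst = outbound(static1, h1, target)
    fwd_ok = wire_src in acl1[0] and wire_dst in acl1[1]
    # pix2 un-NATs the destination and delivers to the real inside host.
    _, real_dst = inbound(static2, wire_src, wire_dst)
    # The reply goes to the mapped remote address; pix2 source-NATs it before encrypting.
    r_src, r_dst = outbound(static2, real_dst, wire_src)
    rev_ok = r_src in acl2[0] and r_dst in acl2[1]
    return {"wire": (str(wire_src), str(wire_dst)),
            "reply_wire": (str(r_src), str(r_dst)),
            "pix1_acl_match": fwd_ok, "pix2_acl_match": rev_ok}


if __name__ == "__main__":
    posted = (parse_acl(THREAD_ACL1), parse_acl(THREAD_ACL2))
    fixed = (parse_acl(FIXED_ACL1), parse_acl(FIXED_ACL2))
    print("posted ACLs mirror each other:", proxy_ids_match(*posted))
    print("fixed ACLs mirror each other: ", proxy_ids_match(*fixed))
    print(walk(parse_static(STATIC1), fixed[0], parse_static(STATIC2), fixed[1],
               "192.168.1.10", "10.2.2.20"))
```

With the posted pair the script reports `False`: pix1 proposes 10.1.1.0/24 to 192.168.1.0/24, so pix2 would have to carry 192.168.1.0/24 to 10.1.1.0/24, which it does not. With the assumed pair the request leaves pix1 as 10.1.1.10 to 10.2.2.20 and the reply leaves pix2 as 10.2.2.20 to 10.1.1.10, so both crypto ACLs match and each side's selector is the other's mirror.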
