02-03-2006 08:15 AM
We have a remote location with a PIX 515 and our HQ that has a PIX 525 that we would like to tie together with a VPN tunnel for certain applications. The issue is we have overlapping networks. Both locations use 10.x.x.x.
I have a VPN 3000 Concentrator that I could use rather than the PIX at HQ, whose internal network is a 172.x.x.x and is routable on the internal network.
Can I create a tunnel between the PIX and the VPN and NAT the external PIX connections with the 172.x.x.x network? The remote network workstations are using a 10.10.x.x, but I also have the 10.10.x.x network at HQ. How would the routing work on the VPN? Do I need to just route the 10.10.x.x over the tunnel, or by PATing the remote IPs do I just use the PATed addresses as the route back?
02-03-2006 09:12 AM
Hello,
In case of overlapping networks, you need to do NATing before encryption. Anyway, NAT takes preference over IPsec. You can either do a PAT or dynamic NAT before encrypting the traffic.
Check this config example:
Will the users from both ends access all the /24 IP addresses or just a server? In case the traffic is only to a server, just do a static NAT for the server and then encrypt the traffic. If not, do a PAT or dynamic NAT at the source and encrypt the traffic.
hope this helps.. all the best...
Raj
02-06-2006 12:08 PM
It helps, but the problem is this article looks to be for all traffic. What I need to do on the remote network is more like split tunneling. I need to NAT traffic slated for a particular service to go down the VPN tunnel and NAT to a particular IP pool. But I also need it to use the Internet NAT pool for all other applications. Likewise for the HQ office, because of the overlapping networks.
So if I have a client in the remote office with an IP of 10.10.1.1:
They want to access a service that is on the VPN tunnel, so they get NATed to a 172.x.x.x address. On the HQ end I would route anything for 172.x.x.x to the VPN so that the service at HQ would know how to get back to the remote office. Possible?
10-24-2006 11:16 AM
Did you figure out your problem? I have the same issue. Cisco VPN concentrators handle this kind of situation with 4-5 clicks. I really miss the VPN Concentrator for its capability of letting you apply NAT or a traffic policy per IPsec session. On PIX, IOS or ASA, all NAT seems to be global, not specific to an IPsec session.
10-25-2006 05:39 AM
I also have an issue with the same situation.
pix1:
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
sysopt connection permit-ipsec
static (outside,inside) 10.2.2.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 10.1.1.0 192.168.1.0 netmask 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address nonat
crypto map vpnmap 10 set peer y.y.y.y
crypto map vpnmap 10 set transform-set vpnset
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
pix2:
access-list nonat permit ip 10.2.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside y.y.y.y 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
static (outside,inside) 10.1.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 10.2.2.0 192.168.1.0 netmask 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address nonat
crypto map vpnmap 10 set peer x.x.x.x
crypto map vpnmap 10 set transform-set vpnset
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
But the IPsec tunnel cannot be set up. Debug information shows me the error message "proxy identities not supported". The Cisco document told me that this message appears in debugs if the access list for IPsec traffic does not match.
What can I do next?
Thanks a lot
11-02-2006 02:27 AM
I believe that the static translations on pix 2 are not needed. Try it. In translations like this the source and destinations will be theoretically OK, but these will be out-of-session packets.
When pix 1 translates the outbound packet, the packet will have source 10.1.1.x and destination 192.168.1.x; pix 2 gets that and sends it to the host. The host answers to destination 10.1.1.x from its source 192.168.1.x, and when pix 2 makes the translation on this packet, the packet will have destination 192.168.1.x and source 10.2.2.x, while pix 1 is waiting on a packet from source 192.168.1.0 to destination 10.1.1.0.
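The following is an added example, not code from the thread or from Cisco. It models, in Python, the two points made above: Raj's note that NAT is applied before the crypto ACL is evaluated, and the "proxy identities not supported" failure from the two configs posted on 10-25-2006. Both sites use 192.168.1.0/24 inside (as in the posted configs); site 1 is presented to the peer as 10.1.1.0/24 and site 2 as 10.2.2.0/24. The host addresses, the `Pix` class, and the "fixed" configuration (both crypto ACLs written entirely in translated addresses, so they mirror each other and the `static (outside,inside)` entries are not needed) are assumptions of this example, not something the posters confirmed.

```python
from ipaddress import ip_address, ip_network

# Added example; all addresses below are constructed to mirror the posted configs.

def translate(addr, from_net, to_net):
    """Keep the host offset, swap the network prefix: what a PIX
    'static ... netmask 255.255.255.0' does for a whole /24."""
    offset = int(ip_address(addr)) - int(from_net.network_address)
    return str(ip_address(int(to_net.network_address) + offset))

class Pix:
    """Minimal model of one PIX: one static (inside,outside) translation for
    its own LAN, an optional static (outside,inside) alias for the peer's
    real network, and a crypto ACL of (local, remote) networks."""
    def __init__(self, name, inside_real, inside_global, crypto_acl,
                 peer_real=None, peer_alias=None):
        self.name = name
        self.inside_real = ip_network(inside_real)      # real LAN behind this PIX
        self.inside_global = ip_network(inside_global)  # how the peer sees that LAN
        self.peer_real = ip_network(peer_real) if peer_real else None
        self.peer_alias = ip_network(peer_alias) if peer_alias else None
        self.crypto_acl = [(ip_network(s), ip_network(d)) for s, d in crypto_acl]

    def outbound(self, src, dst):
        """NAT is applied first; only then is the crypto ACL evaluated."""
        if ip_address(src) in self.inside_real:
            src = translate(src, self.inside_real, self.inside_global)
        if self.peer_alias and ip_address(dst) in self.peer_alias:
            dst = translate(dst, self.peer_alias, self.peer_real)
        encrypt = any(ip_address(src) in s and ip_address(dst) in d
                      for s, d in self.crypto_acl)
        return src, dst, encrypt

    def inbound(self, src, dst):
        """After decryption, the global destination maps back to the real host."""
        if ip_address(dst) in self.inside_global:
            dst = translate(dst, self.inside_global, self.inside_real)
        if self.peer_real and ip_address(src) in self.peer_real:
            src = translate(src, self.peer_real, self.peer_alias)
        return src, dst

def proxy_identities_mirror(a, b):
    """Phase 2 completes only if every (local, remote) pair in one crypto ACL
    appears as (remote, local) in the peer's ACL; otherwise the PIX debug
    reports 'proxy identities not supported'."""
    mirrored = {(d, s) for s, d in b.crypto_acl}
    return all((s, d) in mirrored for s, d in a.crypto_acl)

def round_trip(a, b, src, dst):
    """Send src->dst from site a to site b; return the address the reply is
    finally delivered to at site a, or None if the tunnel cannot carry it."""
    if not proxy_identities_mirror(a, b):
        return None
    s1, d1, enc = a.outbound(src, dst)
    if not enc:
        return None
    s2, d2 = b.inbound(s1, d1)          # real host at site b sees (s2 -> d2)
    r_s, r_d, enc = b.outbound(d2, s2)  # and replies to the source it saw
    if not enc:
        return None
    _, delivered = a.inbound(r_s, r_d)
    return delivered

# Configuration as posted: each crypto ACL matches translated-local -> REAL-remote,
# so the two proxy identities are not mirrors of each other.
posted_pix1 = Pix("pix1", "192.168.1.0/24", "10.1.1.0/24",
                  [("10.1.1.0/24", "192.168.1.0/24")],
                  peer_real="192.168.1.0/24", peer_alias="10.2.2.0/24")
posted_pix2 = Pix("pix2", "192.168.1.0/24", "10.2.2.0/24",
                  [("10.2.2.0/24", "192.168.1.0/24")],
                  peer_real="192.168.1.0/24", peer_alias="10.1.1.0/24")

# Assumed corrected design: only translated addresses ever cross the tunnel,
# so the ACLs mirror and no static (outside,inside) alias is needed.
fixed_pix1 = Pix("pix1", "192.168.1.0/24", "10.1.1.0/24",
                 [("10.1.1.0/24", "10.2.2.0/24")])
fixed_pix2 = Pix("pix2", "192.168.1.0/24", "10.2.2.0/24",
                 [("10.2.2.0/24", "10.1.1.0/24")])

if __name__ == "__main__":
    print(posted_pix1.outbound("192.168.1.10", "10.2.2.20"))       # matches the ACL...
    print(proxy_identities_mirror(posted_pix1, posted_pix2))        # ...but False: no mirror
    print(round_trip(fixed_pix1, fixed_pix2, "192.168.1.10", "10.2.2.20"))  # 192.168.1.10
```

Running it shows why the posted configs produce the debug message: the outbound packet on pix1 does match its crypto ACL after translation, but the (local, remote) pair pix1 proposes has no mirror on pix2, so Phase 2 never completes. With both ACLs written in the translated 10.1.1.0/24 and 10.2.2.0/24 networks, the round trip returns to the real host that started it.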