05-24-2007 12:25 AM - edited 03-11-2019 03:19 AM
Dear All,
I need to setup the vpn tunnel between 2 sites.One site has the concentrator another site has the pix 515E.The site engineer from the concentrator side given the below details to configure the pix in my site.
Concentrator site Tunel ip : 168.x.x10
Phase-1 Setting
Phase 2 settings
Key id
I prefered the both crypto map and isakmp policy then applied it to the firewall and tested found that no tunnel establishment.
They mainly accessing our server with 192.168.100.9.
They want me to translate this ip then do the vpn tunnel config. I confused and come to netpro to get your help.
Please tell me how can i do the tunnel with one site (remote) legal ip address subnet (168.x.x.0/24) and my site rfc 1819 address (192.168.100.0/24)with the ip address 192.168.100.9 to be translated first before the ip sec config.
Now i have to solve the problem asas.
Please help me.
swami
05-24-2007 03:04 AM
Here is basic example on LAN-to-LAN vpn between PIX and vpn concentrator.
Jorge
05-25-2007 03:09 AM
Dear,
In real config, the remote admin ask me not to do the anting. So i translated the local server 192.168.100.9 to the loval legal ip given by ISP then the legal ip i made the crypo acl.Now i need to proceed further to finish the config.
thanks
swami
05-24-2007 07:39 AM
Your crypto access-list needs to specify the NAT'ed IP address(es) going to the remote site 168.x.x.0/24 network. You're going to need to NAT the appropriate traffic using policy NAT - nat (inside) 1 access-list NAT-TO-VPN3000.
access-list NAT-TO-VPN3000 permit ip host 192.168.100.9 168.x.x.0 255.255.x.x
Basically, you want to NAT prior to encrypting your VPN traffic. Your crypto ACL must be an exactly mirror of the remote side
05-25-2007 03:02 AM
Dear,
Thanks.
Here the remote engr asked me not to do the nat.
so i did the static (inside,outside) 193.188.x.13 192.168.0.9 netmask 255.255.255.255
then in crypto acl
access-list ul_vpn permit host 193.188.x.13 168.x.x.0 255.255.255.0
crypto map vpn 140 address ul_vpn
I left is ur solu of policy nat.
tell me if i do the nat (inside)1 acl then it would use global outside of pix outside address.please explain bit more.
Really it is helpful to me.
please i need to know bit more
swami
05-25-2007 08:07 AM
I'm confused about what the vpn requirements are. If the remote engineer doesn't want you to NAT the 192.168.0.9 host then you create an ACL and NAT statement like the ones below.
access-list NO-NAT-ACL permit ip host 192.168.0.9 168.x.x.0 255.255.255.0
nat (inside) 0 access-list NO-NAT-ACL
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: