Community Member

pix and cisco concentrator vpn problem

Dear All,

I need to set up a VPN tunnel between 2 sites. One site has the concentrator, the other site has the PIX 515E. The site engineer from the concentrator side gave me the details below to configure the PIX at my site.

Concentrator site tunnel IP: 168.x.x.10

Phase-1 Setting

Phase 2 settings

Key id

I prepared both the crypto map and the ISAKMP policy, then applied them to the firewall and tested, and found that no tunnel was established.

They are mainly accessing our server at 192.168.100.9.

They want me to translate this IP and then do the VPN tunnel config. I am confused and have come to NetPro to get your help.

Please tell me how I can do the tunnel with the one site's (remote) legal IP address subnet (168.x.x.0/24) and my site's rfc 1819 address (192.168.100.0/24), with the IP address 192.168.100.9 to be translated first before the IPsec config.

Now I have to solve the problem asap.

Please help me.

swami

5 REPLIES

Re: pix and cisco concentrator vpn problem

Here is a basic example of a LAN-to-LAN VPN between a PIX and a VPN concentrator.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

Jorge

Community Member

Re: pix and cisco concentrator vpn problem

Dear,

In the real config, the remote admin asked me not to do the NATing. So I translated the local server 192.168.100.9 to the local legal IP given by the ISP, and then made the crypto ACL with the legal IP. Now I need to proceed further to finish the config.

thanks

swami

Community Member

Re: pix and cisco concentrator vpn problem

Your crypto access-list needs to specify the NAT'ed IP address(es) going to the remote site 168.x.x.0/24 network. You're going to need to NAT the appropriate traffic using policy NAT - nat (inside) 1 access-list NAT-TO-VPN3000.

access-list NAT-TO-VPN3000 permit ip host 192.168.100.9 168.x.x.0 255.255.x.x

Basically, you want to NAT prior to encrypting your VPN traffic. Your crypto ACL must be an exact mirror of the remote side's.

Community Member

Re: pix and cisco concentrator vpn problem

Dear,

Thanks.

Here the remote engineer asked me not to do the NAT.

So I did the static (inside,outside) 193.188.x.13 192.168.0.9 netmask 255.255.255.255

then in the crypto ACL:

access-list ul_vpn permit ip host 193.188.x.13 168.x.x.0 255.255.255.0

crypto map vpn 140 match address ul_vpn

I left your solution of policy NAT.

Tell me, if I do the nat (inside) 1 ACL, would it then use the global (outside) of the PIX outside address? Please explain a bit more.

Really it is helpful to me.

Please, I need to know a bit more.

swami

Community Member

Re: pix and cisco concentrator vpn problem

I'm confused about what the VPN requirements are. If the remote engineer doesn't want you to NAT the 192.168.0.9 host, then you create an ACL and NAT statement like the ones below.

access-list NO-NAT-ACL permit ip host 192.168.0.9 168.x.x.0 255.255.255.0

nat (inside) 0 access-list NO-NAT-ACL
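For readers following the thread, here is an added worked example (not posted by any participant, and not taken from the Cisco document Jorge linked) of a complete PIX 6.3-style LAN-to-LAN configuration that puts the NAT-exemption answer and the earlier policy-NAT/static-NAT answer side by side. It assumes the OP's host 192.168.100.9, the remote network 168.x.x.0/24 and the concentrator peer 168.x.x.10 from the thread; the pre-shared key, the 3DES/SHA/group 2 proposal values and the ACL and transform-set names are placeholders, since the thread never shows the Phase 1 and Phase 2 values the remote engineer supplied. Lines starting with ! are explanatory comments.

```text
! --- Option A: NAT exemption (what the last reply recommends) ---
! Traffic from the inside host to the remote VPN network bypasses NAT,
! so the crypto ACL is written with the real private address.
access-list NO-NAT-ACL permit ip host 192.168.100.9 168.x.x.0 255.255.255.0
nat (inside) 0 access-list NO-NAT-ACL

! All other inside traffic still PATs to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Crypto ACL: must be the exact mirror of the network list configured
! on the concentrator (local 192.168.100.9 <-> remote 168.x.x.0/24).
access-list ul_vpn permit ip host 192.168.100.9 168.x.x.0 255.255.255.0

! --- Phase 1 (ISAKMP) - values are placeholders, match the concentrator ---
isakmp enable outside
isakmp identity address
isakmp key PRESHAREDKEY-PLACEHOLDER address 168.x.x.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- Phase 2 (IPsec) ---
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpn 140 ipsec-isakmp
crypto map vpn 140 match address ul_vpn
crypto map vpn 140 set peer 168.x.x.10
crypto map vpn 140 set transform-set ESP-3DES-SHA
crypto map vpn interface outside

! Let decrypted IPsec traffic skip the interface ACL check.
sysopt connection permit-ipsec

! --- Option B: present the host as a public address (what the OP did) ---
! Use INSTEAD of the nat 0 entry above for this host, never both.  The
! crypto ACL, and the concentrator's mirror of it, must then name the
! translated address, because translation happens before encryption.
! static (inside,outside) 193.188.x.13 192.168.100.9 netmask 255.255.255.255
! access-list ul_vpn permit ip host 193.188.x.13 168.x.x.0 255.255.255.0
```

The design point the thread circles around is ordering: on the PIX, NAT is applied before the crypto map is consulted, so whichever address leaves the NAT stage is the one the crypto ACL must match and the one the remote side must list as the peer network. With Option A the remote sees 192.168.100.9; with Option B it sees 193.188.x.13. Mixing the two (for example leaving a static for the host while the remote expects the private address) is the usual reason the tunnel never comes up, and `show crypto isakmp sa` and `show crypto ipsec sa` will show either no SA or an SA with zero encrypted packets.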
