Cisco Support Community

New Member

[Pix] VPN Site To Site with Nat

Hi all,

Can someone help me please?

An inside server (192.168.92.6) needs to access a remote network, 192.168.31.0.

A site-to-site VPN is established between the PIX outside interface (192.168.111.6) and a Multitech firewall (192.168.111.200).

Now my inside server should connect to the remote network with the IP 172.20.20.6. So I have to NAT my inside server's IP (192.168.92.6) to 172.20.20.6.

The remote network should connect to the inside network via 172.20.20.6.

My problem is that I can establish a connection to my inside network from the remote network, but I cannot establish a (TCP) connection from my inside network to the remote network.

The weird thing is that the two networks can ping each other.

This is my config:

access-list Outside_1_cryptomap extended permit ip 172.20.20.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list Inside_nat_static extended permit ip host 192.168.92.6 192.168.31.0 255.255.255.0
static (Inside,Outside) Ip_172.20.20.6 access-list Inside_nat_static dns
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 192.168.111.200
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
service-policy global_policy global
tunnel-group 192.168.111.200 type ipsec-l2l
tunnel-group 192.168.111.200 ipsec-attributes
 pre-shared-key *

Thanks for your answers

1 REPLY
New Member

Re: [Pix] VPN Site To Site with Nat

ACL Outside_1_cryptomap defines a class C network for 172.20.20.0/24. In your description you talk about just one server (172.20.20.6). Do you have other hosts in the 172.20.20.0/24 network that need to traverse the VPN? Should ACL Outside_1_cryptomap be permit ip host 172.20.20.6 192.168.31.0 255.255.255.0?

Keep in mind that VPNs need to match both sides. Is the Multitech defining a single host or a class C network?

Rick
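The mismatch Rick points out (the crypto ACL proposes 172.20.20.0/24 while the policy-NAT static only ever produces 172.20.20.6) can be checked mechanically. The script below is an added example, not code from the original post or from Cisco; it parses a constructed copy of the three relevant lines and assumes the name Ip_172.20.20.6 resolves to 172.20.20.6.

```python
"""Consistency check between a PIX policy-NAT static and a crypto-map ACL."""
import ipaddress
import re

# Constructed copy of the poster's three relevant lines; the name
# Ip_172.20.20.6 from the post is assumed to resolve to 172.20.20.6.
CONFIG = """
access-list Outside_1_cryptomap extended permit ip 172.20.20.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list Inside_nat_static extended permit ip host 192.168.92.6 192.168.31.0 255.255.255.0
static (Inside,Outside) 172.20.20.6 access-list Inside_nat_static dns
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (.+)")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) access-list (\S+)")

def _addr(tokens):
    """Consume one ACL address spec: 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    """Return ({acl_name: [(src, dst), ...]}, [(global_addr, nat_acl), ...])."""
    acls, statics = {}, []
    for line in text.strip().splitlines():
        if m := ACL_RE.match(line):
            src, rest = _addr(m.group(2).split())
            dst, _ = _addr(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := STATIC_RE.match(line):
            statics.append((ipaddress.ip_network(m.group(3)), m.group(4)))
    return acls, statics

def check_crypto_nat(acls, statics, crypto_acl):
    """List entries of crypto_acl whose local side is wider than the NAT'd addresses."""
    translated = [g for g, _ in statics]
    findings = []
    for src, dst in acls.get(crypto_acl, []):
        covered = [g for g in translated if g.subnet_of(src)]
        if not covered:
            findings.append(f"{crypto_acl}: {src} -> {dst} matches no translated address")
        elif any(g != src for g in covered):
            findings.append(f"{crypto_acl}: proposes {src} -> {dst} but NAT only yields "
                            f"{', '.join(map(str, covered))}; the peer must mirror the same entry")
    return findings

if __name__ == "__main__":
    for finding in check_crypto_nat(*parse_config(CONFIG), "Outside_1_cryptomap"):
        print(finding)
```

Narrowing the crypto ACL to host 172.20.20.6, as suggested in the reply, makes the check return no findings; the same host entry must then appear mirrored on the Multitech side.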
