Cisco Support Community
Site to Site IPSec, PIX Version 6.3(5)

Hi,

My local subnets are 192.168.1.0/24 & 192.168.3.0/24. The remote end also has the same subnets.

We need to do Site to Site VPN with these detail:
My Public ip is 194.a.b.193 and Remote end peer IP is 100.a.b.19
Remote end natted IP is (100.a.c.198)

Query:

1. Is NAT allowed through IPsec?
2. Do I need GRE in this scenario?

3. What will be the interesting traffic access list on end A?

4. Any sample config guide/URL for such a scenario?

ip access-l Local permit host 100.a.c.198 host 194.a.b.193 ? or something else

Please guide me with some brief notes.

Thanks & regards

Amar

3 REPLIES

Re: Site to Site IPSec, PIX Version 6.3(5)

Hi Amar,

1. NAT is allowed through IPsec (and necessary when you have overlapping issues)

NAT occurs prior to encapsulation, therefore the traffic sent through the tunnel is already translated.

2. You don't need GRE for NAT.

GRE is needed to allow communication of non-IP traffic or non-unicast traffic.

If the requirement is to NAT the interesting traffic, there's no need for GRE (PIXes won't support GRE anyway)

3. The interesting traffic (if using NAT) will be the translated subnets.

If you translate site A to X and site B to Y, the interesting traffic will be between X and Y.

4. Not having a sample handy, let us know if you have any questions.

Federico.

Re: Site to Site IPSec, PIX Version 6.3(5)

Please correct me if I am wrong; what I understood is:

1. I need to set the peer as their public IPs.
2. Then we can NAT the interesting traffic with one public IP on both ends.
3. And set a route with the destination as the remote public IPs.
4. The interesting ACL should be: access-list ipsec permit mask mask
=====================================================================================
Lets consider:
==============
Local lan subnet: 10.1.1.0/24
Local Public peer ip: 24.2.2.2
NATTed ip for LAN(10.1.1.0):24.2.2.3

Remote lan subnet: 10.1.1.0/24
Remote peer ip: 30.2.2.2
NATTed ip for LAN(10.1.1.0):30.2.2.3

then configuration should be like:
========================
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp key cisco address 30.2.2.2 netmask 255.255.255.255
crypto ipsec transform-set strong esp-3des esp-sha-hmac

access-list nattraffic permit ip 10.1.1.0 255.255.255.0 host 30.2.2.3
nat (inside) 1 access-list nattraffic
global (outside) 1 24.2.2.3

access-list ipsectraffic permit ip host 24.2.2.3 host 30.2.2.3

crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address ipsectraffic
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 30.2.2.2
crypto map toSanJose interface outside
sysopt connection permit-ipsec

Re: Site to Site IPSec, PIX Version 6.3(5)

Hi Amar,

Your understanding is correct for the most part, but I will add an example for the policy NAT:

Site A:

Local LAN = 192.168.1.0/24

NAT to = 10.1.1.0/24

Site B:

Local LAN = 192.168.1.0/24

NAT to = 10.2.2.0/24

Configuration for Site A:

access-list NAT permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0

static (inside,outside) 10.1.1.0 access-list NAT

access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

Configuration for Site B:

access-list NAT permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

static (inside,outside) 10.2.2.0 access-list NAT

access-list crypto permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

In this way, traffic will flow between both sites from 10.1.1.0/24 to 10.2.2.0/24 and vice versa.

The "crypto" ACL is the interesting traffic.

Federico.
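As an added illustration (not part of the thread and not PIX code): a small Python model of the order of operations Federico describes, policy NAT applied first and the crypto ACL then checked against the translated packet, using the Site A / Site B addresses from his reply. The class and function names (Ace, PolicyStatic, outbound, inbound) are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model of the PIX order of operations described in the thread:
# a packet leaving "inside" is first matched against the policy-NAT ACL and
# translated, and only the translated packet is compared with the crypto
# ("interesting traffic") ACL.  Class and function names are this example's own.


@dataclass(frozen=True)
class Ace:
    """One permit entry: source network -> destination network."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


def acl(*entries: Tuple[str, str]) -> List[Ace]:
    """Build an ACL from (source, destination) CIDR pairs."""
    return [Ace(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in entries]


def acl_permits(entries: List[Ace], src_ip: str, dst_ip: str) -> bool:
    return any(e.matches(src_ip, dst_ip) for e in entries)


@dataclass
class PolicyStatic:
    """static (inside,outside) <mapped> access-list <acl>: a one-to-one
    translation of the real network into the mapped network, applied only to
    traffic the NAT ACL permits."""
    real: ipaddress.IPv4Network
    mapped: ipaddress.IPv4Network
    nat_acl: List[Ace]

    def translate_source(self, src_ip: str, dst_ip: str) -> str:
        if not acl_permits(self.nat_acl, src_ip, dst_ip):
            return src_ip  # not policy-NAT traffic: source left untouched
        offset = int(ipaddress.ip_address(src_ip)) - int(self.real.network_address)
        return str(ipaddress.ip_address(int(self.mapped.network_address) + offset))

    def untranslate_destination(self, dst_ip: str) -> str:
        """Reverse mapping for a decrypted packet arriving on outside."""
        if ipaddress.ip_address(dst_ip) not in self.mapped:
            return dst_ip
        offset = int(ipaddress.ip_address(dst_ip)) - int(self.mapped.network_address)
        return str(ipaddress.ip_address(int(self.real.network_address) + offset))


def outbound(static: PolicyStatic, crypto_acl: List[Ace],
             src_ip: str, dst_ip: str) -> Tuple[str, bool]:
    """NAT first, then crypto-ACL match on the translated packet.
    Returns (source address on the wire, whether the packet enters the tunnel)."""
    xlated = static.translate_source(src_ip, dst_ip)
    return xlated, acl_permits(crypto_acl, xlated, dst_ip)


def inbound(static: PolicyStatic, dst_ip: str) -> str:
    """Destination seen by the inside host after decryption and un-translation."""
    return static.untranslate_destination(dst_ip)


# Site A and Site B exactly as in the reply above (both LANs are 192.168.1.0/24).
SITE_A_STATIC = PolicyStatic(
    real=ipaddress.ip_network("192.168.1.0/24"),
    mapped=ipaddress.ip_network("10.1.1.0/24"),
    nat_acl=acl(("192.168.1.0/24", "10.2.2.0/24")),
)
SITE_A_CRYPTO = acl(("10.1.1.0/24", "10.2.2.0/24"))          # translated subnets
SITE_A_CRYPTO_WRONG = acl(("192.168.1.0/24", "10.2.2.0/24"))  # real subnet: never matches

SITE_B_STATIC = PolicyStatic(
    real=ipaddress.ip_network("192.168.1.0/24"),
    mapped=ipaddress.ip_network("10.2.2.0/24"),
    nat_acl=acl(("192.168.1.0/24", "10.1.1.0/24")),
)

if __name__ == "__main__":
    # Host .25 at Site A talks to host .7 at Site B, addressed by its mapped IP.
    wire_src, encrypted = outbound(SITE_A_STATIC, SITE_A_CRYPTO, "192.168.1.25", "10.2.2.7")
    print(f"Site A out: src {wire_src}, matched crypto ACL: {encrypted}")
    print("Site B delivers to", inbound(SITE_B_STATIC, "10.2.2.7"))
    _, enc_wrong = outbound(SITE_A_STATIC, SITE_A_CRYPTO_WRONG, "192.168.1.25", "10.2.2.7")
    print("With crypto ACL on real addresses, encrypted:", enc_wrong)
```

Running it shows the two points of the reply: the packet reaches the crypto map with source 10.1.1.25, so a crypto ACL written in terms of 10.1.1.0/24 matches while one written in terms of 192.168.1.0/24 never does (the tunnel would simply never be triggered for that traffic), and on the far side 10.2.2.7 is un-translated back to 192.168.1.7, which is how both sites keep their overlapping 192.168.1.0/24 LAN.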
