Cisco Support Community
New Member

Basic VPN connection question

Hi

I need to set a site-to-site IPSEC VPN connection for the first time. I'm going to connect to one of our data feed suppliers, who have their internal IP as 10.30.0.0/16. However I already have this network set up on my end. I assume I have to use NAT here (not my best area). Can someone please point me to some configuration or how to begin this? I'm using a PIX-515 firewall.

Also they've asked me for our external IP that we are going to use to begin the VPN connection from. Currently I have one IP that is being used as our source address after internal traffic has been natted to it, i.e. 212.X.X.X. If I use this as the source address for the VPN connection will it disrupt my normal traffic in any way? i.e. do I have to use a separate IP for VPN and a separate one for natting our internal IPs to go on the internet?

Thanks in advance

Dan

4 REPLIES

Re: Basic VPN connection question

Dan-

Here's a configuration example for NAT across a VPN tunnel. It is OK to use the same IP for VPN and internet traffic.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Hope this helps.

Hall of Fame Super Blue

Re: Basic VPN connection question

Told you I was a slow typist !!

Re: Basic VPN connection question

PAYBACK! I type fast, but with all the mistakes I have to correct, it takes a while.

Hall of Fame Super Blue

Re: Basic VPN connection question

Dan

In answer to your second question first. No, you do not have to use separate IPs for VPN and internet. Just make sure that you use the Natted IP address in your crypto map access-list and not the original IP addresses.

Your first question. Yes you need to use NAT. You need to

1) Choose an unused IP address(es) to use for NAT for the remote servers e.g. 192.168.5.0/24

2) Let's say you have 2 servers you need to connect to at the remote site

10.30.0.10

10.30.0.11

static (outside,inside) 192.168.5.10 10.30.0.10 netmask 255.255.255.255

static (outside,inside) 192.168.5.11 10.30.0.11 netmask 255.255.255.255

When your clients want to connect to 10.30.0.10 then they use the 192.168.5.10 address and ditto for .11

You need to make sure that when a client on your network tries to connect to a 192.168.5.x address it gets routed to the inside interface of your firewall.

Jon
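
Added example (not part of any post in this thread): a small Python planner for the outside-NAT steps in the reply above. It confirms the supplier range really collides with a local network, checks that the chosen NAT range is unused, and emits one static line per remote server in the syntax shown in the reply. The function name and the 172.16.1.0/24 local network are assumptions made for illustration.

```python
import ipaddress


def plan_outside_nat(local_nets, remote_net, nat_pool, remote_hosts):
    """Return PIX 'static (outside,inside)' lines, one per remote host.

    Hypothetical helper written for this example.
    """
    local = [ipaddress.ip_network(n) for n in local_nets]
    remote = ipaddress.ip_network(remote_net)
    pool = ipaddress.ip_network(nat_pool)

    # Outside NAT is only needed when the remote range overlaps a local one.
    if not any(remote.overlaps(n) for n in local):
        return []

    # The NAT range must be unused: clear of local nets and the remote range.
    for net in local + [remote]:
        if pool.overlaps(net):
            raise ValueError(f"NAT range {pool} overlaps in-use network {net}")

    lines, used = [], set()
    for host in remote_hosts:
        real = ipaddress.ip_address(host)
        if real not in remote:
            raise ValueError(f"{real} is not inside remote network {remote}")
        # Keep the host bits so 10.30.0.10 becomes 192.168.5.10.
        offset = int(real) & int(pool.hostmask)
        mapped = ipaddress.ip_address(int(pool.network_address) + offset)
        if mapped in (pool.network_address, pool.broadcast_address):
            raise ValueError(f"{real} maps to a reserved address in {pool}")
        if mapped in used:
            raise ValueError(f"{real} collides with another host at {mapped}")
        used.add(mapped)
        lines.append(
            f"static (outside,inside) {mapped} {real} netmask 255.255.255.255"
        )
    return lines


if __name__ == "__main__":
    # Addresses from the thread; 172.16.1.0/24 is a constructed local network.
    for line in plan_outside_nat(
        ["10.30.0.0/16", "172.16.1.0/24"],
        "10.30.0.0/16",
        "192.168.5.0/24",
        ["10.30.0.10", "10.30.0.11"],
    ):
        print(line)
```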
