I have a PIX515E (7.2.2) with several IPSEC VPNs configured. They are "subnet to subnet" with NAT-T. I need a new VPN to a new client that "prohibits routing private IP addresses within their network". So I guess I have to NAT my entire subnet to a private IP address before it goes through the tunnel. How would I do this using the ASDM? Any tips would be greatly appreciated, especially if you have dealt with this type of configuration before.
I need my internal network (10.0.4.0/24) to show up as a public address on their internal network. My confusion is how do I set that up? I have a couple of ideas but am not sure how they would work.
In the statement that is contradictory I meant to say "to a public IP address."
At any rate I am open to ideas.
At this point I do not have their peer ID or much other information except that they do not route private IPs from a vendor's subnet, hence the statement "prohibits routing private IP addresses within their network".
The only other information that I have is that we will use rdp to connect to about 5 servers on the clients subnet.
I got mine figured out, maybe it will help you. (Changed the addresses a little for privacy)
First, the tunnel is setup to pass traffic between the public address I need to NAT to, and the addresses on the remote network (the rest of the tunnel parameters are omitted here as they are irrelevant) -
access-list outside_110_cryptomap extended permit ip 126.96.36.199 255.255.255.0 13
Then I create the dynamic NAT so that any traffic destined to 188.8.131.52 is first NAT'd from my PRIVATE address (172.16.0.0) to the PUBLIC address permitted through the tunnel.
Global pool of addresses to NAT to -
global (outside) 3 184.108.40.206-220.127.116.11 netmask 255.255.255.0
Access-list that creates the dynamic mapping -
access-list inside_nat_outbound extended permit ip any 18.104.22.168 255.255.0.0
Basically those last two entries say: if traffic is bound for 22.214.171.124, NAT it to global pool 3.
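The reply above depends on the PIX order of operations: outbound traffic is first matched against the policy-NAT access-list and translated into the global pool, and only the post-NAT packet is compared with the crypto-map access-list that selects traffic for the tunnel. The following is an added example (not from this thread and not Cisco code) that models that ordering so you can check a planned configuration before applying it. It assumes the NAT access-list is bound to pool 3 with a `nat (inside) 3 access-list ...` statement (which the reply does not show), and it uses constructed documentation-range addresses rather than the thread's own. It also shows the common failure mode: a crypto ACL written against the private subnet never matches the post-NAT source, so the traffic is not selected for the tunnel.

```python
"""Model of PIX/ASA 7.x 'policy NAT, then crypto-map match' for a
site-to-site tunnel whose remote peer only accepts public sources.

Added example, not from the thread. Addresses are constructed from
RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <dst>' line; 0.0.0.0/0 stands for 'any'."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl_matches(acl, pkt):
    """True if any entry permits this source/destination pair."""
    return any(pkt.src in e.src and pkt.dst in e.dst for e in acl)


# Constructed topology: private inside subnet, the client's subnet reached
# through the tunnel, and the public pool we must appear as.
INSIDE = ipaddress.ip_network("172.16.0.0/16")
REMOTE = ipaddress.ip_network("198.51.100.0/24")
POOL = ipaddress.ip_network("203.0.113.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Equivalent of 'access-list inside_nat_outbound permit ip any <remote>'
NAT_ACL = [AclEntry(ANY, REMOTE)]
# Correct crypto ACL: matches the *post-NAT* public source.
CRYPTO_ACL_GOOD = [AclEntry(POOL, REMOTE)]
# Mistaken crypto ACL: written against the private subnet.
CRYPTO_ACL_BAD = [AclEntry(INSIDE, REMOTE)]


def dynamic_nat(pkt, nat_acl, pool):
    """Translate the source into the pool when the policy-NAT ACL matches.

    A real PIX hands out the next free pool address; here the last octet
    of the private source is kept so results are deterministic.
    """
    if not acl_matches(nat_acl, pkt):
        return pkt
    new_src = pool.network_address + (int(pkt.src) & 0xFF)
    return Packet(new_src, pkt.dst)


def forward(pkt, nat_acl, crypto_acl, pool):
    """Apply NAT first, then decide whether the crypto map selects the
    post-NAT packet. Returns (post-NAT packet, 'tunneled'|'not_tunneled')."""
    out = dynamic_nat(pkt, nat_acl, pool)
    state = "tunneled" if acl_matches(crypto_acl, out) else "not_tunneled"
    return out, state


if __name__ == "__main__":
    pkt = Packet(ipaddress.ip_address("172.16.0.7"),
                 ipaddress.ip_address("198.51.100.5"))
    for name, acl in (("good", CRYPTO_ACL_GOOD), ("bad", CRYPTO_ACL_BAD)):
        out, state = forward(pkt, NAT_ACL, acl, POOL)
        print(f"{name}: {pkt.src} -> {out.src} => {state}")
```

Run it and the "bad" case reports `not_tunneled`: the packet has already been translated to 203.0.113.7 by the time the crypto map looks at it, so an entry for 172.16.0.0/16 never matches. Traffic to destinations outside the remote subnet is left untouched by the policy NAT and is likewise not tunneled, which is the intended behaviour.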
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router: