Cisco Support Community

New Member

PIX-2-PIX VPN with overlapping NAT address spaces

Hi guys,

Hope someone will be able to help me with this.

I have two sites doing NAT behind PIX firewalls. Both of them use 10.1.1.0/24 for internal address space.

I want to create a VPN tunnel between these two.

Obviously I have to NAT them again so that 10.1.1.0/24 is seen as different on either side.

I read the example at http://www.cisco.com/en/US/partner/tech/tk648/tk367/technologies_configuration_example09186a00800949f1.shtml, but it wasn't of much help.

I have a couple of questions:

- do I need public IP addresses to NAT to, or will another private address range do fine?

- does doing a reverse NAT on the PIX disrupt communication with other VPN-enabled networks?

thanks for any help

4 REPLIES
Cisco Employee

Re: PIX-2-PIX VPN with overlapping NAT address spaces

Hi,

You can use a different private IP address space for the NAT and then include the NATed IP addresses in your IPsec LAN-to-LAN tunnel.

Regards,

Arul

New Member

Re: PIX-2-PIX VPN with overlapping NAT address spaces

Hi,

I configured NAT on one of the PIXes and brought up the VPN, but the ping is not successful.

The overlapping networks are within the range of 10.1.0.0 so I did:

static (outside, inside) 10.160.196.128 10.1.0.0 netmask 255.255.255.224 0 0

IPsec interesting traffic is from 10.1.0.0 -----> 10.160.0.0

so the access lists should be:

access-list nonat permit ip 10.160.196.128 255.255.255.224 10.160.0.0 255.255.0.0

access-list remotelan permit ip 10.160.196.128 255.255.255.224 10.160.0.0 255.255.0.0

but whenever I use these access lists nothing is being encrypted by IPsec.

If I change the access lists to:

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.160.0.0 255.255.0.0

access-list remotelan permit ip 10.1.1.0 255.255.255.0 10.160.0.0 255.255.0.0

traffic is being encrypted but the ping is not successful.

I am missing something but am not sure what.

- Is it necessary to have NAT on both PIXes?

- How do I tell the firewall that any packet sourced from 10.1.0.0 should be included in IPsec?

Can someone help me with this?

Bronze

Re: PIX-2-PIX VPN with overlapping NAT address spaces

Hi there,

You might be looking for a document that looks similar to:

http://www.cisco.com/warp/customer/707/vpn_pix_private.html

Hope that helps

Jazib

New Member

Re: PIX-2-PIX VPN with overlapping NAT address spaces

I found this link: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml

My question is, will it do a one-to-one mapping? For example, will the translated IP 20.0.0.1 map to the real IP 10.0.0.1?
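A worked configuration for the two-sided translation Arul describes, added here as an editorial example; it is not from the thread, from the linked Cisco documents, or from any real deployment. It also answers the one-to-one question in the last post: a network static preserves the host bits, so 10.1.1.7 at site A is seen by site B as 192.168.11.7. Assumptions: PIX 6.3 syntax (policy NAT via `static ... access-list`), 192.168.11.0/24 and 192.168.22.0/24 are unused at both sites and on every other network reachable through the tunnel, and the outside addresses 203.0.113.1 / 198.51.100.1, interface names and the pre-shared key are placeholders.

```cisco
! ===== Site A PIX (assumed PIX 6.3 syntax; all addresses are placeholders) =====
! Real LAN 10.1.1.0/24. Site B also uses 10.1.1.0/24, so each side is
! translated before it enters the tunnel:
!   site A hosts appear to site B as 192.168.11.x
!   site B hosts appear to site A as 192.168.22.x
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1

! Policy static: only traffic from the real LAN bound for site B's translated
! range is rewritten. Host bits are preserved (10.1.1.7 -> 192.168.11.7), and
! the same static un-translates replies arriving from 192.168.22.x.
access-list to_siteB_real permit ip 10.1.1.0 255.255.255.0 192.168.22.0 255.255.255.0
static (inside,outside) 192.168.11.0 access-list to_siteB_real 0 0

! Ordinary PAT for Internet traffic; the policy static above takes precedence
! for traffic that matches its ACL, so Internet traffic keeps a routable source.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! The crypto ACL is checked after translation, so it names the translated
! networks on both ends, not 10.1.1.0/24.
access-list to_siteB_crypto permit ip 192.168.11.0 255.255.255.0 192.168.22.0 255.255.255.0

sysopt connection permit-ipsec
isakmp enable outside
isakmp key ExampleKeyChangeMe address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto map l2l 10 ipsec-isakmp
crypto map l2l 10 match address to_siteB_crypto
crypto map l2l 10 set peer 198.51.100.1
crypto map l2l 10 set transform-set aes-sha
crypto map l2l interface outside

! ===== Site B PIX: the mirror image =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 198.51.100.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.254 1

! Site B's real LAN becomes 192.168.22.x when talking to site A's 192.168.11.x
access-list to_siteA_real permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0
static (inside,outside) 192.168.22.0 access-list to_siteA_real 0 0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Translated local net -> translated remote net, the reverse of site A's ACL
access-list to_siteA_crypto permit ip 192.168.22.0 255.255.255.0 192.168.11.0 255.255.255.0

sysopt connection permit-ipsec
isakmp enable outside
isakmp key ExampleKeyChangeMe address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto map l2l 10 ipsec-isakmp
crypto map l2l 10 match address to_siteA_crypto
crypto map l2l 10 set peer 203.0.113.1
crypto map l2l 10 set transform-set aes-sha
crypto map l2l interface outside
```

Points a practitioner checks with this layout: hosts at site A must address site B machines as 192.168.22.x (and DNS must hand out those addresses), never as 10.1.1.x, which is their own subnet; both PIXes need a translation, since NAT on only one side still leaves the untranslated side addressing a 10.1.1.x that collides with its own LAN; and the translated ranges must not overlap any network reachable through another tunnel, which is what keeps the extra NAT from disturbing other VPN peers. After changing statics run `clear xlate` so stale translations are dropped, then `show crypto ipsec sa` to confirm the SA was negotiated for 192.168.11.0/24 <-> 192.168.22.0/24 rather than for the real addresses.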
