PIX with VPN to Checkpoint with Overlapping Subnets

fcollett
Level 1

I have a client with a PIX running 6.3 code.

They need to establish an IPSec tunnel to one of their clients that has a Checkpoint firewall.

Both organizations are using 10.1.0.0 /16 and would like to NAT the home office to 10.180.0.0 /16 and the remote client to 10.181.0.0.

The document on the Cisco website showing the PIX and the VPN Concentrator is less than helpful. I don't believe the text describing the picture is correct.

Any help with the ACLs and static NATs is greatly appreciated.


Jon Marshall
Hall of Fame

Frederik

Do both ends need to be able to initiate connections to each other, or is the traffic one-way?

Could you give more details on what is natted and where, i.e.

10.1.0.0/16 - are these the client source IP addresses?

What are the destination addresses, and are they being natted?

It is all doable, but a bit more info would be helpful.

Jon

The client addresses are 10.1.0.0/16 at both sites.

Only one client workstation at the main office is going to be accessed from the remote location. The IP address of that device is 10.1.1.103/32, which should be natted to 10.180.1.103/32.

Traffic coming from the remote office should be natted to 10.181.0.0/16.

Thanks

Frederik

Apologies, should have asked. Which office has the PIX and which the Checkpoint? I'll write this out as though both ends were PIX firewalls if that is alright, and we can see if that helps.

Remote end

==========

access-list NAT permit ip 10.1.0.0 255.255.0.0 host 10.180.1.103

nat (inside) 3 access-list NAT

global (outside) 10.181.0.0 255.255.0.0

NOTE: You could just NAT all the source 10.1.x.x addresses to one global IP address rather than the whole 10.181.0.0/16, up to you really.

Your crypto map access-list then needs to reference the natted 10.181.x.x addressing rather than the 10.1.0.0 addressing.

access-list vpntraffic permit ip 10.181.0.0 255.255.0.0 host 10.180.1.103

Main office

===========

crypto access-list should read

access-list vpntraffic permit ip host 10.180.1.103 10.181.0.0 255.255.0.0

And you will need a static translation for the inside client

static (inside,outside) 10.180.1.103 10.1.1.103 netmask 255.255.255.255

Does this help?

Jon
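As an added illustration (not part of Jon's reply or any Cisco code), the model below traces a remote-office flow through the policy NAT and static NAT described above and checks that the two crypto ACLs select the post-NAT addresses and mirror each other. The dynamic pool is assumed to be used one-to-one (host bits preserved) purely so results are predictable; a real PIX picks any free address from the global range.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's design. Remote office hides 10.1.0.0/16 behind
# 10.181.0.0/16 (only for traffic to the mapped workstation); main office publishes
# its real host 10.1.1.103 as 10.180.1.103 via a static translation.
REMOTE_NAT_ACL = (ip_network("10.1.0.0/16"), ip_network("10.180.1.103/32"))
REMOTE_POOL = (ip_network("10.1.0.0/16"), ip_network("10.181.0.0/16"))
MAIN_STATIC = {ip_address("10.1.1.103"): ip_address("10.180.1.103")}

# Crypto ACLs as written in the accepted answer: (source net, destination net).
REMOTE_CRYPTO = (ip_network("10.181.0.0/16"), ip_network("10.180.1.103/32"))
MAIN_CRYPTO = (ip_network("10.180.1.103/32"), ip_network("10.181.0.0/16"))


def acl_hit(acl, src, dst):
    """True when src/dst both fall inside the entry's source and destination networks."""
    return ip_address(src) in acl[0] and ip_address(dst) in acl[1]


def remote_translate(src, dst):
    """Policy NAT on the remote PIX: only flows the NAT ACL selects are translated.
    Assumed one-to-one mapping from the pool so the same host always gets the same address."""
    if not acl_hit(REMOTE_NAT_ACL, src, dst):
        return ip_address(src)  # no match: the packet leaves with its real, overlapping address
    real, mapped = REMOTE_POOL
    offset = int(ip_address(src)) - int(real.network_address)
    return ip_address(int(mapped.network_address) + offset)


def main_translate(src):
    """Static NAT on the main PIX applied to the workstation's return traffic."""
    return MAIN_STATIC.get(ip_address(src), ip_address(src))


def check_flow(real_src, target_dst, main_host="10.1.1.103"):
    """Trace one remote->main flow and return (post-NAT source as str,
    remote crypto ACL selects it, main crypto ACL selects the reply)."""
    nat_src = remote_translate(real_src, target_dst)
    forward_ok = acl_hit(REMOTE_CRYPTO, nat_src, target_dst)
    reply_src = main_translate(main_host)  # 10.1.1.103 -> 10.180.1.103 before the crypto check
    reverse_ok = acl_hit(MAIN_CRYPTO, reply_src, nat_src)
    return str(nat_src), forward_ok, reverse_ok


def acls_mirror(a, b):
    """Both ends' crypto ACLs must be exact mirror images, or the proxy IDs will not agree."""
    return a[0] == b[1] and a[1] == b[0]
```

A remote host addressing the mapped 10.180.1.103 is translated and matched at both ends; the same host addressing the real, overlapping 10.1.1.103 is never translated and never enters the tunnel, which is why the remote side has to use the 10.180.x.x address.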