02-27-2008 11:49 AM - edited 02-21-2020 03:35 PM
I have a client with a PIX running 6.3 code.
They need to establish an IPSec Tunnel to one of their clients that has a Checkpoint firewall.
Both organizations are using 10.1.0.0 /16 and would like to NAT the home office to 10.180.0.0 /16 and the remote client to 10.181.0.0.
The document on the Cisco website showing the PIX and the VPN Concentrator is less than helpful. I don't believe the text describing the picture is correct.
Any help with the ACLs and static NATs is greatly appreciated.
02-27-2008 12:26 PM
Frederik
Do both ends need to be able to initiate connections to each other, or is the traffic one-way?
Could you give more details on what is natted and where, i.e.
10.1.0.0/16 - are these the client source IP addresses?
What are the destination addresses and are they being natted?
It is all doable but a bit more info would be helpful.
Jon
02-27-2008 12:49 PM
The client addresses are 10.1.0.0/16 at both sites.
Only one client workstation at the main office is going to be accessed from the remote location. The IP address of that device is 10.1.1.103/32, which should be natted to 10.180.1.103/32.
Traffic coming from the remote office should be natted to 10.181.0.0/16.
Thanks
02-27-2008 01:05 PM
Frederik
Apologies, should have asked. Which office has the PIX and which the Checkpoint? I'll write this out as though both ends were PIX firewalls if that is alright and we can see if that helps.
Remote end
==========
access-list NAT permit ip 10.1.0.0 255.255.0.0 host 10.180.1.103
nat (inside) 3 access-list NAT
global (outside) 3 10.181.0.1-10.181.255.254 netmask 255.255.0.0
NOTE: You could just NAT all the source 10.1.x.x address to one global IP address rather than the whole 10.181.0.0/16, up to you really.
Your crypto map access-list then needs to reference the Natted 10.181.x.x addressing rather than the 10.1.0.0 addressing.
access-list vpntraffic permit ip 10.181.0.0 255.255.0.0 host 10.180.1.103
Main office
===========
crypto access-list should read
access-list vpntraffic permit ip host 10.180.1.103 10.181.0.0 255.255.0.0
And you will need a static translation for the inside client
static (inside,outside) 10.180.1.103 10.1.1.103 netmask 255.255.255.255
Does this help ?
Jon
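To make the order of operations in Jon's answer concrete (policy NAT first, crypto ACL evaluated on the translated packet, static un-NAT at the far end, and the two crypto ACLs being exact mirrors), here is an added Python model of the two PIX hops. It is not part of the thread and not PIX code; the three access-list lines are taken from Jon's post, while the remote inside host 10.1.4.20, the sequential pool allocator, and the deliberately wrong ACL written against the real 10.1.0.0 addresses are constructed for illustration.

```python
import ipaddress

# Access-list lines from Jon's answer (string form, PIX 6.3 syntax).
REMOTE_NAT_ACL = "access-list NAT permit ip 10.1.0.0 255.255.0.0 host 10.180.1.103"
REMOTE_CRYPTO_ACL = "access-list vpntraffic permit ip 10.181.0.0 255.255.0.0 host 10.180.1.103"
MAIN_CRYPTO_ACL = "access-list vpntraffic permit ip host 10.180.1.103 10.181.0.0 255.255.0.0"
# Constructed: the mistake Jon warns about, a crypto ACL that names the pre-NAT addresses.
UNTRANSLATED_ACL = "access-list vpntraffic permit ip 10.1.0.0 255.255.0.0 host 10.180.1.103"

REMOTE_POOL = ipaddress.ip_network("10.181.0.0/16")      # the 'global (outside)' pool
MAIN_STATIC = {"10.1.1.103": "10.180.1.103"}             # static (inside,outside) real -> global


def parse_ace(line):
    """Parse 'access-list NAME permit ip SRC DST' into (name, src_net, dst_net).
    Each of SRC/DST is either 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError("unsupported ACE: " + line)
    name, rest, nets = tokens[1], tokens[4:], []
    while rest:
        if rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32"))
        else:
            nets.append(ipaddress.ip_network(rest[0] + "/" + rest[1]))
        rest = rest[2:]
    if len(nets) != 2:
        raise ValueError("expected a source and a destination: " + line)
    return name, nets[0], nets[1]


def matches(ace, src, dst):
    """Does a packet src->dst fall inside the ACE's source and destination networks?"""
    _, src_net, dst_net = ace
    return ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net


def mirrored(local_ace, peer_ace):
    """Crypto ACLs must be exact mirrors: my source is the peer's destination and vice versa."""
    return local_ace[1] == peer_ace[2] and local_ace[2] == peer_ace[1]


class DynamicPool:
    """Constructed model of a dynamic NAT pool: first-come, first-served addresses.
    Because the mapping only exists once an inside host has sent traffic, the main
    office cannot initiate connections toward remote hosts with this design."""
    def __init__(self, network):
        self.free = (str(h) for h in network.hosts())
        self.table = {}

    def translate(self, inside_ip):
        if inside_ip not in self.table:
            self.table[inside_ip] = next(self.free)
        return self.table[inside_ip]


def remote_pix_outbound(src, dst, pool):
    """Remote PIX: policy NAT runs first, then the crypto ACL sees the translated packet."""
    if matches(parse_ace(REMOTE_NAT_ACL), src, dst):
        src = pool.translate(src)
    encrypted = matches(parse_ace(REMOTE_CRYPTO_ACL), src, dst)
    return src, dst, encrypted


def main_pix_inbound(src, dst):
    """Main PIX: decrypted packet must match its crypto ACL read in reverse
    (arriving source is our destination), then the static un-NATs the target."""
    accepted = matches(parse_ace(MAIN_CRYPTO_ACL), dst, src)
    real_dst = {glob: real for real, glob in MAIN_STATIC.items()}.get(dst, dst)
    return src, real_dst, accepted


def walk_flow(inside_src="10.1.4.20", target="10.180.1.103"):
    """Trace one remote-initiated packet through both firewalls and report each check."""
    pool = DynamicPool(REMOTE_POOL)
    nat_src, dst, encrypted = remote_pix_outbound(inside_src, target, pool)
    _, real_dst, accepted = main_pix_inbound(nat_src, dst)
    return {
        "translated_source": nat_src,
        "encrypted_by_remote": encrypted,
        "accepted_by_main": accepted,
        "delivered_to": real_dst,
        "acls_mirrored": mirrored(parse_ace(REMOTE_CRYPTO_ACL), parse_ace(MAIN_CRYPTO_ACL)),
        # Written against 10.1.0.0, the ACL never sees the post-NAT source, so nothing is encrypted.
        "real_address_acl_matches": matches(parse_ace(UNTRANSLATED_ACL), nat_src, dst),
    }


if __name__ == "__main__":
    for key, value in walk_flow().items():
        print(f"{key}: {value}")
```

The `real_address_acl_matches` entry is the check worth keeping in mind when the Checkpoint side is configured: whichever addresses appear in the remote crypto ACL have to be the translated 10.181.x.x ones, and the peer's encryption domain has to be their exact mirror, or phase 2 will either never trigger or fail the proxy-ID comparison.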