I'm working on a situation where I need to do a LAN-to-LAN VPN, but where the "main" network already uses a PIX as their gateway.
Let me explain: let's say we have 2 networks, 10.10.10.0 and 10.10.11.0. Currently, a PIX 515 services the 10.10.10.0 network, and a 515 on the other, as well.
Now, we want a VPN between the 2 sites, but instead of the 515 to the 515, we want to use the remote 515 to connect to a PIX 506 at the Main site, to create the tunnel.
I've got the tunnel up and active, but am having a routing/NAT issue (I think).
The main site uses their PIX as their default gateway, so let's say it's 10.10.10.254, and I've assigned the 506 an inside address of 10.10.10.246. On the .254, I tell it to route any traffic for the 10.10.11.0 network to the .246 PIX.
I realize this is tough to explain, but basically nothing works but the tunnel. I am able to ping devices on the other side of the VPN using the .254 device... so the traffic is being routed properly through there. I'm guessing this is some sort of NAT issue, but I enabled the NAT traversal command that I thought would fix this.
Anyone have any advice? I realize we could do the VPN from the 515 to the 515, but they don't want to do it that way... they want one device dedicated to VPN at the main site.
Keep in mind that the PIX won't send ICMP redirects to the clients even though it knows how to get to that network. You have to have a router as a default gateway if you want the clients on the 506 side of the network to get redirected to the 506. Or, you could put persistent routes in the client machines.
You really would be much better off using the 515 to terminate the tunnel instead of the 506.