Cisco Support Community
New Member

Router to PIX VPN...please help

I have two separate networks I need to bring together via a VPN tunnel. The local side has a 3660 router where one end of the vpn will terminate. The remote end will be a PIX 501.

The local network (3660 side) has an IP addressing scheme of 10.x.x.x, whereas the remote network (PIX side) has a scheme of 172.16.x.x. I have four users who will be initiating a session from the local side to 3 different servers on the remote side (all servers have a 172.16.x.x address). I am new to VPNs so I am confused as to where I need to be NAT'ing and how to set it up. If my side connects with a 10.x address and needs to get to a server with a 172.16.x.x address, where does the NAT'ing take place and how would that look configuration-wise? As said before, all traffic is initiated from the local (3660) side. I have looked at the Cisco docs but it's not clear to me. Any guidance would be appreciated!

New Member

Re: Router to PIX VPN...please help

You don't need to NAT. You must create a crypto-ACL in each peer, in the following fashion: permit ip

then create a crypto map:

    crypto map crypto-map-Serial0 5 ipsec-isakmp
     set peer (PIX Outside interface IP)
     set security-association lifetime kilobytes 10000
     set transform-set (a transform you must create before)
     set pfs group2
     match address crypto-ACL

Finally, apply the crypto to the serial int of the 3660

    interface Serial0
     crypto map crypto-map-Serial0

In the PIX, do the inverse way for the ACL. Use same transform set.
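
Added example, not part of the original thread: a small Python check that the crypto ACL on the router and the one on the PIX are exact inverses of each other, since a mismatch between the two is a common reason the tunnel fails to come up. The ACL number 110 and the /8 and /16 masks are constructed sample values; the script assumes IOS wildcard masks on the router and netmasks on the PIX.

```python
import ipaddress
import re

# Handles only "access-list <id> permit ip <src> <mask> <dst> <mask>" lines.
ACL_RE = re.compile(
    r"^\s*access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def _network(addr, mask, wildcard):
    """Build an IPv4Network from a netmask (PIX) or a wildcard mask (IOS router)."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF  # 0.0.255.255 -> 255.255.0.0
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    # strict=True rejects an address with host bits set (e.g. 10.1.1.1 with a /8)
    return ipaddress.IPv4Network((addr, prefix), strict=True)

def parse_acl(lines, wildcard):
    """Return the set of (source, destination) networks the ACL permits."""
    pairs = set()
    for line in lines:
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        pairs.add((_network(m.group(1), m.group(2), wildcard),
                   _network(m.group(3), m.group(4), wildcard)))
    return pairs

def mirror_mismatches(router_acl, pix_acl):
    """List entries on one peer that have no inverse (src/dst swapped) on the other."""
    router = parse_acl(router_acl, wildcard=True)
    pix = parse_acl(pix_acl, wildcard=False)
    expected_on_pix = {(dst, src) for src, dst in router}
    return {"missing_on_pix": expected_on_pix - pix,
            "missing_on_router": {(d, s) for s, d in pix - expected_on_pix}}

# Constructed sample ACLs (not taken from the thread).
ROUTER_ACL = ["access-list 110 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255"]
PIX_ACL_OK = ["access-list 110 permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.0.0.0"]
PIX_ACL_BAD = ["access-list 110 permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.255.0.0"]

if __name__ == "__main__":
    print(mirror_mismatches(ROUTER_ACL, PIX_ACL_OK))
    print(mirror_mismatches(ROUTER_ACL, PIX_ACL_BAD))
```
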



Re: Router to PIX VPN...please help

Any NAT in place already? Or you don't do NAT on both sites? In case you use NAT already on one/both sites, you need to do a no-NAT. Would you please post the configs?
