VPN: Pix Headend with multiple L2L (client) networks with overlap networks

Hello,

There is probably an easy solution for this but I've been trying to configure this all day and haven't made any progress. I haven't found any documentation yet specific to my situation but from what I have read it does seem like this is possible.

I am trying to configure a scenario in my test lab where I have a Pix firewall at the main branch office connecting 2 remote (Client) sites (2801 routers) with overlapping networks via L2L IPSEC VPN. HTTPS traffic needs to be bi-directional between client sites and main branch office. Also I do not want clients accessing each other's networks.

Main office: Pix version 8

internal 192.168.2.2

external 10.0.10.197

Client 1 office: Router2801a

external 10.0.11.15

internal 172.16.1.1 network 172.16.1.x/24

Client 2 office: Router2801b

external 10.0.11.16

internal 172.16.1.1 network 172.16.1.x/24

I'm thinking that the routers at the client sites need to NAT their private addresses prior to the VPN tunnel to a network other than 192.168.2.2. Maybe something like 192.168.200.x/24 and 192.168.201.x/24. How do I configure the pix to be able to route internally these addresses?

Any other EASIER or more viable solutions would be helpful.

UPDATE *** Ok so I created sub interfaces 192.168.200.1 and 192.168.201.1 (VLAN 2 and VLAN 3) on the Cisco pix and now the routers use NAT to translate to an IP in those subnets. I can ping the subinterfaces on the pix via the tunnel from the branch offices but cannot ping the Main office from the branch offices. Hopefully I can solve this.

Thanks,

Lance

  • Security Management
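As an added example (not from the original thread), this is an assumed IOS configuration for the client 1 router (Router2801a) following the approach Lance describes: the LAN 172.16.1.0/24 is translated to 192.168.200.0/24 before the traffic enters the tunnel, so the PIX only ever sees non-overlapping addresses. The IP addresses come from the post; the interface, ACL, transform-set and crypto-map names are assumed, and the pre-shared key is a placeholder. Client 2 would use the same layout with 192.168.201.0/24.

```cisco
! Client 1 router (Router2801a), assumed example config.
! Inside LAN 172.16.1.0/24 is presented to the tunnel as 192.168.200.0/24.
interface FastEthernet0/0
 description LAN (real, overlapping with client 2)
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description WAN toward the PIX
 ip address 10.0.11.15 255.255.255.0
 ip nat outside
 crypto map L2L-TO-PIX
!
! Static 1:1 network translation: 172.16.1.x <-> 192.168.200.x.
! IOS applies NAT to inside->outside traffic before IPsec encapsulation,
! so the crypto ACL below must match the translated 192.168.200.0/24.
ip nat inside source static network 172.16.1.0 192.168.200.0 /24
!
! Interesting traffic: only the translated LAN to the main office LAN.
! 192.168.201.0/24 (client 2) is deliberately absent, so this tunnel
! carries no client-to-client path.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Phase 1 / phase 2 parameters (group 5 chosen because both a 2801 and
! PIX 8 support it; use a stronger group where both ends allow it).
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 10.0.10.197
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
crypto map L2L-TO-PIX 10 ipsec-isakmp
 set peer 10.0.10.197
 set transform-set AES-SHA
 match address VPN-TRAFFIC
```

On the PIX the mirror-image crypto ACLs then reference 192.168.200.0/24 and 192.168.201.0/24 (one crypto map entry per peer), and those translated networks must be exempted from the PIX's own NAT so return traffic reaches the tunnel untranslated.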
3 REPLIES

Re: VPN: Pix Headend with multiple L2L (client) networks with ov

Lance, I have a question for you: have you looked into policy NAT at all? You should be able to NAT the traffic prior to exiting to the tunnel, especially for the overlapping sites. There are quite a few configuration examples out there for PIX/ASA to router or router to router etc. Policy NAT is your solution.

Let me know if I should throw you a couple of links with examples for overlapping nets in an L2L scenario.

Rgds

Jorge

Re: VPN: Pix Headend with multiple L2L (client) networks with ov

Thanks Jorge for the fast response but I was able to get it working.

On the pix I changed the security level of the sub interfaces to a higher value than the internal network and then on the routers added static routes to the outside interface of the pix. This is working so far.

Lance

Re: VPN: Pix Headend with multiple L2L (client) networks with ov

Lance, thanks for your update, good for you and glad you got a solution.

Rgds

Jorge
