VPN: Pix Headend with multiple L2L (client) networks with overlap networks

lancebarisdale
Level 1

Hello,

There is probably an easy solution for this but I've been trying to configure this all day and haven't made any progress. I haven't found any documentation yet specific to my situation but from what I have read it does seem like this is possible.

I am trying to configure a scenario in my test lab where I have a Pix firewall at the main branch office connecting 2 remote (Client) sites (2801 routers) with overlapping networks via L2L IPSEC VPN. HTTPS traffic needs to be bi-directional between client sites and main branch office. Also, I do not want clients accessing each other's networks.

Main office: Pix version 8

internal 192.168.2.2

external 10.0.10.197

Client 1 office: Router2801a

external 10.0.11.15

internal 172.16.1.1 network 172.16.1.x/24

Client 2 office: Router2801b

external 10.0.11.16

internal 172.16.1.1 network 172.16.1.x/24

I'm thinking that the routers at the client sites need to NAT their private addresses prior to the VPN tunnel to a network other than 192.168.2.2. Maybe something like 192.168.200.x/24 and 192.168.201.x/24. How do I configure the pix to be able to route these addresses internally?

Any other EASIER or more viable solutions would be helpful.

UPDATE *** Ok so I created sub interfaces 192.168.200.1 and 192.168.201.1 (VLAN 2 and VLAN 3) on the Cisco pix and now the routers use NAT to translate to an IP in those subnets. I can ping the subinterfaces on the pix via the tunnel from the branch offices but cannot ping the Main office from the branch offices. Hopefully I can solve this.

Thanks,

Lance

3 Replies

JORGE RODRIGUEZ
Level 10

Lance, I have a question for you: have you looked into policy NAT at all? You should be able to NAT the traffic prior to exiting to the tunnel, especially for the overlapping sites. There are quite a few configuration examples out there for PIX/ASA to router or router to router, etc. Policy NAT is your solution.

Let me know if I should throw you a couple of links with examples for overlapping nets in an L2L scenario.

Rgds

Jorge

Jorge Rodriguez
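The idea in the original post and in Jorge's reply is the same: the two client LANs both use 172.16.1.0/24, so each router must translate its LAN to a distinct prefix (192.168.200.0/24 and 192.168.201.0/24) before the traffic enters the tunnel, and the hub only ever sees the translated prefixes. The following is an added example, not code from the thread or from Cisco; it is a small Python planner that detects the overlap, performs the 1:1 network translation that static network NAT does (host bits kept, network bits swapped), verifies the post-NAT prefixes are unique from the Pix's point of view, and models the hub-and-spoke policy Lance wants (hub to client in both directions, never client to client). The addressing is the lab addressing from the thread; the function names are mine.

```python
from ipaddress import ip_network, ip_address
from itertools import combinations

# Lab addressing from the thread: hub LAN behind the Pix and two client LANs
# that both use 172.16.1.0/24 (the overlap that breaks a plain L2L tunnel).
HUB_LAN = ip_network("192.168.2.0/24")
SITES = {
    "client1": ip_network("172.16.1.0/24"),
    "client2": ip_network("172.16.1.0/24"),
}
# Translated prefixes, one per client, as proposed in the original post.
NAT_POOL = {
    "client1": ip_network("192.168.200.0/24"),
    "client2": ip_network("192.168.201.0/24"),
}


def overlapping_pairs(nets):
    """Return the (name, name) pairs whose prefixes overlap.

    Two prefixes overlap when one contains any address of the other. An IPsec
    peer cannot build unambiguous crypto ACLs (proxy IDs) for such prefixes,
    which is why the overlap has to be removed by NAT before encryption."""
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
            if na.overlaps(nb)]


def netmap(host, inside, outside):
    """1:1 network translation (what 'static network' NAT does on IOS):
    keep the host bits of `host`, replace the network bits of `inside`
    with those of `outside`."""
    if host not in inside:
        raise ValueError(f"{host} is not inside {inside}")
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("static network NAT needs equal prefix lengths")
    offset = int(host) - int(inside.network_address)
    return outside.network_address + offset


def untranslate(host, inside, outside):
    """Reverse direction of netmap(): translated address -> real LAN host."""
    return netmap(host, outside, inside)


def build_plan(hub, sites, pool):
    """Map every site to its post-NAT prefix and check that the hub sees
    a set of prefixes with no overlap left in it."""
    post_nat = {"hub": hub, **{s: pool[s] for s in sites}}
    clashes = overlapping_pairs(post_nat)
    if clashes:
        raise ValueError(f"translated prefixes still overlap: {clashes}")
    return post_nat


def permitted(src, dst, plan):
    """Hub-and-spoke policy: hub <-> client both ways, never client <-> client.
    Addresses are post-NAT addresses as seen on the hub side."""
    def owner(addr):
        return next((n for n, net in plan.items() if addr in net), None)
    s, d = owner(src), owner(dst)
    if s is None or d is None:
        return False
    return "hub" in (s, d) and s != d


if __name__ == "__main__":
    print("overlaps before NAT:", overlapping_pairs(SITES))
    plan = build_plan(HUB_LAN, SITES, NAT_POOL)
    host = ip_address("172.16.1.50")
    for site in SITES:
        print(site, host, "->", netmap(host, SITES[site], NAT_POOL[site]))
    print("client1 -> client2 allowed:",
          permitted(ip_address("192.168.200.50"),
                    ip_address("192.168.201.50"), plan))
```

Run it with the two client prefixes as above and `overlapping_pairs` reports the clash; change either LAN to a non-overlapping prefix and the list is empty, which is the quick way to confirm whether NAT is needed at all. The same `netmap` logic is what you would expect the crypto ACL on each 2801 to match: the translated 192.168.200.0/24 or 192.168.201.0/24 to 192.168.2.0/24, never the real 172.16.1.0/24.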

Thanks Jorge for the fast response but I was able to get it working.

On the pix I changed the security level of the sub interfaces to a higher value than the internal network and then on the routers added static routes to the outside interface of the pix. This is working so far.

Lance

Lance, thanks for your update; good for you, and glad you got a solution.

Rgds

Jorge

Jorge Rodriguez