New Member

Simple VPN question

I am setting up a site-to-site VPN between two identical PIXs. My only worry is with the NAT statements in the example. In the current config, all that is listed for NAT is "nat (inside) 0 0.0.0.0 0.0.0.0" and there are a few static routes set up to route public IPs to private.

Should I leave out the NAT statements in the sample config or alter my current NAT settings?

Thanks

4 REPLIES
Silver

Re: Simple VPN question

Please post your config and I will help.

New Member

Re: Simple VPN question

Here is the example of the code that Cisco said to input to configure a site-to-site VPN. Both of my firewall confs are almost identical.

hostname NewYork

isakmp enable outside

isakmp policy 9 authentication pre-share

isakmp policy 9 encrypt 3des

crypto isakmp key cisco1234 address 209.165.200.229

crypto ipsec transform-set strong esp-3des esp-sha-hmac

access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0

nat 0 access-list 90

nat (inside) 1 0 0

global (outside) 1 209.165.201.9-209.165.201.30

global (outside) 1 209.165.201.8

crypto map toSanJose 20 ipsec-isakmp

crypto map toSanJose 20 match address 90

crypto map toSanJose 20 set transform-set strong

crypto map toSanJose 20 set peer 209.165.200.229

crypto map toSanJose interface outside

sysopt connection permit-ipsec

What worries me is whether the NAT statements in the above code will interfere with my current conf. Here is what I have for NAT and the static routes I have set up:

global (outside) 1 interface

nat (inside) 0 0.0.0.0 0.0.0.0

static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.6 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.9 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.7 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.8 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.100 netmask 255.255.255.255

static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.101 netmask 255.255.255.255

New Member

Re: Simple VPN question

no nat 1 should go with global 1.

nat 0 should be left to keep certain hosts from doing nat... nat 0 should reference an acl

see http://www.cisco.com/warp/public/110/38.html

tschuss,

Joe

Silver

Re: Simple VPN question

Here is what you need to do to fix the nat for the VPN and Internet access...

nat (inside) 0 access-list 90

nat (inside) 1 0 0

global (outside) 1 209.165.201.9-209.165.201.30

global (outside) 1 209.165.201.8
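
The checks the replies describe can be run against a config before it is applied. The following is an added example, not part of the thread and not Cisco tooling: the function name `audit_pix_nat` and the two sample configs are constructed here from lines quoted above, and the check ignores interface names as a simplification.

```python
import re

def audit_pix_nat(config):
    """Return a list of NAT/VPN consistency findings for PIX-style config text."""
    nat_ids, global_ids, exempt_acls, crypto_acls = set(), set(), set(), set()
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nat (?:\(\S+\) )?(\d+) (.+)", line):
            nat_id, rest = m.groups()
            if nat_id != "0":
                nat_ids.add(nat_id)               # dynamic NAT, expects a global pool
            elif rest.startswith("access-list "):
                exempt_acls.add(rest.split()[1])  # NAT exemption for this ACL
            else:
                findings.append(f"nat 0 does not reference an ACL: {line}")
        elif m := re.match(r"global \(\S+\) (\d+) ", line):
            global_ids.add(m.group(1))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            crypto_acls.add(m.group(1))
    # Simplification (assumption): ids are compared without regard to interface names.
    for i in sorted(global_ids - nat_ids):
        findings.append(f"global {i} has no matching nat {i}")
    for i in sorted(nat_ids - global_ids):
        findings.append(f"nat {i} has no matching global {i}")
    for acl in sorted(crypto_acls - exempt_acls):
        findings.append(f"crypto map ACL {acl} is not exempted by nat 0")
    return findings

# Constructed sample: the asker's current NAT lines plus the sample crypto map.
BEFORE = """\
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
crypto map toSanJose 20 match address 90
"""

# Constructed sample: the same config with the NAT lines from the last reply.
AFTER = """\
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list 90
nat (inside) 1 0 0
global (outside) 1 209.165.201.9-209.165.201.30
global (outside) 1 209.165.201.8
crypto map toSanJose 20 match address 90
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_pix_nat(cfg) or "no findings")
```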
