Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN site to site tunnel

We have a remote location with a PIX 515 and our HQ that has a PIX 525 that we would like to tie together with a VPN tunnel for certain applications. The issue is we have overlapping networks. Both locations use 10.x.x.x

I have a VPN 3000 Concentrator that I could use rather than the PIX at HQ which the internal network is a 172.x.x.x and is routable on the internal network.

Can I create a tunnel between the PIX and the VPN and NAT the external PIX connections with the 172.x.x.x network. The remote network workstations are using a 10.10.x.x but I also have the 10.10.x.x network at HQ. How would the routing work on the VPN or do I need to just route the 10.10.x.x over the tunnel or by PATing the remote IPs I just use the PATed addresses as the route back?

5 REPLIES

Re: VPN site to site tunnel

hello

in case of overlapping networks, you need to do natting before encryption. anyway nat takes preference over IPSEC.. you can either do a PAT or dynamic NAT before encrypting the traffic..

check this config example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml#diag

will the users from both the ends accesss all the /24 ip addresses or just a server? in case the traffic is only to a server, just do a static nat for the server and then encrypt the traffic. if not, do a pat or dynamic nat at the source and encrypt the traffic...

hope this helps.. all the best...

Raj

New Member

Re: VPN site to site tunnel

It helps but the problem is this article looks to be for all traffic. What I need to do is on the remote network is more like split tunnel. I need to NAT traffic slated for a particular service to go down the VPN tunnel and NAT to a particular IP pool. But I also need it to use the Internet NAT pool for all other applications. Likewise for the HQ office. Because of overlapping networks.

So if I have a client in the remote office with an IP of 10.10.1.1

They want to access a service that is on the VPN tunnel they get NATed to a 172.x.x.x address. On the HQ end I would route anything for 172.x.x.x to the VPN so that the service at HQ would know how to get back to the remote office. Possible?

New Member

Re: VPN site to site tunnel

Did you figure out your problem? I have same issue. Cisco VPN concentrators handle this kind of situations with 4-5 clicks. I really miss the VPN Concentrator for its capability of letting you apply NAT or Traffic policy per IPSEC session. On PIX, IOS or ASA, all NAT seems to be global not per specific to ipsec session.

New Member

Re: VPN site to site tunnel

I also have issue with the same situation.

pix1:

access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside x.x.x.x 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

sysopt connection permit-ipsec

static (outside,inside) 10.2.2.0 192.168.1.0 netmask 255.255.255.0 0 0

static (inside,outside) 10.1.1.0 192.168.1.0 netmask 255.255.255.0 0 0

route outside 0.0.0.0 0.0.0.0

crypto ipsec transform-set vpnset esp-des esp-md5-hmac

crypto map vpnmap 10 ipsec-isakmp

crypto map vpnmap 10 match address nonat

crypto map vpnmap 10 set peer y.y.y.y

crypto map vpnmap 10 set transform-set vpnset

crypto map vpnmap interface outside

isakmp enable outside

isakmp key ******** address y.y.y.y netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

pix2:

access-list nonat permit ip 10.2.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside y.y.y.y 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

static (outside,inside) 10.1.1.0 192.168.1.0 netmask 255.255.255.0 0 0

static (inside,outside) 10.2.2.0 192.168.1.0 netmask 255.255.255.0 0 0

route outside 0.0.0.0 0.0.0.0

sysopt connection permit-ipsec

crypto ipsec transform-set vpnset esp-des esp-md5-hmac

crypto map vpnmap 10 ipsec-isakmp

crypto map vpnmap 10 match address nonat

crypto map vpnmap 10 set peer x.x.x.x

crypto map vpnmap 10 set transform-set vpnset

crypto map vpnmap interface outside

isakmp enable outside

isakmp key ******** address x.x.x.x netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

But ipsec tunnel can not setup.Debug information show me error message "proxy identities not supported".The cisco document told me that this message appears in debugs if the access list for IPsec traffic does not match.

what can i do next?

Thanks a lot

New Member

Re: VPN site to site tunnel

I belive that the static translations on pix 2 are not needed. Try it. In translations like this the source and destinations will be teoreticly ok but this will be out of sesion packets.

Wen pix 1 translate outbound packet the pasket will have source 10.1.1.x and destination 192.168.1.x the pix 2 get that and send it to host. Host answer to destination 10.1.1.x and from his source 192.168.1.x and when pix 2 make translation on this packet the packet will have destination 192.168.1.x and source 10.2.2.x and the pix 1 waiting on packet from the source 192.168.1.0 and to destination 10.1.1.0.

150
Views
0
Helpful
5
Replies
CreatePlease to create content