We have a remote location with a PIX 515 and our HQ that has a PIX 525, which we would like to tie together with a VPN tunnel for certain applications. The issue is we have overlapping networks. Both locations use 10.x.x.x.
I have a VPN 3000 Concentrator that I could use rather than the PIX at HQ, whose internal network is 172.x.x.x and is routable on the internal network.
Can I create a tunnel between the PIX and the VPN and NAT the external PIX connections with the 172.x.x.x network? The remote network workstations are using 10.10.x.x, but I also have the 10.10.x.x network at HQ. How would the routing work on the VPN, or do I need to just route the 10.10.x.x over the tunnel, or, by PATing the remote IPs, do I just use the PATed addresses as the route back?
Will the users from both ends access all the /24 IP addresses or just a server? In case the traffic is only to a server, just do a static NAT for the server and then encrypt the traffic. If not, do a PAT or dynamic NAT at the source and encrypt the traffic...
It helps, but the problem is this article looks to be for all traffic. What I need to do on the remote network is more like a split tunnel. I need to NAT traffic slated for a particular service to go down the VPN tunnel and NAT it to a particular IP pool. But I also need it to use the Internet NAT pool for all other applications. Likewise for the HQ office, because of the overlapping networks.
So if I have a client in the remote office with an IP of 10.10.1.1
and they want to access a service that is on the VPN tunnel, they get NATed to a 172.x.x.x address. On the HQ end I would route anything for 172.x.x.x to the VPN so that the service at HQ would know how to get back to the remote office. Possible?
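The split-tunnel policy NAT asked about above, as an added example for the remote-site PIX (PIX 6.3 syntax); this is not configuration from the thread or from Cisco. All addressing is assumed: the remote LAN is 10.10.0.0/16, the HQ service network behind the concentrator is 172.16.0.0/16, the pool 172.16.10.0/24 is assumed to be unused at HQ, and the peer and pre-shared key are placeholders. Only traffic matched by the policy ACL is translated into the pool before encryption; everything else is PATed to the outside interface for Internet access.

```cisco
! Remote-site PIX 515, PIX 6.3 syntax. Assumed addressing (not from the thread):
!   inside LAN               10.10.0.0/16   (overlaps with HQ)
!   VPN NAT pool             172.16.10.0/24 (assumed unused at HQ; HQ routes it to the concentrator)
!   HQ service network       172.16.0.0/16  (behind the VPN 3000 concentrator)
!   concentrator public IP   198.51.100.1   (RFC 5737 documentation address, placeholder)

! 1. Traffic that must be translated for the tunnel: inside hosts talking to the HQ 172.16.0.0/16 space.
access-list VPN_NAT permit ip 10.10.0.0 255.255.0.0 172.16.0.0 255.255.0.0

! 2. Policy NAT (id 2): only flows matched by VPN_NAT are translated from the 172.16.10.x pool.
!    The PIX evaluates nat statements that carry an access-list before plain nat statements,
!    so this wins over the catch-all in step 3 for HQ-bound traffic.
nat (inside) 2 access-list VPN_NAT
global (outside) 2 172.16.10.1-172.16.10.254 netmask 255.255.255.0

! 3. Catch-all (id 1): everything else from inside is PATed to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 4. Crypto ACL (the proxy identities). NAT runs before encryption on the PIX, so this ACL must
!    name the translated pool, not 10.10.0.0/16. The concentrator's LAN-to-LAN network lists must
!    mirror it exactly (local 172.16.0.0/16, remote 172.16.10.0/24); a mismatch is what produces
!    "proxy identities not supported" in debug crypto ipsec.
access-list VPN_TRAFFIC permit ip 172.16.10.0 255.255.255.0 172.16.0.0 255.255.0.0

! 5. IKE phase 1 and the IPsec crypto map. Key and peer are placeholders.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1 netmask 255.255.255.255

crypto ipsec transform-set HQSET esp-aes esp-sha-hmac
crypto map HQMAP 10 ipsec-isakmp
crypto map HQMAP 10 match address VPN_TRAFFIC
crypto map HQMAP 10 set peer 198.51.100.1
crypto map HQMAP 10 set transform-set HQSET
crypto map HQMAP interface outside
sysopt connection permit-ipsec
```

Two checks are worth doing after pasting this in. First, generate traffic from an inside host to a 172.16.x.x server and confirm with `show xlate` that the flow received a 172.16.10.x translation while a flow to an Internet host shows the interface PAT address; if the HQ-bound flow got the PAT address, the policy NAT ACL is not matching. Second, if phase 2 fails, compare the pair of networks in `debug crypto ipsec` against the concentrator's network lists; the concentrator only ever sees the 172.16.10.0/24 pool, which is what removes the 10.10.x.x overlap from its routing entirely.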
Did you figure out your problem? I have the same issue. Cisco VPN concentrators handle this kind of situation with 4-5 clicks. I really miss the VPN Concentrator for its capability of letting you apply a NAT or traffic policy per IPsec session. On PIX, IOS or ASA, all NAT seems to be global, not specific to the IPsec session.
But the IPsec tunnel cannot be set up. The debug information shows me the error message "proxy identities not supported". The Cisco document told me that this message appears in debugs if the access list for IPsec traffic does not match.
I believe that the static translations on PIX 2 are not needed. Try it. In translations like this the source and destinations will theoretically be OK, but these will be out-of-session packets.
When PIX 1 translates the outbound packet, the packet will have source 10.1.1.x and destination 192.168.1.x; PIX 2 gets that and sends it to the host. The host answers to destination 10.1.1.x from its source 192.168.1.x, and when PIX 2 makes the translation on this packet, the packet will have destination 192.168.1.x and source 10.2.2.x, while PIX 1 is waiting for a packet from source 192.168.1.0 to destination 10.1.1.0.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: