07-30-2006 09:41 AM
Hello,
The network that I have is this
host1---/pix1/---/router/----/pix2/--/host2/
I want to create a VPN between two PIXes.
host2 and all of the PIX2 interfaces have private IPs, but for the sake of the VPN and mutual communication between host1 and host2 I need public addresses.
I have statically translated the PIX2 outside IP to public on the router. I have statically translated the host2 private IP to public. The VPN tunnel goes up, but the hosts do not communicate. For the sake of testing, I have permitted all IP traffic, so the problem is not in the ACLs.
When I set up VPN using private ip on PIX2 and no nat on router everything works fine so I have ruled out the option of misconfiguring the pixes.
I have put the appropriate static routes on the router. I am able to ping host1 and host2 from the router.
Are there any additional commands I should use on my router?
08-04-2006 05:33 AM
The outside interface would generally have a public IP address in the same subnet as the router. A static IP address could be configured for the system to communicate. Re-add the NAT on the router. It should work fine.
08-09-2006 11:57 PM
Actually it did not. I tried what you have suggested. In the end, what worked was changing the IOS from 12.4 to 12.3
Worked like a charm.
08-11-2006 10:13 AM
You have to keep the hosts' IPs private. You need to NAT the PIXs' outside interfaces to public on the router.
Then you establish the VPN between the PIXs public IPs. Once established the IPSEC sa or ACLs should contain the private subnets and also NAT0 for them.
Let me know if this helps,
Regards,
08-14-2006 12:10 AM
I cannot keep the hosts on private IPs because the other side of my tunnel is requesting me to use public IPs for the hosts. But anyway, I have done as you have suggested, only without nat0 (I have put static NAT), and it worked on 12.3 and on 12.4 it did not work.
08-14-2006 08:04 AM
Hello,
Sorry didn't get what you tested. If you need to have public IPs for those hosts you should be able to do so by NATing them to public IPs and not using the NAT(0) for the ACL.
One important thing to note is that if you don't use NAT(0), the ACL applied on the outside interface should allow traffic from host1 to host2. This is because when using NAT(0) the PIX knows that it does not have to match the traffic against the ACL applied on the outside interface. If you don't use NAT(0), you have to add a line that allows host2 to host1 communication on the ACL applied on the outside. I guess this is why it didn't work for you the first time.
Let me know if the problem is solved,
Regards,
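To make the two variants discussed in this thread concrete, here is an added configuration sketch for PIX2 (PIX 6.x syntax) and the router in front of it. It is not a configuration posted by anyone in the thread; all addresses are constructed from the RFC 5737 documentation ranges, the object names (NONAT, OUTSIDE_IN, VPN_TRAFFIC, VPNMAP) are assumed, and the pre-shared key is a placeholder. Variant A is the NAT(0) approach (hosts keep private IPs inside the tunnel); Variant B is the static-NAT approach the original poster needs, where host2 appears to the peer under a public IP and the outside ACL must explicitly permit the host-to-host traffic.

```cisco
! ---- Router between PIX1 and PIX2 (IOS) ----
! PIX2 outside interface is private (10.0.0.2) and is exposed as 203.0.113.2.
! A 1:1 static translation carries ESP (IP proto 50) and ISAKMP (UDP 500)
! unchanged, which is what the tunnel needs. Addresses are constructed.
interface FastEthernet0/0
 description towards PIX1 (public side)
 ip address 198.51.100.254 255.255.255.0
 ip nat outside
interface FastEthernet0/1
 description towards PIX2 (private side)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
ip nat inside source static 10.0.0.2 203.0.113.2
! The public address host2 will be NATed to on PIX2 (Variant B) must be
! routed back towards PIX2, otherwise return traffic is dropped here.
ip route 203.0.113.10 255.255.255.255 10.0.0.2

! ---- PIX2 (PIX 6.x) ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.0.0.2 255.255.255.0
ip address inside 10.2.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

! ===== Variant A: NAT(0), hosts stay private across the tunnel =====
! Crypto ACL and NAT-exempt ACL carry the same private-to-private subnets.
access-list NONAT permit ip 10.2.2.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list VPN_TRAFFIC permit ip 10.2.2.0 255.255.255.0 192.0.2.0 255.255.255.0

! ===== Variant B: static NAT, host2 is seen by the peer as 203.0.113.10 =====
! (use either A or B, not both, for the same hosts)
static (inside,outside) 203.0.113.10 10.2.2.10 netmask 255.255.255.255
! The crypto ACL now matches the TRANSLATED address of host2.
access-list VPN_TRAFFIC permit ip host 203.0.113.10 host 198.51.100.10
! Without NAT(0) the decrypted traffic is evaluated against the outside ACL,
! so host1 -> host2 must be permitted explicitly; keep it to the peer host
! only rather than "permit ip any any" used during testing.
access-list OUTSIDE_IN permit ip host 198.51.100.10 host 203.0.113.10
access-group OUTSIDE_IN in interface outside

! ===== Common IPsec / ISAKMP settings, peer is PIX1 outside =====
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN_TRAFFIC
crypto map VPNMAP 10 set peer 198.51.100.1
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside
isakmp enable outside
isakmp key PLACEHOLDER_PSK address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two things to check when a tunnel comes up but hosts stay silent: first, that the crypto ACL on PIX2 and the mirror ACL on PIX1 agree on the translated address (203.0.113.10 in Variant B, not 10.2.2.10), since a mismatch is negotiated fine by ISAKMP but leaves no matching IPsec SA for the actual packets; second, that `sysopt connection permit-ipsec` is set, because with it the PIX bypasses the outside ACL for traffic arriving through the tunnel, and without it the OUTSIDE_IN entry above is the only thing letting host1 reach host2. Use `show crypto ipsec sa` to confirm that the encaps/decaps counters are both increasing rather than only one direction.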
08-18-2006 09:53 AM
Any news?