
VPN with static NAT

zlabovic
Level 1

Hello,

The network that I have is this

host1---/pix1/---/router/----/pix2/--/host2/

I want to create a VPN between the two PIXes.

host2 and all of the PIX2 interfaces have private IPs, but for the sake of the VPN and mutual communication between host1 and host2 I need public addresses.

I have statically translated the PIX2 outside IP to a public one on the router. I have statically translated the host2 private IP to a public one. The VPN tunnel goes up, but the hosts do not communicate. For the sake of testing, I have permitted all IP traffic, so the problem is not in the ACLs.

When I set up the VPN using the private IP on PIX2 and no NAT on the router, everything works fine, so I have ruled out the option of misconfiguring the PIXes.

I have put the appropriate static routes on the router. I am able to ping host1 and host2 from the router.

Are there any additional commands I should use on my router?

6 Replies

aghaznavi
Level 5

The outside interface would generally have a public IP address in the same subnet as the router. A static IP address could be configured for the systems to communicate. Re-add the NAT on the router. It should work fine.

Actually, it did not. I tried what you suggested. In the end, what worked was changing the IOS from 12.4 to 12.3.

Worked like a charm.

You have to keep the hosts' IPs private. You need to NAT the PIXes' outside interfaces to public addresses on the router.

Then you establish the VPN between the PIXes' public IPs. Once established, the IPsec SA or ACLs should contain the private subnets, and also nat 0 for them.

Let me know if this helps,

Regards,

I cannot keep the hosts on private IPs because the other side of my tunnel is requesting me to use public IPs for the hosts. But anyway, I have done as you suggested, only without nat 0 (I have put a static NAT), and it worked on 12.3, while on 12.4 it did not work.

Hello,

Sorry, I didn't get what you tested. If you need to have public IPs for those hosts, you should be able to do so by NATing them to public IPs and not using nat 0 for the ACL.

One important thing to note is that if you don't use nat 0, the ACL applied on the outside interface should allow traffic from host1 to host2. This is because when using nat 0 the PIX knows that it does not have to match the traffic against the ACL applied on the outside interface. If you don't use nat 0, you have to add a line that allows host2-to-host1 communication on the ACL applied on the outside. I guess this is why it didn't work for you the first time.

Let me know if the problem is solved,

Regards,
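To make the two designs discussed in the replies above concrete, here is an added example configuration (written for this page; it is not a config posted by anyone in the thread) covering the router's one-to-one NAT of PIX2's outside address, and the two PIX2 options: (a) host2 kept private and exempted from NAT with nat 0, as in the earlier reply, and (b) host2 presented with a public address through a static and an explicit entry in the outside ACL, as in the last reply. All addresses are constructed from the RFC 5737 documentation ranges, the interface names, ACL names and crypto map name are assumptions, and the syntax is PIX 6.3 and IOS 12.x as I know it; the `!` lines are annotations for the reader.

```cisco
! ===== router (IOS): one-to-one NAT for PIX2's outside address =====
! Assumed addressing (constructed, RFC 5737 ranges):
!   pix1 outside 203.0.113.1      host1 192.0.2.10 (public, behind pix1)
!   router toward pix1 203.0.113.2; router toward pix2 192.168.1.1
!   pix2 outside 192.168.1.2, translated to 203.0.113.10 on the router
!   pix2 inside 10.2.2.1, host2 10.2.2.20 (option b: presented as 203.0.113.20)
interface FastEthernet0/0
 description toward pix1 / public side
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description toward pix2 outside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! A static one-to-one translation keeps the IKE (UDP/500, UDP/4500) and ESP
! peer address stable; pix1 peers with 203.0.113.10, never with 192.168.1.2.
! Tunnelled host traffic crosses this router only as ESP between
! 203.0.113.10 and 203.0.113.1, so no NAT entry or route for host2's
! addresses is needed for the tunnel itself.
ip nat inside source static 192.168.1.2 203.0.113.10
!
! ===== pix2 (PIX 6.3 syntax) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.2.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1
!
! --- Option (a): host2 stays private; tunnel traffic is exempted from NAT ---
access-list nonat permit ip 10.2.2.0 255.255.255.0 host 192.0.2.10
nat (inside) 0 access-list nonat
! The crypto ACL carries the private subnet and is mirrored on pix1.
access-list crypto_to_pix1 permit ip 10.2.2.0 255.255.255.0 host 192.0.2.10
!
! --- Option (b): host2 presented as 203.0.113.20, no nat 0 for it ---
! The PIX translates before it encrypts, so the crypto ACL must name the
! translated address, and pix1's mirror ACL names 203.0.113.20 as well.
static (inside,outside) 203.0.113.20 10.2.2.20 netmask 255.255.255.255
access-list crypto_to_pix1 permit ip host 203.0.113.20 host 192.0.2.10
! Decrypted traffic arriving on outside is checked against the outside ACL
! (unless sysopt connection permit-ipsec is set), so host1 -> host2's public
! address is permitted explicitly here.
access-list outside_in permit ip host 192.0.2.10 host 203.0.113.20
access-group outside_in in interface outside
!
! --- IKE / IPsec (common to both options) ---
isakmp enable outside
isakmp key <pre-shared-key> address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! pix2 sits behind NAT; if both peers support NAT-T the tunnel moves to UDP/4500.
isakmp nat-traversal 20
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address crypto_to_pix1
crypto map vpnmap 10 set peer 203.0.113.1
crypto map vpnmap 10 set transform-set ESP-3DES-SHA
crypto map vpnmap interface outside
!
! ===== pix1: the mirror image; the peer is the router's translation of pix2 =====
isakmp key <pre-shared-key> address 203.0.113.10 netmask 255.255.255.255
crypto map vpnmap 10 set peer 203.0.113.10
! option (a) mirror of the crypto ACL:
access-list crypto_to_pix2 permit ip host 192.0.2.10 10.2.2.0 255.255.255.0
! option (b) mirror of the crypto ACL:
access-list crypto_to_pix2 permit ip host 192.0.2.10 host 203.0.113.20
```

Use one option or the other, not both lines in the same crypto ACL. Whichever is chosen, the check that separates "tunnel up" from "hosts talking" is `show crypto ipsec sa` on both PIXes: the local and remote identities must be exact mirrors (10.2.2.0/24 on one side against 203.0.113.20 on the other is the usual reason IKE completes but the encrypt/decrypt counters never move), and with option (b) `show xlate` on pix2 should list the static for 10.2.2.20 before traffic is sent. The 3DES/SHA-1/group 2 proposal matches the era of the thread; a current deployment would pick stronger algorithms.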

Any news?