host2 and all of the PIX2 interfaces have private IPs, but for the sake of VPN and mutual communication between host1 and host2 I need public addresses.
I have statically translated PIX2 outside IP to public on the router. I have statically translated host2 private IP to public. The VPN tunnel goes up, but the hosts do not communicate. I have, for the sake of testing, permitted all IP traffic, so the problem is not in the ACLs.
When I set up VPN using private IP on PIX2 and no NAT on router everything works fine, so I have ruled out the option of misconfiguring the PIXes.
I have put the appropriate static routes on the router. I am able to ping host1 and host2 from the router.
Are there any additional commands I should use on my router?
Outside interface would generally have the public IP address in the same subnet as router. Static IP address could be configured for the system to communicate. Re-add the NAT on the router. It should work fine.
I cannot keep the hosts on private IPs because the other side of my tunnel is requesting me to use public IPs for the hosts. But anyway, I have done as you have suggested, only without nat0 (have put static NAT), and it worked on 12.3 and on 12.4 it did not work.
Sorry didn't get what you tested. If you need to have public IPs for those hosts you should be able to do so by NATing them to public IPs and not using the NAT(0) for the ACL.
One important thing to note is that if you don't use NAT(0) the outside ACL applied on the outside interface should allow traffic from host 1 to host 2. This is because when using the NAT(0) the PIX knows that it does not have to match the traffic applied on the outside interface. If you don't use the NAT(0) you have to add a line that allows host2 to host 1 communication on the ACL applied on the outside. I guess this is why it didn't work with you from the first time.