Re: [fw-wiz] Pix to Pix VPN IPSec w/ PAT

From: John Adams (jna@retina.net)
Date: 03/24/03

From: John Adams <jna@retina.net>
To: Paul Matuszewski <sase@five-elements.com>
Date: Mon, 24 Mar 2003 12:45:30 -0800 (PST)

    On Sun, 23 Mar 2003, Paul Matuszewski wrote:

    > Hey all.. newbie to the list here.. but I have a question for you all.
    >
    > I've looked everywhere, and my cisco rep has yet to get back to me..
    >
    > Is it possible to perform a CISCO pix501 to pix501 VPN w/ IPSec while still
    > utilizing PAT. The scenario is = Business Cable Modem to Business Cable
    > Modem... thoughts?

    If you mean running a PAT to the outside world while maintaining the
    internal (RFC1918) addressing between the two locations, this is
    entirely possible.

    Let's say the two networks are 10.20.1.0 and 10.10.1.0:

    Location 1) (the one with the 10.60.1.0 network)

    # first create the access lists for the VPN:
    access-list 10 permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0

    # You'll have to ensure that you're not natting users through the VPN:
    access-list nonat permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0

    # Set up your PAT (replace x.x.x.x with your outside PAT address)
    global (outside) 1 x.x.x.x
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    # build your vpn, replace y.y.y.y with your peer's address

    crypto ipsec transform-set regular esp-des esp-sha-hmac
    crypto map VPN 10 ipsec-isakmp
    crypto map VPN 10 match address 10
    crypto map VPN 10 set peer y.y.y.y
    crypto map VPN 10 set transform-set regular
    isakmp key <your key goes here> address y.y.y.y netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    sysopt connection permit-ipsec

    # always apply the maps last.
    isakmp enable outside
    crypto map VPN interface outside

    Now, invert the access lists for the remote site, and it'll work.

    -john

    -- 
    J. Adams					http://www.retina.net/~jna
    The secret of knowing where you are, is knowing what time it is. -- Anonymous
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
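Added example, not code from the post: a small Python script that builds the PIX configuration above for both sites from the two inside networks, then checks the two things the post relies on, namely that the nonat exemption covers every entry the crypto ACL selects (otherwise PAT rewrites the source before IPsec sees it) and that the remote site's crypto ACL is the exact inversion of the local one. The /24 prefixes, the PAT and peer addresses and the pre-shared key are constructed sample values.

```python
import ipaddress

def mask(net):  # "10.20.1.0/24" -> "10.20.1.0 255.255.255.0" (PIX notation)
    n = ipaddress.ip_network(net)
    return f"{n.network_address} {n.netmask}"

def site_config(local_net, remote_net, pat_addr, peer_addr, psk, acl="10"):
    """Config lines for one PIX; the remote site is the same call with nets and addresses swapped."""
    l, r = mask(local_net), mask(remote_net)
    return [
        f"access-list {acl} permit ip {l} {r}",   # traffic that must be encrypted
        f"access-list nonat permit ip {l} {r}",   # the same traffic, exempted from PAT
        f"global (outside) 1 {pat_addr}",
        "nat (inside) 0 access-list nonat",
        "nat (inside) 1 0.0.0.0 0.0.0.0 0 0",
        "crypto ipsec transform-set regular esp-des esp-sha-hmac",
        "crypto map VPN 10 ipsec-isakmp",
        f"crypto map VPN 10 match address {acl}",
        f"crypto map VPN 10 set peer {peer_addr}",
        "crypto map VPN 10 set transform-set regular",
        f"isakmp key {psk} address {peer_addr} netmask 255.255.255.255",
        "isakmp identity address",
        "isakmp policy 10 authentication pre-share",
        "isakmp policy 10 encryption des",
        "isakmp policy 10 hash sha",
        "isakmp policy 10 group 1",
        "sysopt connection permit-ipsec",
        "isakmp enable outside",                  # apply the maps last, as the post says
        "crypto map VPN interface outside",
    ]

def acl_entries(lines, name):
    """Set of (src, dst) networks permitted by access-list `name`."""
    rows = [ln.split() for ln in lines if ln.startswith(f"access-list {name} permit ip ")]
    return {(ipaddress.ip_network(f"{p[4]}/{p[5]}"), ipaddress.ip_network(f"{p[6]}/{p[7]}")) for p in rows}

def crypto_acl(lines):  # name of the ACL bound with 'crypto map ... match address', or None
    return next((ln.split()[6] for ln in lines if ln.startswith("crypto map") and " match address " in ln), None)

def vpn_problems(lines):
    """Crypto-ACL entries that PAT would rewrite before IPsec sees them; empty list means consistent."""
    acl = crypto_acl(lines)
    if acl is None:
        return ["no 'crypto map ... match address' selects VPN traffic"]
    nonat = next((ln.split()[4] for ln in lines if ln.startswith("nat (inside) 0 access-list ")), "")
    return [f"{s}->{d} is in crypto ACL {acl} but not exempt from PAT" for s, d in acl_entries(lines, acl) - acl_entries(lines, nonat)]

def mirrored(local, remote):
    """True when the remote crypto ACL is exactly the local one with src/dst swapped."""
    return {(d, s) for s, d in acl_entries(local, crypto_acl(local))} == acl_entries(remote, crypto_acl(remote))
```

Running `vpn_problems` over a site's lines with the `access-list nonat` entry removed reports the crypto-ACL pair that PAT would rewrite, which is the failure the post's "ensure that you're not natting users through the VPN" line warns about.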
    
